-----BEGIN PGP SIGNED MESSAGE----- Hash: MD5 - --[ Polycom Video Conference System Management Server Authentication Bypass Vulnerability ]-- - --[ Type Design Error - --[ Release Date December 19, 2002 - --[ Product / Vendor The Polycom ViewStation FX set top video system provides TV-quality video for the most demanding video communications needs. Embedded streaming capabilities let you capture and send meetings, presentations or broadcasts to anyone equipped with a Web browser. Polycom's unmatched full duplex sound and tracking technology make video meetings effortless, natural, and push-button-easy. Audio flexibility and custom application support are extensive. http://www.polycom.com - --[ Summary A problem with the Polycom ViewStation allows some users to change configuration of the video conferencing system. A bug introduced in the Polycom ViewStation FX Release v4.2 that could allow users full access on the video conferencing system. Upon taking advantage of this vulnerability, the user could change the configuration of the video conferencing system and could change admin password and software update password. Polycom ViewStation admin password and software update password is stored in plain text and can be revealed by viewing the source (http://<host>/a_security.htm) of the web page. - --[ Analysis An analysis for this vulnerability exists and is available below. a_security.htm source code: ==================== SNIP ==================== <html> <head> <title>Admin Password Change</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <link rel="stylesheet" href="style1.css" type="text/css"> </head> <body bgcolor="#FFFFFF" text="#000000" background="background1.gif" class="largetext"> <script language="JavaScript"> var model = "VSFX4"; var mppSelect = "Meeting"; var mpp = ""; function setSelected(list, value) { //list = document.forms[0].SNAPCAM var j; for(j = 0; j < list.length; j++) { if(list.options[j].value == value) { list.options[j].selected = true; } else { list.options[j].selected = false; } } } </script> <div align="center"> <p>Security </p> <form method="POST" enctype="application/x-www-form-urlencoded"> <table border="0" cellspacing="2" class="text2"> <tr> <td class="text2">Meeting Password:</td> <td> *********************** HERE ******************************** <input type="text" name="viewingpasswrd" value="123"> ************************************************************ </td> </tr> <tr> <td class="text2">Software Update Password:</td> <td> *********************** HERE ******************************** <input type="text" name="softupdatepasswrd" value="g3kk9g3z"> ************************************************************ </td> </tr> </table> <p><input type="submit" name="Submit" value="Submit"> </p></form> </div> </body> </html> ==================== SNIP ==================== - --[ Tested Polycom ViewStation FX Release v4.2 - --[ Vulnerable Polycom ViewStation FX Release v4.2 - --[ Disclaimer http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. - --[ Author Tamer Sahin ts@securityoffice.net http://www.securityoffice.net All our advisories can be viewed at http://www.securityoffice.net/articles/ Please send suggestions, updates, and comments to feedback@securityoffice.net (c) 2002 SecurityOffice This Security Advisory may be reproduced and distributed, provided that this Security Advisory is not modified in any way and is attributed to SecurityOffice and provided that such reproduction and distribution is performed for non-commercial purposes. Tamer Sahin http://www.securityoffice.net -----BEGIN PGP SIGNATURE----- Version: 2.6 iQEVAwUAPgGWLvpL5ibJRTtBAQG+ywf9GJUvE9XzQyf1Ue1L9Cc/eOVMtuIHdRZi Y0RA+GAK729BrvYifAUWEm2CrVx9AUA8Z10NIOOqZjaxgexaCotvU1VKiDYRP0AV nK2GQmY/4XDfMJ9k7lrcOP71HXxa605ToOIgeUQqGQMp5KEk5FAkgytrtQ8HRMTV alqPLUB/kwXtQwLPzNrePpNypXHID5D6jOX1Pw1H4RxHRQWMIT+Ye9fZl8pFA904 b7SIQ0EKc/Y29MBNMzpn1c4702qsDEnq74PmfOukLxWy975XRHxvPeFrt60WTFs8 EemZfXPXzu4njJe7apIcgCRgSYKrh1eIHCOuLAwKoBssrC763bkKpw== =yFDv -----END PGP SIGNATURE-----
