#### Title:
Polycom BToE Connector up to version 2.3.0 allows unprivileged windows
users to execute arbitrary code with SYSTEM privileges.

#### Type of vulnerability:
Privilege Escalation
##### Exploitation vector:
local
##### Attack outcome:
Code execution with SYSTEM privileges.
#### Impact:
CVSS Base Score 6,2
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)
#### Software/Product name:
Polycom BToE Connector
#### Affected versions:
All Versions including 2.3.0

#### Fixed in version:
Version 3.0.0 (Released March 2015)

#### Vendor:
Polycom Inc.
#### CVE number:
CVE-2015-8300
#### Timeline
* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@mitre.

#### Credits:
Severin Winkler `swinkler@sba-research.org` (SBA Research)
Ulrich Bayer `ubayer@sba-research.org` (SBA Research)
#### References:
Download secure version 3.0.0
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html

#### Description:
The Polycom BToE Connector Version up to version 2.3.0 allows a local
user to gain
local administrator privileges.

The software creates a windows service running with SYSTEM privileges
using the following file (standard installation path):

C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe

The default installation allows everyone to replace the plcmbtoesrv.exe
file allowing unprivileged users to execute arbitrary commands on the
windows host.

#### Proof-of-concept:
*none*