The Polycom VVX web interface allows a user to change an admin's password.
792d01d2d9f6e4be042118b490119eb300113d93351f7dfbda47eb3c8d1bc212# Exploit Title: Polycom VVX Web Interface
- Privilege Escalation
# Date: 01/26/2017
# Exploit Author: m8r0wn
# Vendor Homepage:
http://www.polycom.com/
# Software Link:
http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html
# Version: Polycom VVX 400/410, Software Version: 5.3.1
# CVE :
CVE-2021-41322
# This vulnerability
allows under-privileged users to change the "Admin" account password
# leading to privilege escalation.
1. Login with the "User" Account (default pwd: 123).
2. Navigate to: Settings > Change Password.
3. Fill in "Old Password" field with the current "User" password.
4. Fill in "New Password" field with the new "Admin" account password, and confirm.
5. Click "Save" and use a web application proxy to modify the request:
Change "122=" to "120=" in the POST data to associate the new password with the "Admin" account.
6
. An error will be shown on screen,but the Admin account password has been changed.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed