exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

polycom.auth-bypass.txt

polycom.auth-bypass.txt
Posted Dec 21, 2002
Authored by Tamer Sahin | Site securityoffice.net

The Polycom ViewStation FX set top video system allows users to change configuration of the video conferencing system. A bug introduced in the Polycom ViewStation FX Release v4.2 allows users full access to the video conferencing system including changing the admin password.

tags | advisory, bypass
SHA-256 | efc1399c213252cbb952cdd78a552988b8c768fd731044eb40928f453a8af4c3

polycom.auth-bypass.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

- --[ Polycom Video Conference System Management Server Authentication Bypass Vulnerability ]--

- --[ Type

Design Error

- --[ Release Date

December 19, 2002

- --[ Product / Vendor

The Polycom ViewStation FX set top video system provides TV-quality video for
the most demanding video communications needs. Embedded streaming
capabilities let you capture and send meetings, presentations or broadcasts
to anyone equipped with a Web browser. Polycom's unmatched full duplex
sound and tracking technology make video meetings effortless, natural, and
push-button-easy. Audio flexibility and custom application support are extensive.

http://www.polycom.com

- --[ Summary

A problem with the Polycom ViewStation allows some users to change configuration
of the video conferencing system. A bug introduced in the Polycom ViewStation
FX Release v4.2 that could allow users full access on the video conferencing system.
Upon taking advantage of this vulnerability, the user could change the configuration
of the video conferencing system and could change admin password and software
update password.

Polycom ViewStation admin password and software update password is stored in
plain text and can be revealed by viewing the source (http://<host>/a_security.htm)
of the web page.

- --[ Analysis

An analysis for this vulnerability exists and is available below.

a_security.htm source code:

==================== SNIP ====================

<html>
<head>
<title>Admin Password Change</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style1.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000" background="background1.gif" class="largetext">
<script language="JavaScript">
var model = "VSFX4";
var mppSelect = "Meeting";
var mpp = "";

function setSelected(list, value)
{
//list = document.forms[0].SNAPCAM
var j;
for(j = 0; j < list.length; j++)
{
if(list.options[j].value == value)
{
list.options[j].selected = true;
}
else
{
list.options[j].selected = false;
}
}
}
</script>
<div align="center">
<p>Security </p>
<form method="POST" enctype="application/x-www-form-urlencoded">
<table border="0" cellspacing="2" class="text2">

<tr>
<td class="text2">Meeting Password:</td>
<td>
*********************** HERE ********************************
<input type="text" name="viewingpasswrd" value="123">
************************************************************
</td>
</tr>
<tr>
<td class="text2">Software Update Password:</td>
<td>
*********************** HERE ********************************
<input type="text" name="softupdatepasswrd" value="g3kk9g3z">
************************************************************
</td>
</tr>
</table>
<p><input type="submit" name="Submit" value="Submit">
</p></form>
</div>
</body>
</html>

==================== SNIP ====================

- --[ Tested

Polycom ViewStation FX Release v4.2

- --[ Vulnerable

Polycom ViewStation FX Release v4.2

- --[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.

- --[ Author

Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@securityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this
Security Advisory is not modified in any way and is attributed to SecurityOffice
and provided that such reproduction and distribution is performed for
non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPgGXIfpL5ibJRTtBAQGTtAf/WyQ19QsKfi2/4Agp4k5QZtkRvsBIR/KN
eAxs8bpTj29WkLw1oTrgklZRZgrEYnunloMYZIU5wJNQ75xnM2inIT1wZ/lojhAj
dz2hyh66kA9l+Ojg5E381clGRtOtBM1MlA8QStb8o2q9dTVG7aUsRynqVh+XvWvW
C8Se+ipmPeCPnyypG3Mp9O55oKnXIJo1jSwAYcHMGzZQBAtcPy0PrQQmT02BvCHo
5WCI8GjLvxBpic4Jd/+m7JS40ujNegoD2OJdzRa0pCZzn64lZI5hLiVezzzoJcrj
Y5eWNBoBlkrnun8DCIEwhlx/F1igRMRP6ZDxNctcAKAqMZuisxSwrg==
=GJ1Y
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close