Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Polycom H.323 Format String

🗓️ 15 Mar 2013 00:00:00Reported by Moritz JodeitType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

Polycom HDX H.323 Format String Vulnerability in SQLite databas

Code
`n.runs AG  
http://www.nruns.com/  
security(at)nruns.com  
n.runs-SA-2013.004  
15-Mar-2013  
___________________________________________________________________________  
Vendor: Polycom, http://www.polycom.com  
Affected Products: Polycom HDX Series  
Affected Version: < 3.1.1.2  
Vulnerability: Polycom H.323 Format String Vulnerability  
Risk: HIGH  
___________________________________________________________________________  
  
Overview:  
  
For every received H.323 SETUP packet the Polycom HDX system writes a call  
detail record (CDR) into its internal database. This even happens when the  
connection is not accepted. The CDR table is stored in a SQLite database  
which can be found in the /data/polycom/cdr/new/localcdr.db file on the  
HDX system.  
  
Description:  
  
One of the items stored in a CDR entry is the remote system name of the  
H.323 video call. The system name is taken directly from the string  
placed in the Display information element from the sent H.323 SETUP  
packet. However no input validation is performed on the string extracted  
from the packet. After the SQL query string is constructed it is passed  
to the internal puts() function which ends up calling the vsnprintf()  
function inside va_logmsg() for logging purposes. The complete SQL query  
string is passed as the format string argument to vsnprintf() which leads  
to a format string vulnerability.  
  
The following output shows the arguments passed to the va_logmsg()  
function. Part of the "fmt" format string argument is the embedded  
Display information element which is under the control of the attacker.  
  
(gdb) break *0x1032E3AC  
Breakpoint 1 at 0x1032e3ac: file ../../../src/Common/OS/logmsg.c, line  
747.  
(gdb) c  
Breakpoint 5, 0x1032e3ac in va_logmsg (ap=0x5e97d298, level=<optimized  
out>,  
component=<optimized out>, fmt=0x5e97d344 "INSERT into CDR_Table  
values(  
'23','0','1347451282','1347451282','---','WE CONTROL THIS  
%n%n%n','','---',  
  
'h323','0','','1','365','1','0','---','---','terminal','','---','---',  
'---','---','---','---','The call has  
ended.','16','0','---','---','---',  
'---','---','---','---','---','---','---','---','---','25');")  
at ../../../src/Common/OS/logmsg.c:747  
  
Since the attacker controls the format string through the sent remote  
system name, he can easily crash the system by sending a single H.323  
SETUP packet with a remote system name such as "%n%n%n".  
  
However this bug also allows remote code execution by sending several  
specially formed H.323 SETUP packets. This allows a complete system  
compromise of the HDX system over the network.  
  
Impact:  
  
This vulnerability can be exploited by an unauthenticated attacker  
over the network as long as the H.323 protocol is enabled. The  
auto-answer call feature must not be enabled for the exploit to  
succeed. Successful exploitation gives an attacker complete root  
access to the HDX system and thus full control over the device.  
  
n.runs successfully developed a proof-of-concept exploit which  
demonstrates remote code execution over the network.  
  
Solution:  
  
Polycom released version 3.1.1.2 of the HDX software which fixes this  
issue. It can be downloaded from the Polycom Support page at  
http://support.polycom.com.  
___________________________________________________________________________  
  
Credit:  
Bug found by Moritz Jodeit of n.runs AG.  
___________________________________________________________________________  
  
Unaltered electronic reproduction of this advisory is permitted. For all  
other reproduction or publication, in printing or otherwise, contact  
[email protected] for permission. Use of the advisory constitutes  
acceptance for use in an "as is" condition. All warranties are excluded.  
In no event shall n.runs be liable for any damages whatsoever including  
direct, indirect, incidental, consequential, loss of business profits or  
special damages, even if n.runs has been advised of the possibility of  
such damages.  
  
Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Mar 2013 00:00Current
7.4High risk
Vulners AI Score7.4
polycomh.323vulnerabilitysqliteexploitremote code executionroot accesshdx systemversion 3.1.1.2moritz jodeitn.runs ag
33