Polycom BTOE Connector 2.3.0 Local Privilege Escalation

`#### Title:  
Polycom BToE Connector up to version 2.3.0 allows unprivileged windows  
users to execute arbitrary code with SYSTEM privileges.  
  
#### Type of vulnerability:  
Privilege Escalation  
##### Exploitation vector:  
local  
##### Attack outcome:  
Code execution with SYSTEM privileges.  
#### Impact:  
CVSS Base Score 6,2  
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)  
#### Software/Product name:  
Polycom BToE Connector  
#### Affected versions:  
All Versions including 2.3.0  
  
#### Fixed in version:  
Version 3.0.0 (Released March 2015)  
  
#### Vendor:  
Polycom Inc.  
#### CVE number:  
CVE-2015-8300  
#### Timeline  
* `2014-12-19` identification of vulnerability  
* `2015-01-01` vendor contacted via customer  
* `2015-03-01` vendor released fixed version 3.0.0  
* `2015-07-14` contact cve-request@mitre.  
  
#### Credits:  
Severin Winkler `[email protected]` (SBA Research)  
Ulrich Bayer `[email protected]` (SBA Research)  
#### References:  
Download secure version 3.0.0  
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html  
  
#### Description:  
The Polycom BToE Connector Version up to version 2.3.0 allows a local  
user to gain  
local administrator privileges.  
  
The software creates a windows service running with SYSTEM privileges  
using the following file (standard installation path):  
  
C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe  
  
The default installation allows everyone to replace the plcmbtoesrv.exe  
file allowing unprivileged users to execute arbitrary commands on the  
windows host.  
  
#### Proof-of-concept:  
*none*  
  
  
`