n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2013.003 15-Mar-2013
Vendor: Polycom, http://www.polycom.com Affected Products: Polycom HDX Series Affected Version: < 126.96.36.199 Vulnerability: Polycom H.323 CDR Database SQL Injection Risk: HIGH
For every received H.323 SETUP packet the Polycom HDX system writes a call detail record (CDR) into its internal database. This even happens when the connection is not accepted. The CDR table is stored in a SQLite database which can be found in the /data/polycom/cdr/new/localcdr.db file on the HDX system.
One of the items stored in a CDR entry is the remote system name of the H.323 video call. The system name is taken directly from the string placed in the Display information element from the sent H.323 SETUP packet. However no input validation is performed on the string extracted from the packet. The SQL query string to insert a new CDR is constructed by simple string concatenation. Since the Display information element can contain strings with embedded single quote characters the code is vulnerable to a simple SQL injection vulnerability.
The vulnerability can easily be demonstrated by sending a H.323 SETUP packet with a Display information element which contains a single quote character. The following log entries can be observed when sending the remote system name "SQL'INJECT":
DEBUG avc: pc: INSERT into CDR_Table
'690','---','SQL'INJECT','','---','h323','0','','1','327','1','0','---','--- ', 'term DEBUG avc: pc: Can't prepare database: near "INJECT": syntax error DEBUG avc: pc: sqlInsert: time = 1 DEBUG avc: pc: NOTIFY: SYS config cdrrowid1 0 "83" rw DEBUG avc: pc: H323Conn: state:"incoming" --> "disconnecting" DEBUG avc: pc: H323Call: hangup, cause code 16
An unauthenticated attacker could try to exploit this vulnerability over the network in order to manipulate the constructed SQL query. In the worst case such a bug could lead to remote code execution through the injection of specific SQL statements. Only a single TCP packet would be needed for such an attack.
Polycom released version 188.8.131.52 of the HDX software which fixes this issue. It can be downloaded from the Polycom Support page at http://support.polycom.com.
Credit: Bug found by Moritz Jodeit of n.runs AG.
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact email@example.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.