Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29193
HistoryMar 19, 2013 - 12:00 a.m.

n.runs-SA-2013.004 - Polycom - H.323 Format String Vulnerability

2013-03-1900:00:00
vulners.com
37
JSON

n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2013.004
15-Mar-2013

Vendor: Polycom, http://www.polycom.com
Affected Products: Polycom HDX Series
Affected Version: < 3.1.1.2
Vulnerability: Polycom H.323 Format String Vulnerability
Risk: HIGH

Overview:

For every received H.323 SETUP packet the Polycom HDX system writes a call
detail record (CDR) into its internal database. This even happens when the
connection is not accepted. The CDR table is stored in a SQLite database
which can be found in the /data/polycom/cdr/new/localcdr.db file on the
HDX system.

Description:

One of the items stored in a CDR entry is the remote system name of the
H.323 video call. The system name is taken directly from the string
placed in the Display information element from the sent H.323 SETUP
packet. However no input validation is performed on the string extracted
from the packet. After the SQL query string is constructed it is passed
to the internal puts() function which ends up calling the vsnprintf()
function inside va_logmsg() for logging purposes. The complete SQL query
string is passed as the format string argument to vsnprintf() which leads
to a format string vulnerability.

The following output shows the arguments passed to the va_logmsg()
function. Part of the "fmt" format string argument is the embedded
Display information element which is under the control of the attacker.

&#40;gdb&#41; break *0x1032E3AC
Breakpoint 1 at 0x1032e3ac: file ../../../src/Common/OS/logmsg.c, line

&#40;gdb&#41; c
Breakpoint 5, 0x1032e3ac in va_logmsg &#40;ap=0x5e97d298, level=&lt;optimized

out>,
component=<optimized out>, fmt=0x5e97d344 "INSERT into CDR_Table
values(
'23','0','1347451282','1347451282','—','WE CONTROL THIS
%n%n%n','','—',

'h323','0','','1','365','1','0','—','—','terminal','','—','—',
'—','—','—','—','The call has
ended.','16','0','—','—','—',
'—','—','—','—','—','—','—','—','—','25');")
at …/…/…/src/Common/OS/logmsg.c:747

Since the attacker controls the format string through the sent remote
system name, he can easily crash the system by sending a single H.323
SETUP packet with a remote system name such as "%n%n%n".

However this bug also allows remote code execution by sending several
specially formed H.323 SETUP packets. This allows a complete system
compromise of the HDX system over the network.

Impact:

This vulnerability can be exploited by an unauthenticated attacker
over the network as long as the H.323 protocol is enabled. The
auto-answer call feature must not be enabled for the exploit to
succeed. Successful exploitation gives an attacker complete root
access to the HDX system and thus full control over the device.

n.runs successfully developed a proof-of-concept exploit which
demonstrates remote code execution over the network.

Solution:

Polycom released version 3.1.1.2 of the HDX software which fixes this
issue. It can be downloaded from the Polycom Support page at
http://support.polycom.com.

Credit:
Bug found by Moritz Jodeit of n.runs AG.

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[email protected] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2013 n.runs AG. All rights reserved. Terms of use apply.

JSON