List: full-disclosure
Subject: [FD] CVE-2015-8300: Polycom BToE Connector v2.3.0 Privilege Escalation Vulnerability
From: SBA Research Advisory <advisory () sba-research ! org>
Date: 2015-11-23 12:18:21
Message-ID: 5653040D.9040708 () sba-research ! org
#### Title:
Polycom BToE Connector up to version 2.3.0 allows unprivileged Windows
users to execute arbitrary code with SYSTEM privileges.
#### Type of vulnerability:
Privilege Escalation
##### Exploitation vector:
local
##### Attack outcome:
Code execution with SYSTEM privileges.
#### Impact:
CVSS Base Score 6.2
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)
#### Software/Product name:
Polycom BToE Connector
#### Affected versions:
All Versions including 2.3.0
#### Fixed in version:
Version 3.0.0 (Released March 2015)
#### Vendor:
Polycom Inc.
#### CVE number:
CVE-2015-8300
#### Timeline
* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@mitre.
#### Credits:
Severin Winkler `swinkler@sba-research.org` (SBA Research)
Ulrich Bayer `ubayer@sba-research.org` (SBA Research)
#### References:
Download secure version 3.0.0
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html
#### Description:
The Polycom BToE Connector up to version 2.3.0 allows a local user to
gain local administrator privileges.
The software creates a Windows service running with SYSTEM privileges
using the following file (standard installation path):
`C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe`
In the default installation, everyone is allowed to replace the
plcmbtoesrv.exe file, which lets unprivileged users execute arbitrary
commands on the Windows host.
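
An audit for the weakness described above, added here as an example and not part of the original advisory or of Polycom's software: it lists services running as LocalSystem whose executable carries an Allow ACE granting write-type rights to a broad group. The function names and the choice of "broad" SIDs are assumptions of this example.

```powershell
# Added audit example (not from the advisory).
# Well-known SIDs treated as "broad" here: Everyone, Authenticated Users, BUILTIN\Users
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that let a principal overwrite or replace the file, or rewrite its ACL
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceExePath {
    # Win32_Service.PathName may be quoted and may carry arguments; return only the .exe path
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Test-WeakServiceBinaryAcl {
    # Emits one object per Allow ACE that gives a broad SID write-type access to $Path
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Path
    )
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Service = $ServiceName
                Path    = $Path
                Sid     = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

# Check every service that runs as LocalSystem (SYSTEM)
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            Test-WeakServiceBinaryAcl -ServiceName $_.Name -Path $exe
        }
    }
```

An empty result means no such ACE was found on the service executables themselves; ACEs expressed only as generic rights and the permissions of the containing directory are not evaluated by this check.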
#### Proof-of-concept:
*none*
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/