Injection Vulnerabilities in Polycom HDX Systems Web Interface

Overview

Researched By: WootCloud IOT Threat Labs (WITL)

Tested Firmware: Polycom HDX Systems 3.1.12 Firmware
(https://support.polycom.com/content/dam/polycom-support/products/telepresence-and-video/hdx-series/release-notes/en/3725-2398a-079a-hdx3.1.12-rel-notes.pdf)

Vulnerable Systems: Polycom HDX 4000 to 9000 series systems running firmware 3.1.12 or earlier.

Issue: Cross-site Scripting (XSS) Vulnerability in “Remote Access Settings” Component

Details: The “message” HTTP parameter of the “remoteaccesssettings.htm” component (reached through the “Failed&message=” query string) is prone to a reflected XSS vulnerability. The component fails to validate the arbitrary input passed by the user and reflects it into the page, so the JavaScript payload executes in the context of the user's session. The following payload was used to validate the vulnerability:

  • Payload: ';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>
  • URL: https://[polycom_hdx_system]/a_remoteaccesssettings.htm?FAILED&message=';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>

XSS vulnerabilities can be used to execute malicious code or steal session details via injected JavaScript. Successful execution of the payload is shown below:

For more details about the issue, refer: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Recommendation: It is advised that arbitrary input passed by the user should be sanitized, filtered and validated on the server side.
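The reflection pattern the advisory describes, next to two server-side fixes and a log-review check, as an added Python example (not Polycom's code; the hostname, the status-code table and its text are constructed assumptions):

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed reproduction of the advisory's PoC; the host and the status-message
# table below are assumptions, not values taken from Polycom's firmware.
POC_PAYLOAD = ("';--\"/>\"/><h1><iframe src=\"JavaScript:alert(/Injected_via_Iframe/)\">"
               "</iframe><br/><br/><a href=\"JavaScript:alert(document.cookie);\">"
               "[INJECTED PAYLOAD]</a></h1>")
POC_URL = ("https://polycom-hdx.example/a_remoteaccesssettings.htm?FAILED&message="
           + POC_PAYLOAD)

def message_param(url: str) -> str:
    """Return the decoded 'message' query parameter, or '' if it is absent."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "message":
            return unquote(value)
    return ""

def render_vulnerable(message: str) -> str:
    """The pattern the advisory describes: the parameter is written into the page as-is."""
    return f'<div class="status">{message}</div>'

def render_escaped(message: str) -> str:
    """Minimal fix: HTML-encode the value so the browser treats it as text, not markup."""
    return f'<div class="status">{html.escape(message, quote=True)}</div>'

# Stronger fix: a status banner only ever needs a few fixed strings, so map an
# allow-listed code to server-side text and never reflect free-form input at all.
STATUS_TEXT = {"auth_failed": "Authentication failed.", "saved": "Settings saved."}

def render_allowlisted(code: str) -> str:
    """Unknown codes fall back to a fixed message; caller-supplied text never reaches the page."""
    return f'<div class="status">{html.escape(STATUS_TEXT.get(code, "Unknown status."))}</div>'

def looks_like_xss_probe(message: str) -> bool:
    """Log-review heuristic: markup or a script URL inside a plain status parameter."""
    compact = message.lower().replace(" ", "")
    return "<" in compact or "javascript:" in compact

if __name__ == "__main__":
    msg = message_param(POC_URL)
    print(render_vulnerable(msg))   # iframe and anchor survive intact
    print(render_escaped(msg))      # rendered as inert text
    print(render_allowlisted(msg))  # falls back to "Unknown status."
    print(looks_like_xss_probe(msg))
```

The allow-list variant is the one to prefer for a fixed status banner; escaping is the minimum needed wherever free-form text genuinely has to be reflected.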
