Researched By: WootCloud IOT Threat Labs (WITL) [email@example.com]
Date: June 4th, 2018
Tested Firmware: Polycom HDX Systems 3.1.12 Firmware (https://support.polycom.com/content/dam/polycom-support/products/telepresence-and-video/hdx-series/release-notes/en/3725-2398a-079a-hdx3.1.12-rel-notes.pdf)
Vulnerable Systems: Polycom HDX 4000 – 9000 systems running firmware 3.1.12 or earlier.
Issue 1: Cross-site Scripting (XSS) Vulnerability in “Closed Caption” Component
For more details about the issue, refer to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Recommendation: It is advised that arbitrary user-supplied input be sanitized, filtered and validated on the server side.
Issue 2: Design: HTTP Verb Tampering Allowed by Embedded Web Server
Details: The embedded web server deployed in Polycom HDX systems allows HTTP verb tampering. The server does not restrict requests to specific verbs, so resources can be reached by changing the HTTP verb (for example, HTTP POST to HTTP GET), which widens the attack surface.
HTTP Verb Tampering is an attack that exploits weaknesses in HTTP verb (also known as HTTP method) based authentication and access control mechanisms. Many authentication mechanisms only limit access for the most common HTTP methods, thus allowing unauthorized access to restricted resources through other HTTP methods.
The POC is shown below:
The “a_importdirectoryascsv.cgi” script expects an HTTP POST request issued by the browser, carrying the HTTP parameters “importimage.x”, “importimage.y” and “htmlfile”, in order to download the directory information from the “lighttpd” server.
However, if the HTTP verb is changed from POST to GET, the web server still accepts the request and dumps the directory details in “_importdirectoryascsv.cgi”, as shown below:
For more details about HTTP Verb Tampering, refer here:
Recommendation: Make sure HTTP methods are validated and configured securely. For more details, refer to http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
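To make the recommendation concrete, here is an added Python example (not Polycom's code; the handlers, the sample directory and the `call` driver are hypothetical, only the parameter names come from the advisory): a permissive WSGI handler that serves the directory export for any verb as long as the parameters are present, beside a hardened one that rejects everything but POST before it reads any parameter.

```python
from io import BytesIO
from urllib.parse import parse_qs

# Constructed sample directory; stands in for the device's real directory data.
DIRECTORY = [("Alice Example", "alice@example.com"), ("Bob Example", "bob@example.com")]
REQUIRED = {"importimage.x", "importimage.y", "htmlfile"}  # parameters named in the advisory

def export_csv():
    return "".join(f"{name},{addr}\n" for name, addr in DIRECTORY)

def body_params(environ):
    """Parse only the POST body; query-string parameters are deliberately ignored."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}

def vulnerable_app(environ, start_response):
    """Permissive handler: merges query string and body and never checks the verb."""
    params = {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    if environ.get("REQUEST_METHOD") == "POST":
        params.update(body_params(environ))
    if REQUIRED.issubset(params):
        start_response("200 OK", [("Content-Type", "text/csv")])
        return [export_csv().encode()]
    start_response("400 Bad Request", [("Content-Type", "text/plain")])
    return [b"missing parameters\n"]

def hardened_app(environ, start_response):
    """Validates the verb first: anything but POST gets 405 plus an Allow header."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"method not allowed\n"]
    if not REQUIRED.issubset(body_params(environ)):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"missing parameters\n"]
    start_response("200 OK", [("Content-Type", "text/csv")])
    return [export_csv().encode()]

def call(app, method, query="", body=""):
    """Drive a WSGI app with a constructed request; returns (status line, response text)."""
    raw = body.encode()
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": BytesIO(raw)}
    captured = {}
    out = b"".join(app(environ, lambda status, headers: captured.setdefault("status", status)))
    return captured["status"], out.decode()

if __name__ == "__main__":
    q = "importimage.x=1&importimage.y=1&htmlfile=directory.csv"
    print(call(vulnerable_app, "GET", query=q)[0], call(hardened_app, "GET", query=q)[0])
```

With the same parameters moved into the query string, the permissive handler answers a GET with the full CSV while the hardened one returns 405; a real deployment would enforce the same verb check in the web server configuration as well, so a CGI script is never reached through an unexpected method.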