var-201109-0092
Vulnerability from variot
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. The LifeSize Room appliance contains an authentication bypass vulnerability and an arbitrary code injection vulnerability because it fails to sanitize input from unauthenticated clients. LifeSize Room is a high-definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11. By: Spencer McIntyre (zeroSteiner), SecureState R&D Team, www.securestate.com
Background:
Multiple vulnerabilities within the LifeSize Room appliance.
Vulnerability Summaries:
Login page can be bypassed, granting administrative access to the web interface. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy.
Authentication Bypass:
Following the request to /gateway.php that references the LSRoom_Remoting.authenticate function, modify the AMF data in the response from the server to change "false" to "true". That a changed response is sufficient indicates the login result is acted on by the client rather than enforced by the server. Example: Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00" Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01"
Command Injection:
The request to /gateway.php references a vulnerable function, LSRoom_Remoting.doCommand, within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status". Replace this part with the command to be executed. Authentication to the web application is not necessary; however, a valid PHP session ID must be passed within the request.
References:
CVE-2011-2762 - authentication bypass; CVE-2011-2763 - OS command injection (the CVE this entry is filed under)
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201109-0092",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "room appliance software",
"scope": "eq",
"trust": 1.0,
"vendor": "lifesize",
"version": "4.7.18"
},
{
"model": "room appliance software",
"scope": "eq",
"trust": 1.0,
"vendor": "lifesize",
"version": "ls_rm1_3.5.3"
},
{
"model": "communications lifesize room",
"scope": "eq",
"trust": 0.9,
"vendor": "lifesize",
"version": "3.5.3"
},
{
"model": "communications lifesize room",
"scope": "eq",
"trust": 0.9,
"vendor": "lifesize",
"version": "4.7.18"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "logitech",
"version": null
},
{
"model": "room",
"scope": "eq",
"trust": 0.8,
"vendor": "lifesize",
"version": "4.7.18"
},
{
"model": "room",
"scope": "eq",
"trust": 0.8,
"vendor": "lifesize",
"version": "ls_rm1_3.5.3 (11)"
},
{
"model": "room appliance",
"scope": null,
"trust": 0.6,
"vendor": "lifesize",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"db": "BID",
"id": "49330"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:lifesize:lifesize_room_appliance_software",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Spencer McIntyre",
"sources": [
{
"db": "BID",
"id": "49330"
},
{
"db": "PACKETSTORM",
"id": "104535"
}
],
"trust": 0.4
},
"cve": "CVE-2011-2763",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2011-2763",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2011-2763",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#213486",
"trust": 0.8,
"value": "1.36"
},
{
"author": "NVD",
"id": "CVE-2011-2763",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201109-002",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. \nLifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11\nBy: Spencer McIntyre (zeroSteiner) SecureState R\u0026D Team\nwww.securestate.com\n\n\nBackground:\n-----------\nMultiple vulnerabilities within the LifeSize Room appliance. \n\n\nVulnerability Summaries:\n------------------------\nLogin page can be bypassed, granting administrative access to the web interface. \nUnauthenticated OS command injection is possible through the web interface. \nThe easiest way to perform these attacks is using a web proxy. \n\n\nAuthentication By Pass:\n-----------------------\nFollowing the request to /gateway.php that references the LSRoom_Remoting.authenticate\nfunction, modify the AMF data in the response from the server to change \"false\" to \"true\"\nExample:\nOriginal False AMF: \"\\x0d\\x0a\\x0d\\x0a\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x0c\\x2f\\x35\\x37\\x2f\\x6f\\x6e\\x52\\x65\\x73\\x75\\x6c\\x74\\x00\\x04\\x6e\\x75\\x6c\\x6c\\x00\\x00\\x00\\x02\\x01\\x00\"\nModified True AMF: \"\\x0d\\x0a\\x0d\\x0a\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x0c\\x2f\\x35\\x37\\x2f\\x6f\\x6e\\x52\\x65\\x73\\x75\\x6c\\x74\\x00\\x04\\x6e\\x75\\x6c\\x6c\\xff\\xff\\xff\\xff\\x01\\x01\"\n\n\nCommand Injection:\n------------------\nThe request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand\nwithin the encoded AMF data. 
The original parameter for the vulnerable function is\n\"pref -l /var/system/upgrade/status\" Replace this part with the command to be executed. \nAuthentication to the web application is not necessary however a valid PHP session ID\nmust be passed within the request. \n\n\nReferences:\n-----------\nCVE-2011-2762 - authentication bypass\nCVE-2011-2763 - OS command injection\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-2763"
},
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"db": "BID",
"id": "49330"
},
{
"db": "PACKETSTORM",
"id": "104535"
}
],
"trust": 3.24
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2011-2763",
"trust": 3.4
},
{
"db": "BID",
"id": "49330",
"trust": 3.3
},
{
"db": "CERT/CC",
"id": "VU#213486",
"trust": 3.2
},
{
"db": "EXPLOIT-DB",
"id": "17743",
"trust": 1.6
},
{
"db": "XF",
"id": "69444",
"trust": 1.4
},
{
"db": "SREASON",
"id": "8363",
"trust": 1.0
},
{
"db": "SREASON",
"id": "8527",
"trust": 1.0
},
{
"db": "OSVDB",
"id": "75212",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2011-3534",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20110828 LIFESIZE ROOM VULNERABILITIES",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "104535",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"db": "BID",
"id": "49330"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "PACKETSTORM",
"id": "104535"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"id": "VAR-201109-0092",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2011-3534"
}
],
"trust": 1.4333333000000001
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2011-3534"
}
]
},
"last_update_date": "2024-11-23T22:35:35.075000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "LifeSize Room",
"trust": 0.8,
"url": "http://www.lifesize.com/Products/Video/LifeSize_Room_Series/Room.aspx"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "http://www.securityfocus.com/bid/49330"
},
{
"trust": 2.4,
"url": "http://www.kb.cert.org/vuls/id/213486"
},
{
"trust": 1.6,
"url": "http://www.securestate.com/documents/lifesize_room_advisory.txt"
},
{
"trust": 1.6,
"url": "http://www.exploit-db.com/exploits/17743"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/69444"
},
{
"trust": 1.0,
"url": "http://securityreason.com/securityalert/8363"
},
{
"trust": 1.0,
"url": "http://securityreason.com/securityalert/8527"
},
{
"trust": 1.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69444"
},
{
"trust": 1.0,
"url": "http://www.securityfocus.com/archive/1/519463/100/0/threaded"
},
{
"trust": 0.8,
"url": "about vulnerability notes"
},
{
"trust": 0.8,
"url": "contact us about this vulnerability"
},
{
"trust": 0.8,
"url": "provide a vendor statement"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2763"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu213486"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2763"
},
{
"trust": 0.8,
"url": "http://osvdb.org/75212"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/519463/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.lifesize.com/products/video/lifesize_room_series/room.aspx"
},
{
"trust": 0.1,
"url": "https://www.securestate.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2762"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2763"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"db": "BID",
"id": "49330"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "PACKETSTORM",
"id": "104535"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#213486"
},
{
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"db": "BID",
"id": "49330"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"db": "PACKETSTORM",
"id": "104535"
},
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-08-29T00:00:00",
"db": "CERT/CC",
"id": "VU#213486"
},
{
"date": "2011-09-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"date": "2011-08-26T00:00:00",
"db": "BID",
"id": "49330"
},
{
"date": "2011-09-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"date": "2011-08-28T21:18:57",
"db": "PACKETSTORM",
"id": "104535"
},
{
"date": "2011-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"date": "2011-09-02T16:55:04.943000",
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-10-19T00:00:00",
"db": "CERT/CC",
"id": "VU#213486"
},
{
"date": "2011-09-07T00:00:00",
"db": "CNVD",
"id": "CNVD-2011-3534"
},
{
"date": "2011-08-26T00:00:00",
"db": "BID",
"id": "49330"
},
{
"date": "2011-09-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-002227"
},
{
"date": "2011-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201109-002"
},
{
"date": "2024-11-21T01:28:55.337000",
"db": "NVD",
"id": "CVE-2011-2763"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability",
"sources": [
{
"db": "CERT/CC",
"id": "VU#213486"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201109-002"
}
],
"trust": 0.6
}
}