Details of VAR-201109-0092

ID

VAR-201109-0092

CVE

CVE-2011-2763

TITLE

LifeSize Room appliance authentication bypass and arbitrary code injection vulnerability

Trust: 0.8

sources: CERT/CC: VU#213486

DESCRIPTION

The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php. LifeSize Room appliance contains an authentication bypass and arbitrary code injection vulnerability when failing to sanitize input from unauthenticated clients. LifeSize Room is a high definition video conferencing device. LifeSize Room is prone to a security-bypass vulnerability and a command-injection vulnerability. LifeSize Room versions 3.5.3 and 4.7.18 are affected; other versions may also be vulnerable. Discovered: 07-13-11 By: Spencer McIntyre (zeroSteiner) SecureState R&D Team www.securestate.com Background: ----------- Multiple vulnerabilities within the LifeSize Room appliance. Vulnerability Summaries: ------------------------ Login page can be bypassed, granting administrative access to the web interface. Unauthenticated OS command injection is possible through the web interface. The easiest way to perform these attacks is using a web proxy. Authentication By Pass: ----------------------- Following the request to /gateway.php that references the LSRoom_Remoting.authenticate function, modify the AMF data in the response from the server to change "false" to "true" Example: Original False AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\x00\x00\x00\x02\x01\x00" Modified True AMF: "\x0d\x0a\x0d\x0a\x00\x00\x00\x00\x00\x01\x00\x0c\x2f\x35\x37\x2f\x6f\x6e\x52\x65\x73\x75\x6c\x74\x00\x04\x6e\x75\x6c\x6c\xff\xff\xff\xff\x01\x01" Command Injection: ------------------ The request to /gateway.php references a vulnerable function LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is "pref -l /var/system/upgrade/status" Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request. References: ----------- CVE-2011-2762 - authentication bypass CVE-2011-2763 - OS command injection

Trust: 3.24

sources: NVD: CVE-2011-2763 // CERT/CC: VU#213486 // JVNDB: JVNDB-2011-002227 // CNVD: CNVD-2011-3534 // BID: 49330 // PACKETSTORM: 104535

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2011-3534

AFFECTED PRODUCTS

vendor:	lifesize	model:	room appliance software	scope:	eq	version:	4.7.18	Trust: 1.0
vendor:	lifesize	model:	room appliance software	scope:	eq	version:	ls_rm1_3.5.3	Trust: 1.0
vendor:	lifesize	model:	communications lifesize room	scope:	eq	version:	3.5.3	Trust: 0.9
vendor:	lifesize	model:	communications lifesize room	scope:	eq	version:	4.7.18	Trust: 0.9
vendor:	logitech	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	lifesize	model:	room	scope:	eq	version:	4.7.18	Trust: 0.8
vendor:	lifesize	model:	room	scope:	eq	version:	ls_rm1_3.5.3 (11)	Trust: 0.8
vendor:	lifesize	model:	room appliance	scope:	-	version:	-	Trust: 0.6

sources: CERT/CC: VU#213486 // CNVD: CNVD-2011-3534 // BID: 49330 // JVNDB: JVNDB-2011-002227 // CNNVD: CNNVD-201109-002 // NVD: CVE-2011-2763

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-2763
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#213486
value:	1.36
Trust: 0.8
NVD:	CVE-2011-2763
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201109-002
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2011-2763
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: CERT/CC: VU#213486 // JVNDB: JVNDB-2011-002227 // CNNVD: CNNVD-201109-002 // NVD: CVE-2011-2763

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2011-002227 // NVD: CVE-2011-2763

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201109-002

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201109-002

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-002227

PATCH

title:

LifeSize Room

url:

http://www.lifesize.com/Products/Video/LifeSize_Room_Series/Room.aspx

Trust: 0.8

sources: JVNDB: JVNDB-2011-002227

EXTERNAL IDS

db:	NVD	id:	CVE-2011-2763	Trust: 3.4
db:	BID	id:	49330	Trust: 3.3
db:	CERT/CC	id:	VU#213486	Trust: 3.2
db:	EXPLOIT-DB	id:	17743	Trust: 1.6
db:	XF	id:	69444	Trust: 1.4
db:	SREASON	id:	8527	Trust: 1.0
db:	SREASON	id:	8363	Trust: 1.0
db:	OSVDB	id:	75212	Trust: 0.8
db:	JVNDB	id:	JVNDB-2011-002227	Trust: 0.8
db:	CNVD	id:	CNVD-2011-3534	Trust: 0.6
db:	BUGTRAQ	id:	20110828 LIFESIZE ROOM VULNERABILITIES	Trust: 0.6
db:	CNNVD	id:	CNNVD-201109-002	Trust: 0.6
db:	PACKETSTORM	id:	104535	Trust: 0.1

sources: CERT/CC: VU#213486 // CNVD: CNVD-2011-3534 // BID: 49330 // JVNDB: JVNDB-2011-002227 // PACKETSTORM: 104535 // CNNVD: CNNVD-201109-002 // NVD: CVE-2011-2763

REFERENCES

url:	http://www.securityfocus.com/bid/49330	Trust: 3.0
url:	http://www.kb.cert.org/vuls/id/213486	Trust: 2.4
url:	http://www.securestate.com/documents/lifesize_room_advisory.txt	Trust: 1.6
url:	http://www.exploit-db.com/exploits/17743	Trust: 1.6
url:	http://xforce.iss.net/xforce/xfdb/69444	Trust: 1.4
url:	http://securityreason.com/securityalert/8527	Trust: 1.0
url:	http://www.securityfocus.com/archive/1/519463/100/0/threaded	Trust: 1.0
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/69444	Trust: 1.0
url:	http://securityreason.com/securityalert/8363	Trust: 1.0
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-2763	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu213486	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-2763	Trust: 0.8
url:	http://osvdb.org/75212	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/519463/100/0/threaded	Trust: 0.6
url:	http://www.lifesize.com/products/video/lifesize_room_series/room.aspx	Trust: 0.3
url:	https://www.securestate.com	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2762	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2763	Trust: 0.1

sources: CERT/CC: VU#213486 // CNVD: CNVD-2011-3534 // BID: 49330 // JVNDB: JVNDB-2011-002227 // PACKETSTORM: 104535 // CNNVD: CNNVD-201109-002 // NVD: CVE-2011-2763

CREDITS

Spencer McIntyre

Trust: 0.4

sources: BID: 49330 // PACKETSTORM: 104535

SOURCES

db:	CERT/CC	id:	VU#213486
db:	CNVD	id:	CNVD-2011-3534
db:	BID	id:	49330
db:	JVNDB	id:	JVNDB-2011-002227
db:	PACKETSTORM	id:	104535
db:	CNNVD	id:	CNNVD-201109-002
db:	NVD	id:	CVE-2011-2763

LAST UPDATE DATE

2025-04-11T22:59:26.439000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#213486	date:	2011-10-19T00:00:00
db:	CNVD	id:	CNVD-2011-3534	date:	2011-09-07T00:00:00
db:	BID	id:	49330	date:	2011-08-26T00:00:00
db:	JVNDB	id:	JVNDB-2011-002227	date:	2011-09-22T00:00:00
db:	CNNVD	id:	CNNVD-201109-002	date:	2011-09-05T00:00:00
db:	NVD	id:	CVE-2011-2763	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#213486	date:	2011-08-29T00:00:00
db:	CNVD	id:	CNVD-2011-3534	date:	2011-09-07T00:00:00
db:	BID	id:	49330	date:	2011-08-26T00:00:00
db:	JVNDB	id:	JVNDB-2011-002227	date:	2011-09-22T00:00:00
db:	PACKETSTORM	id:	104535	date:	2011-08-28T21:18:57
db:	CNNVD	id:	CNNVD-201109-002	date:	2011-09-05T00:00:00
db:	NVD	id:	CVE-2011-2763	date:	2011-09-02T16:55:04.943