#### Title: Polycom BToE Connector up to version 2.3.0 allows unprivileged windows users to execute arbitrary code with SYSTEM privileges.
#### Type of vulnerability: Privilege Escalation ##### Exploitation vector: local ##### Attack outcome: Code execution with SYSTEM privileges. #### Impact: CVSS Base Score 6,2 CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N) #### Software/Product name: Polycom BToE Connector #### Affected versions: All Versions including 2.3.0 #### Fixed in version: Version 3.0.0 (Released March 2015) #### Vendor: Polycom Inc. #### CVE number: CVE-2015-8300 #### Timeline * `2014-12-19` identification of vulnerability * `2015-01-01` vendor contacted via customer * `2015-03-01` vendor released fixed version 3.0.0 * `2015-07-14` contact cve-request@mitre. #### Credits: Severin Winkler `swink...@sba-research.org` (SBA Research) Ulrich Bayer `uba...@sba-research.org` (SBA Research) #### References: Download secure version 3.0.0 http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html #### Description: The Polycom BToE Connector Version up to version 2.3.0 allows a local user to gain local administrator privileges. The software creates a windows service running with SYSTEM privileges using the following file (standard installation path): C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe The default installation allows everyone to replace the plcmbtoesrv.exe file allowing unprivileged users to execute arbitrary commands on the windows host. #### Proof-of-concept: *none*
0x58F775B2.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
