CVE-2015-8300: Polycom BToE Connector v2.3.0 Privilege Escalation Vulnerability

[SBA Research Advisory <advisory () sba-research org>]

#### Title:
Polycom BToE Connector up to version 2.3.0 allows unprivileged windows
users to execute arbitrary code with SYSTEM privileges.

#### Type of vulnerability:
Privilege Escalation
##### Exploitation vector:
local
##### Attack outcome:
Code execution with SYSTEM privileges.
#### Impact:
CVSS Base Score 6,2
CVSS v2 Vector (AV:L/AC:L/Au:S/C:C/I:C/A:N)
#### Software/Product name:
Polycom BToE Connector
#### Affected versions:
All Versions including 2.3.0

#### Fixed in version:
Version 3.0.0 (Released March 2015)

#### Vendor:
Polycom Inc.
#### CVE number:
CVE-2015-8300
#### Timeline
* `2014-12-19` identification of vulnerability
* `2015-01-01` vendor contacted via customer
* `2015-03-01` vendor released fixed version 3.0.0
* `2015-07-14` contact cve-request@mitre.

#### Credits:
Severin Winkler `swinkler () sba-research org` (SBA Research)
Ulrich Bayer `ubayer () sba-research org` (SBA Research)
#### References:
Download secure version 3.0.0
http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCagreement_BToE_3_0_0.html

#### Description:
The Polycom BToE Connector Version up to version 2.3.0 allows a local
user to gain
local administrator privileges.

The software creates a windows service running with SYSTEM privileges
using the following file (standard installation path):

C:\program files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe

The default installation allows everyone to replace the plcmbtoesrv.exe
file allowing unprivileged users to execute arbitrary commands on the
windows host.

#### Proof-of-concept:
*none*

Attachment: 0x58F775B2.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/