Today, SecureState is releasing details regarding new vulnerabilities within the LifeSize Room appliance. Both of these vulnerabilities target the web interface and can ultimately lead to code execution on the underlying operating system.
The first vulnerability that was found is an authentication bypass. It is triggered when a user alters the AMF data in a response from the server from false to true. This simple attack is an example of why client-side applications should not be relied upon for security. Successfully leveraging this vulnerability permits administrative access to the web console.
The second and more serious vulnerability permits unauthenticated, arbitrary command execution on the host operating system. This vulnerability exploits a command in the LSRoom_Remoting.doCommand function within a request to the /gateway.php resource. An attacker can change the original value of:
pref -l /var/system/upgrade/status
to an arbitrary command that will be executed with the permissions of the apache user. The detailed advisory can be found here.
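The server-side pattern whose absence both vulnerabilities illustrate, as an added example that is not taken from the advisory or from LifeSize's code: authentication state lives on the server, and the client names an action instead of supplying the command string. The names `SessionStore`, `upgrade_status` and the `runner` parameter are assumptions made for illustration.

```python
import hmac
import secrets

# Assumption: each action maps to a fixed argv. The client never sends the
# command text itself, only the action name.
ALLOWED_ACTIONS = {
    "upgrade_status": ["pref", "-l", "/var/system/upgrade/status"],
}


class SessionStore:
    """Server-side login state; the client holds only an opaque token."""

    def __init__(self):
        self._authenticated = set()

    def login(self, password, expected):
        # The decision is recorded here, not in a flag sent to the client,
        # so editing a response from false to true changes nothing.
        if not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        token = secrets.token_hex(16)
        self._authenticated.add(token)
        return token

    def is_authenticated(self, token):
        return isinstance(token, str) and token in self._authenticated


def do_command(sessions, token, action, runner):
    """Hardened counterpart of a doCommand-style handler (hypothetical).

    runner receives an argv list, e.g. a wrapper around
    subprocess.run(argv, shell=False); it is injected so the example runs
    on a host without the appliance's binaries.
    """
    if not sessions.is_authenticated(token):
        raise PermissionError("not authenticated")
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        # Anything that is not a known action name is rejected, including
        # a full command string in place of the name.
        raise ValueError("unknown action")
    return runner(list(argv))
```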
Two CVEs have been reserved for these vulnerabilities:
CVE-2011-2762 – Authentication Bypass
CVE-2011-2763 – OS Command Injection
A Metasploit module for the command injection vulnerability can be found here.