Allele Security Alert
ASA-2019-00046
Identifier(s)
ASA-2019-00046, CVE-2019-7632
Title
Authenticated Remote OS Command Injection
Vendor(s)
Lifesize
Product(s)
Lifesize Team
Lifesize Room
Lifesize Passport
Lifesize Networker
Affected version(s)
All versions
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
All LifeSize products that use PHP for the web GUI are affected by multiple OS command injection vulnerabilities.
Technical details
Looking at the PHP code of mtusize.php under /support/ for example:
$new_mtu_size = $_REQUEST['mtu_size'];   // untrusted request parameter, taken as-is
{
    print("<hr>\n");
    // $new_mtu_size is interpolated, unquoted and unvalidated, into the shell command line
    $output = shell_exec("/usr/local/lifesize/cli/mtusize set $new_mtu_size");
    echo "<pre>$output</pre>";
}
The user-supplied value is read verbatim from $_REQUEST['mtu_size'] and passed without any validation into shell_exec, so an authenticated attacker can append arbitrary commands that run on the appliance. For example, the value "1;whoami" causes the shell to run whoami after the mtusize command.
The directory /support/ requires authentication, but the default credentials are cli:lifesize, which in many deployments removes the authentication barrier in practice.
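As an added illustration (not LifeSize's code), this is how the mtusize.php handler quoted above could be hardened: the parameter is validated as an integer in a bounded range before it is ever near a shell, and the argument is quoted as defence in depth. The MTU bounds and the use of POST-only handling are assumptions for the example; the script path and CLI tool come from the advisory.

```php
<?php
// Hardened rewrite of the /support/mtusize.php handler (added example, not vendor code).
// Assumptions: an MTU between 68 and 9000 is acceptable; state changes are POST-only.

function validate_mtu(string $raw): ?int
{
    // Accept only a plain decimal integer within range. Anything else, including
    // a value such as "1;whoami", is rejected here and never reaches shell_exec.
    $mtu = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 68, 'max_range' => 9000],
    ]);
    return $mtu === false ? null : $mtu;
}

function build_mtu_command(int $mtu): string
{
    // $mtu is already a validated integer; escapeshellarg() additionally guarantees
    // the argument can never be parsed as shell syntax if the type check ever changes.
    return '/usr/local/lifesize/cli/mtusize set ' . escapeshellarg((string) $mtu);
}

// Use $_POST rather than $_REQUEST so the value cannot be supplied via GET or cookie.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['mtu_size'])) {
    http_response_code(405);
    exit('POST with mtu_size is required');
}

$mtu = validate_mtu((string) $_POST['mtu_size']);
if ($mtu === null) {
    http_response_code(400);
    exit('mtu_size must be an integer between 68 and 9000');
}

print("<hr>\n");
$output = shell_exec(build_mtu_command($mtu));
// Encode the tool's output before echoing it so it cannot inject HTML into the page.
echo '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
```

The same pattern applies to the other PHP handlers the advisory describes: validate each parameter against the narrow type the CLI tool actually expects, and never interpolate raw request data into a command string.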
Credits
Simon Kenin (Trustwave)
Reference(s)
Trustwave SpiderLabs Security Advisory TWSL2019-001: Vulnerabilities in LifeSize Products
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=22113
Lifesize Team, Room, Passport & Networker Remote OS Command Injection
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lifesize-team-room-passport-networker-remote-os-command-injection/
CVE-2019-7632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7632
CVE-2019-7632
https://nvd.nist.gov/vuln/detail/CVE-2019-7632
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 10, 2019