A security researcher from security firm Trustwave has found a vulnerability that could allow hackers to take over videoconferencing devices made by Lifesize. Some of the affected products have reached end-of-sale or end-of-support, but are still widely used by organizations around the world in meeting rooms.
The vulnerability is located in the firmware of Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker, an IP and ISDN videoconferencing gateway, particularly in their PHP-based support interfaces.
The flaw allows for command injection and is caused by improper sanitization of user input passed to the PHP shell_exec function. A malicious user with access to the support interface can leverage it to execute commands on the underlying operating system with the permissions of the apache account.
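An illustration of the flaw class described above, added here and not code from the Lifesize firmware or the Trustwave advisory: a hypothetical support-page handler that interpolates a request parameter into a shell_exec call, beside a hardened form that validates the value against a strict pattern and quotes it with escapeshellarg. The `ping` command and the parameter name are assumptions for the example only.

```php
<?php
// Added example (not Lifesize code): a vulnerable support-interface handler
// next to a hardened version of the same function.

// VULNERABLE: the request parameter is concatenated into the command line
// unchanged, so shell metacharacters in it (';', '|', '$(...)', backticks)
// are interpreted by the shell and run as the web server user ("apache").
function ping_host_vulnerable(string $host): string {
    $out = shell_exec("ping -c 1 " . $host);
    return is_string($out) ? $out : '';
}

// HARDENED: reject anything that is not a plausible hostname or IPv4 literal,
// then quote the value so the shell sees it as one literal argument.
function ping_host_hardened(string $host): string {
    // Hypothetical allowlist: letters, digits, dots and hyphens, bounded length.
    if (strlen($host) === 0 || strlen($host) > 253
        || !preg_match('/^[A-Za-z0-9.-]+$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded quotes, so metacharacters cannot terminate the argument.
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// Typical handler wiring (assumed parameter name). The allowlist check, not
// just the quoting, is what keeps unexpected input out of the command.
if (PHP_SAPI !== 'cli' && isset($_GET['host'])) {
    try {
        header('Content-Type: text/plain');
        echo ping_host_hardened((string) $_GET['host']);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo "bad request\n";
    }
}
```

Where the command's arguments are fixed, proc_open with an argument array (PHP 7.4 and later) avoids invoking a shell at all and removes the injection surface entirely.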
At first glance, this is not a critical issue because it requires authentication and because the apache user has limited privileges on the OS. However, there are two additional issues that make the problem worse.
First, the Lifesize devices ship with a default support account and password that can give attackers an easy way to access the interface. Many users never change these default credentials.
The second is an older privilege escalation vulnerability that has been reported to Lifesize by another researcher and which hasn’t been fixed. This vulnerability could allow an attacker to gain full privileges on the device.
By combining the three issues—default support credentials, the command injection vulnerability and the privilege escalation flaw—an attacker can take complete control over the system remotely. If the device is publicly exposed to the internet, this kind of access can give attackers a foothold into the corporate network from which they can target other systems.
“I wrote a python PoC [proof-of-concept] exploit that achieves full RCE on those Lifesize products and provided it to Lifesize with the advisory,” the Trustwave researcher said in an advisory published today. “The PoC takes an argument which is an IP of Lifesize product and tries to connect with the default credentials, then it crafts a malicious request which injects code with a payload that would escalate from Apache user into root and would spawn a reverse shell with root privileges.”
The Shodan search engine shows 372 Lifesize devices in universities around the globe that are accessible to the internet. However, the company’s services and devices are used by thousands of companies worldwide.
According to Trustwave, Lifesize initially was hesitant to fix the vulnerability because the affected devices are considered legacy and are no longer being sold. However, just before the release of the advisory, the company informed Trustwave that it has developed a hotfix for the Lifesize 220 Series systems and encourages all customers to contact its support department to obtain it.
Trustwave will delay the publishing of the proof-of-concept exploit for two weeks, until Feb. 21, to give systems administrators the opportunity to deploy the patch. Once the PoC becomes available, it will be very easy for hackers to target these devices, so organizations that have them on their networks should deploy the patch as soon as possible and isolate the devices from the internet.