A zero-day vulnerability found in a video-conferencing system and responsibly disclosed led to the response, “Our developers are aware of some known vulnerabilities with the systems, development for these devices has slowed significantly as they are End of Life. For devices that are still under support, we may target future releases.”
This left the vulnerability finder — Trustwave SpiderLabs’ researcher Simon Kenin — with a quandary: make public the vulnerability so that users would be aware of the threat and attackers might use it, or just sit on it. Shodan shows there are 372 Lifesize devices in universities around the world. The Lifesize website claims, “Tens of thousands of organizations around the world use Lifesize.”
The vulnerability, amounting to multiple command injection flaws, is trivial to exploit and was found in all versions of four Lifesize products: Team, Room, Passport and Networker. It requires access to the firmware, which can only be obtained with a valid serial number. However, with that serial number, an attacker can obtain the firmware. The attack requires access to the Lifesize support function, but the device comes with a default support account.
The Lifesize problem is nothing more than a lack of sanitization: user provided input is passed direct to the PHP shell_exec function, which executes system commands as the webserver user. The value to the attacker is limited, but nevertheless gets him a foothold on the server.
However, by combining this new command injection vulnerability with a separate — and also unfixed — privilege escalation bug, Kenin blogged he “could achieve root privileges on the Lifesize product’s system and have full persistence on the device and its underlying corporate network.” He wrote a full python PoC exploit and provided it with his disclosure to Lifesize in November 2018.
He had no reply from Lifesize. In January 2019 he tried again — and this is when he was told there would be no fix. “It is always a dilemma when you go public with an advisory after a responsible disclosure process that does not result in a fix,” he wrote. “On one hand, I could simply trash my work on this research and keep attention off of it… But,” he added, “for all we know, a malicious attacker could already have in their possession the same knowledge that I do and may be actively using this exploit to infiltrate corporate networks.”
With no sign of a patch, he decided he would have to go to full disclosure — but this story has a happy ending. The day before he was due to publish his findings, Lifesize issued a statement: “We encourage all customers using Lifesize 220 Series systems to contact Lifesize support for a hotfix. Our support teams can be reached by telephone, email or by opening a support ticket.”
Kenin decided to publish his findings (Advisory TWSL2019-001), but withhold publishing the exploit for two weeks (it will be appended to the advisory).
“We will hold the PoC for two weeks until Thursday, February 21st in order to give users a chance to apply the hotfix,” wrote Kenin. “At that time we will release the PoC code to provide users, administrators and network security professionals with the technical details and tools to validate whether they are still vulnerable. This PoC will be added directly to the advisory.”