cbcvebase.
CVE-2011-2763
published 2011-09-02

CVE-2011-2763: The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to…

PriorityP267high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
36.12%
98.3th percentile
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php.

Affected

2 ranges
VendorProductVersion rangeFixed in
lifesizelifesize_room_appliance_software
lifesizelifesize_room_appliance_software

Detection & IOCsextracted from sources · hover to see the quote

path/gateway.php
path/interface/interface.php
commandLSRoom_Remoting.doCommand
cookiePHPSESSID
bytes
\x00\x00\x00\x00\x00\x01\x00\x19LSRoom_Remoting.doCommand\x00\x02\x2f\x37\xff\xff\xff\xff\x0a\x00\x00\x00\x02\x02
bytes
\x00\x00\x00\x00\x00\x02\x00\x1bLSRoom_Remoting.amfphpLogin\x00\x02/1\x00\x00\x00\x05\x0a\x00\x00\x00\x00\x00\x17LSRoom_Remoting.getHost\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00
  • Detect exploit attempts by monitoring POST requests to /gateway.php with Content-Type: application/x-amf containing the AMF-encoded string 'LSRoom_Remoting.doCommand'
  • Flag AMF POST bodies to /gateway.php containing the byte sequence 0x00 0x19 followed by the ASCII string 'LSRoom_Remoting.doCommand' as a high-fidelity exploit indicator
  • The exploit's default User-Agent string is a specific Fedora Firefox 3.6.17 UA; alert on this UA combined with requests to /gateway.php or /interface/interface.php on LifeSize Room appliances
  • The AMF validation request to /gateway.php contains the literal string 'LSRoom_Remoting.amfphpLogin' followed by 'LSRoom_Remoting.getHost'; detecting this compound AMF body indicates active pre-exploitation reconnaissance
  • ·Payload space is constrained to 65535 bytes by the two-byte size field in the AMF encoding; payloads exceeding this will fail
  • ·The appliance environment is limited, restricting viable payload types to 'cmd' and 'cmd_bash' with required commands 'generic' or 'bash-tcp' only
  • ·The exploit targets only LifeSize Room versions 3.5.3 (LS_RM1_3.5.3 (11)) and 4.7.18; other versions are not confirmed vulnerable
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.