CVE-2011-2763
published 2011-09-02CVE-2011-2763: The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to…
PriorityP267high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
36.12%
98.3th percentile
The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lifesize | lifesize_room_appliance_software | — | — |
| lifesize | lifesize_room_appliance_software | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\x00\x00\x00\x00\x00\x01\x00\x19LSRoom_Remoting.doCommand\x00\x02\x2f\x37\xff\xff\xff\xff\x0a\x00\x00\x00\x02\x02
bytes↗
\x00\x00\x00\x00\x00\x02\x00\x1bLSRoom_Remoting.amfphpLogin\x00\x02/1\x00\x00\x00\x05\x0a\x00\x00\x00\x00\x00\x17LSRoom_Remoting.getHost\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00
- →Detect exploit attempts by monitoring POST requests to /gateway.php with Content-Type: application/x-amf containing the AMF-encoded string 'LSRoom_Remoting.doCommand' ↗
- →Flag AMF POST bodies to /gateway.php containing the byte sequence 0x00 0x19 followed by the ASCII string 'LSRoom_Remoting.doCommand' as a high-fidelity exploit indicator ↗
- →The exploit's default User-Agent string is a specific Fedora Firefox 3.6.17 UA; alert on this UA combined with requests to /gateway.php or /interface/interface.php on LifeSize Room appliances ↗
- →The AMF validation request to /gateway.php contains the literal string 'LSRoom_Remoting.amfphpLogin' followed by 'LSRoom_Remoting.getHost'; detecting this compound AMF body indicates active pre-exploitation reconnaissance ↗
- ·Payload space is constrained to 65535 bytes by the two-byte size field in the AMF encoding; payloads exceeding this will fail ↗
- ·The appliance environment is limited, restricting viable payload types to 'cmd' and 'cmd_bash' with required commands 'generic' or 'bash-tcp' only ↗
- ·The exploit targets only LifeSize Room versions 3.5.3 (LS_RM1_3.5.3 (11)) and 4.7.18; other versions are not confirmed vulnerable ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
LifeSize Room - Command Injection (Metasploit)
exploitdb·2011-08-28
CVE-2011-2763 LifeSize Room - Command Injection (Metasploit)
LifeSize Room - Command Injection (Metasploit)
---
require 'msf/core'
class Metasploit3 'LifeSize Room Command Injection',
'Description' => %q{
This module exploits a vulnerable resource in LifeSize
Room versions 3.5.3 and 4.7.18 to inject OS commmands. LifeSize
Room is an appliance and thus the environment is limited
resulting in a small set of payload options.
},
'Author' =>
[
'Spencer McIntyre',
# Special Thanks To Chris Murrey
'SecureState R&D Team'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 6 $',
'References' =>
[
[ 'CVE', '2011-2763' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 65535, # limited by the two byte size in the AMF encoding
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp',
}
},
'Platform' => [
Metasploit
LifeSize Room Command Injection
metasploit
LifeSize Room Command Injection
LifeSize Room Command Injection
This module exploits a vulnerable resource in LifeSize Room versions 3.5.3 and 4.7.18 to inject OS commands. LifeSize Room is an appliance and thus the environment is limited resulting in a small set of payload options.
No writeups or analysis indexed.
http://securityreason.com/securityalert/8363http://securityreason.com/securityalert/8527http://www.exploit-db.com/exploits/17743http://www.kb.cert.org/vuls/id/213486http://www.securestate.com/Documents/LifeSize_Room_Advisory.txthttp://www.securityfocus.com/archive/1/519463/100/0/threadedhttp://www.securityfocus.com/bid/49330https://exchange.xforce.ibmcloud.com/vulnerabilities/69444http://securityreason.com/securityalert/8363http://securityreason.com/securityalert/8527http://www.exploit-db.com/exploits/17743http://www.kb.cert.org/vuls/id/213486http://www.securestate.com/Documents/LifeSize_Room_Advisory.txthttp://www.securityfocus.com/archive/1/519463/100/0/threadedhttp://www.securityfocus.com/bid/49330https://exchange.xforce.ibmcloud.com/vulnerabilities/69444
2011-09-02
Published