CVE-2015-4683
Published 2017-09-19
Priority: P357 | Severity: critical | Score: 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 6.87% (93.3rd percentile)
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| polycom | realpresence_resource_manager | <= 8.3.2 | — |
Detection & IOCs (extracted from sources)
- url: `/PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=../../../../../../../etc/shadow&Credentials=*VALID-USER-TOKEN*&ClientId=&FileName=`
- path: `../../../../../../../../../../../../opt/polycom/cma/current/jserver/web/ROOT.war/webshell-123.jsp`
- url: `/PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName=Conference.log`
- Detect path traversal attempts targeting /PlcmRmWeb/FileDownload with 'Modifier' parameter containing '../' sequences, especially targeting /etc/shadow or other sensitive files.
- Detect POST requests to /PlcmRmWeb/FileUpload with multipart form-data containing path traversal sequences (../../../../) in the 'Filename' or 'SE_FNAME' fields, particularly targeting .jsp webshell uploads.
- Extract valid session IDs from RPRM access log files using the regex pattern for UUIDs; session IDs exposed in GET parameters can be replayed for privilege escalation.
- Monitor for SOAP actions aa:getMCUsNetworkDevicesForList and aa:getNetworkDevicesForList against /PlcmRmWeb endpoints, which also disclose plaintext passwords.
- Alert on POST requests to /PlcmRmWeb/JUserManager with SOAPAction aa:importSipUriReservations containing path traversal sequences in the request body (e.g., ../../../../../../../../../../../../../etc/hosts).
- Monitor for new files written to /var/polycom/cma/upgrade/scripts/ by the plcm user, followed by sudo execution, as this path is writable and allows full root privilege escalation.
- Detect HTTP requests to RPRM on port 8443 where the 'Credentials' GET parameter contains a UUID-formatted session token, indicating session ID leakage via GET requests (the core CVE-2015-4683 indicator).
- The default plcm OS account uses the hardcoded password 'Polycom123', which is recoverable from the disclosed /etc/shadow hash and confirmed by the advisory.
- Vulnerability 7 (Weak/Missing Authorization) is explicitly NOT fixed in RPRM v8.4; patching to 8.4 does not fully remediate all reported issues.
- The sudoers configuration grants the plcm user broad NOPASSWD sudo rights including over writable directories, making privilege escalation trivial post-authentication.
- SOAP action aa:importUserH323Reservations is likely also vulnerable to the same path traversal/file disclosure as aa:importSipUriReservations.
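The two access-log checks from the list above (traversal in `Modifier` on /PlcmRmWeb/FileDownload, and a UUID-formatted `Credentials` value in a GET request) can be combined in one log scanner. This is an added example, not code from the advisory or from Polycom; the quoted request-line log format, the function names, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the request line appears quoted, as in common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f becomes ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log line."""
    findings = set()
    m = REQUEST_RE.search(line)
    if not m:
        return findings
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    path = fully_unquote(url.path)
    if path.startswith("/PlcmRmWeb/FileDownload"):
        for modifier in params.get("Modifier", []):
            norm = fully_unquote(modifier).replace("\\", "/")
            if "../" in norm or norm.endswith(".."):
                findings.add("traversal-in-Modifier")
    if m.group("method") == "GET" and path.startswith("/PlcmRmWeb/"):
        if any(UUID_RE.match(c) for c in params.get("Credentials", [])):
            findings.add("session-token-in-GET")
    return findings

def scan(lines):
    """Return [(line_number, sorted findings)] for lines with a finding."""
    results = ((n, sorted(classify(l))) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in results if f]

# Constructed sample lines; the first two reuse the indicator URLs listed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2015:10:00:01 +0000] "GET /PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName=Conference.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jul/2015:10:02:13 +0000] "GET /PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=../../../../../../../etc/shadow&Credentials=*VALID-USER-TOKEN*&ClientId=&FileName= HTTP/1.1" 200 901',
    '10.0.0.9 - - [01/Jul/2015:10:02:40 +0000] "GET /PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=%252e%252e%252f%252e%252e%252fetc%252fhosts&Credentials=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&ClientId=&FileName= HTTP/1.1" 200 310',
    '10.0.0.7 - - [01/Jul/2015:10:03:02 +0000] "GET /PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&FileName=Conference.log HTTP/1.1" 403 0',
]
```

Because every hit on `session-token-in-GET` means a replayable token is sitting in the log itself, treat the log files and any system they are shipped to as holding credentials.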
CVSS provenance
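| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |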
- http://packetstormsecurity.com/files/132463/Polycom-RealPresence-Resource-Manager-RPRM-Disclosure-Traversal.html
- http://seclists.org/fulldisclosure/2015/Jun/81
- http://www.securityfocus.com/archive/1/535852/100/0/threaded
- http://www.securityfocus.com/bid/75432
- https://support.polycom.com/global/documents/support/documentation/Security_Center_Post_for_RPRM_CVEs.pdf
- https://www.exploit-db.com/exploits/37449/