Firmware Audited: Build date: Mon Aug 28 07:08:05 CDT 2017 Build host: ausbuildlifesizecodecicon02 (127.0.1.1) Build location: http://artifacts.lifesize.com/artifactory/lifesize.icon.production/lifesize.icon.production.master.sequoia.full-3.4.0.2268.tar.gz Build version: LS_RM3_3.4.0 (2268) Build type: PRODUCTION Build target: sequoia SVN; SVN%
Findings:
- Exposed ssh out of the box
- Username admin, password admin
- Ssh host private key was easily extracted from firmware update dump
- Exposes an sftp server with public key access only
- Private key was easily extracted from firmware dump
- Access filtered only by local ip address
- Running linux kernel 2.6.37
- 6 years old
- 100+ known vulns http://www.cvedetails.com/version/123871/Linux-Linux-Kernel-2.6.37.html
- Glibc 2.9
- Firmware Signing
- Bootloader image verification pubkey in unsigned/unsecured bootloader
- Firmware signature verification is not enforced via fuse array or other immutable measure. Can be easily bypassed allowing installation of a malicious payload.
Version: Chrome Web Store release as of 09/0/17
Findings:
- Full access to browser history and *.lifesize.com domains
- Jquery 2.1.4
- 3 years old
- Not needed at all in chrome which provides all the needed APIs in native javascript
- Known XSS and DoS vulns https://snyk.io/test/npm/jquery/2.1.4
- NPM dependencies are locked using only fuzzy versions and no hash locking. Dependency attacks are on the table if no other mitigations are present.