Full Disclosure mailing list archives

Re: Polycom hacking

From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 26 Jun 2007 13:37:02 -0500

--On Tuesday, June 26, 2007 14:15:51 -0400 "J. Oquendo"<sil () infiltrated net> wrote:

Paul Schmehl wrote:

Is anyone aware of any work done in the field of hacking Polycom
video-conferencing devices?  Or any known hacks for Polycom devices?

Hey Paul,

I have a modified version of Asteroid lying on one of my
servers that affected Polycoms, Snoms, Hitachi WiFi's,
and possibly a few others.

Offhand you could with high probability generate a hangup
DoS if you know enough about the network topology. E.g.:

   BYE sip:victim.phone.com SIP/2.0
   Via: SIP/2.0/TCP spoofed.pbx.server.com:5060
   Max-Forwards: 70
   From: Spoofed <sip:spoofed.pbx.server.com>
   To: VICTIM <sip:victim () victim phone com>
   Call-ID: $GENERATE_CID_NUMBER () victim phone com
   CSeq: 1 BYE
   Content-Length: 0

You could take a look at Asteroid and target a Polycom
with it. I haven't bothered much with them. Cisco's
aren't vuln to much I've thrown at them yet.
(greetings Dario@^C*).

As for video (H323) check out voippong: You may be able
to intercept the audio streams out of the conference
depending on the setup. (Asterisk doesn't do H323)...
Maybe a combination of Yates, VoIPPong and others. HTH

http://www.enderunix.org/voipong/
http://www.infiltrated.net/asteroid/
http://www.voipsa.org/Resources/tools.php

Thanks. I'm not that interested in DoSes, but I'm thinking that you couldmget the entire contents, alter them to your satisfaction and then mputthem. Don't know how much memory these things have yet, but you ought tobe able to iframe silent installs of malware, script the capture of allaudio and video traffic from/to the device, etc. Could be quiteinteresting.


--
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Polycom hacking Paul Schmehl (Jun 26)
- Re: Polycom hacking StaticRez (Jun 26)
- Re: Polycom hacking J. Oquendo (Jun 26)
  - Re: Polycom hacking Paul Schmehl (Jun 26)
    - Re: Polycom hacking J. Oquendo (Jun 26)
- <Possible follow-ups>
- Re: Polycom hacking b . hines (Jun 26)
  - Re: Polycom hacking Paul Schmehl (Jun 26)
- Re: Polycom hacking Paul Schmehl (Jun 27)
  - Re: Polycom hacking Peter Dawson (Jun 28)
    - Re: Polycom hacking Paul Schmehl (Jun 29)