lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 26 Jun 2007 13:37:02 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Polycom hacking

--On Tuesday, June 26, 2007 14:15:51 -0400 "J. Oquendo" 
<sil@...iltrated.net> wrote:

> Paul Schmehl wrote:
>> Is anyone aware of any work done in the field of hacking Polycom
>> video-conferencing devices?  Or any known hacks for Polycom devices?
>>
> Hey Paul,
>
> I have a modified version of Asteroid lying on one of my
> servers that affected Polycoms, Snoms, Hitachi WiFi's,
> and possibly a few others.
>
> Offhand you could with high probability generate a hangup
> DoS if you know enough about the network topology. E.g.:
>
>    BYE sip:victim.phone.com SIP/2.0
>    Via: SIP/2.0/TCP spoofed.pbx.server.com:5060
>    Max-Forwards: 70
>    From: Spoofed <sip:spoofed.pbx.server.com>
>    To: VICTIM <sip:victim@...tim.phone.com>
>    Call-ID: $GENERATE_CID_NUMBER@...tim.phone.com
>    CSeq: 1 BYE
>    Content-Length: 0
>
> You could take a look at Asteroid and target a Polycom
> with it. I haven't bothered much with them. Cisco's
> aren't vuln to much I've thrown at them yet.
> (greetings Dario@^C*).
>
> As for video (H323) check out voippong: You may be able
> to intercept the audio streams out of the conference
> depending on the setup. (Asterisk doesn't do H323)...
> Maybe a combination of Yates, VoIPPong and others. HTH
>
> http://www.enderunix.org/voipong/
> http://www.infiltrated.net/asteroid/
> http://www.voipsa.org/Resources/tools.php

Thanks.  I'm not that interested in DoSes, but I'm thinking that you could 
mget the entire contents, alter them to your satisfaction and then mput 
them.  Don't know how much memory these things have yet, but you ought to 
be able to iframe silent installs of malware, script the capture of all 
audio and video traffic from/to the device, etc.  Could be quite 
interesting.

-- 
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Content of type "application/pkcs7-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists