ExploitFixes
Polycom IP Phone Web Interface Data Diclosure Vulnerability 2011-06-09 14:15:08

# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: [email protected]
#
# -----------------------------------
# Polycom IP Phone is vulnerable for a data disclosure, the following will explain you how to read the password..
# The vulnerabilitu allows an unprivileged attacker to read the sip details including password.
# The vulnerablities are in:
# * DATA DISCLOSURE - Password disclosure: http://127.0.0.1/reg_1.htm
#-----------------------------------
# Vulnerability Title: Polycom IP Phone Web Interface Data Diclosure Vulnerability
# Date: 08/06/2011
# Author: Pr0T3cT10n
# Website Link: http://www.polycom.com
# Tested on Version: ALL
# ISRAEL
###
###### NOTE: The Polycom ip phone software is also vulnerability for unauthorized person to access the web interface.
###### It happen because there is no password thats protects the interface.
###### Anyway, the default username and password are username "Polycom" and password "456"
## DATA DISCLOSURE:
# The data disclosure vulnerability found in the section of 'Lines' -> 'Line 1' of 'Polycom IP Phone' software.
# The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected.
# To exploit the vulnerability and discluse the data we need to access to the 'Polycom IP Phone' by this url 'http://address/reg_1.htm'.
# Then we can see in the source code by the field 'reg.1.auth.password' and then we see the magic! thats is the password for the username by the sip server.
# Now if we already have the sip server, username and password so we can connect to it with any softphone and make our calls.
##
# Yours, Pr0T3cT10n.