Polycom IP Phone - Web Interface Data Disclosure

EDB-ID:

17377

CVE:





Platform:

Hardware

Date:

2011-06-09


#     _             ____  __            __    ___
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/ 
#                   Live by the byte     |_/_/ 
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# Polycom IP Phone is vulnerable for a data disclosure, the following will explain you how to read the password..
# The vulnerabilitu allows an unprivileged attacker to read the sip details including password.
# The vulnerablities are in:
# * DATA DISCLOSURE - Password disclosure: http://127.0.0.1/reg_1.htm
#-----------------------------------
# Vulnerability Title: Polycom IP Phone Web Interface Data Diclosure Vulnerability
# Date: 08/06/2011
# Author: Pr0T3cT10n
# Website Link: http://www.polycom.com
# Tested on Version: ALL
# ISRAEL
###
###### NOTE: The Polycom ip phone software is also vulnerability for unauthorized person to access the web interface.
###### It happen because there is no password thats protects the interface.
###### Anyway, the default username and password are username "Polycom" and password "456"
## DATA DISCLOSURE:
# The data disclosure vulnerability found in the section of 'Lines' -> 'Line 1' of 'Polycom IP Phone' software.
# The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected.
# To exploit the vulnerability and discluse the data we need to access to the 'Polycom IP Phone' by this url 'http://address/reg_1.htm'.
# Then we can see in the source code by the field 'reg.1.auth.password' and then we see the magic! thats is the password for the username by the sip server.
# Now if we already have the sip server, username and password so we can connect to it with any softphone and make our calls.
##
# Yours, Pr0T3cT10n.