Polycom IP Phone Web Interface Data Diclosure Vulnerability

vendor:

Polycom IP Phone

by:

Pr0T3cT10n

8.3

CVSS

HIGH

Data Disclosure

200

CWE

Product Name: Polycom IP Phone

Affected Version From: All

Affected Version To: All

Patch Exists: Yes

Related CWE: None

CPE: a:polycom:polycom_ip_phone

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2011

Polycom IP Phone Web Interface Data Diclosure Vulnerability

The data disclosure vulnerability found in the section of 'Lines' -> 'Line 1' of 'Polycom IP Phone' software. The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected. To exploit the vulnerability and discluse the data we need to access to the 'Polycom IP Phone' by this url 'http://address/reg_1.htm'. Then we can see in the source code by the field 'reg.1.auth.password' and then we see the magic! thats is the password for the username by the sip server.

Mitigation:

Ensure that the web interface of the Polycom IP Phone is password protected and that only authorized users have access to it.

Source

Exploit-DB raw data:

#     _             ____  __            __    ___
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/ 
#                   Live by the byte     |_/_/ 
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# Polycom IP Phone is vulnerable for a data disclosure, the following will explain you how to read the password..
# The vulnerabilitu allows an unprivileged attacker to read the sip details including password.
# The vulnerablities are in:
# * DATA DISCLOSURE - Password disclosure: http://127.0.0.1/reg_1.htm
#-----------------------------------
# Vulnerability Title: Polycom IP Phone Web Interface Data Diclosure Vulnerability
# Date: 08/06/2011
# Author: Pr0T3cT10n
# Website Link: http://www.polycom.com
# Tested on Version: ALL
# ISRAEL
###
###### NOTE: The Polycom ip phone software is also vulnerability for unauthorized person to access the web interface.
###### It happen because there is no password thats protects the interface.
###### Anyway, the default username and password are username "Polycom" and password "456"
## DATA DISCLOSURE:
# The data disclosure vulnerability found in the section of 'Lines' -> 'Line 1' of 'Polycom IP Phone' software.
# The vulnerability allows the attacker to disclosure the password of the username for the phone line that connected.
# To exploit the vulnerability and discluse the data we need to access to the 'Polycom IP Phone' by this url 'http://address/reg_1.htm'.
# Then we can see in the source code by the field 'reg.1.auth.password' and then we see the magic! thats is the password for the username by the sip server.
# Now if we already have the sip server, username and password so we can connect to it with any softphone and make our calls.
##
# Yours, Pr0T3cT10n.