Paul Schmehl wrote:Is anyone aware of any work done in the field of hacking Polycom video-conferencing devices? Or any known hacks for Polycom devices?Hey Paul, I have a modified version of Asteroid lying on one of my servers that affected Polycoms, Snoms, Hitachi WiFi's, and possibly a few others. Offhand you could with high probability generate a hangup DoS if you know enough about the network topology. E.g.: BYE sip:victim.phone.com SIP/2.0 Via: SIP/2.0/TCP spoofed.pbx.server.com:5060 Max-Forwards: 70 From: Spoofed <sip:spoofed.pbx.server.com> To: VICTIM <sip:victim@xxxxxxxxxxxxxxxx> Call-ID: $GENERATE_CID_NUMBER@xxxxxxxxxxxxxxxx CSeq: 1 BYE Content-Length: 0 You could take a look at Asteroid and target a Polycom with it. I haven't bothered much with them. Cisco's aren't vuln to much I've thrown at them yet. (greetings Dario@^C*). As for video (H323) check out voippong: You may be able to intercept the audio streams out of the conference depending on the setup. (Asterisk doesn't do H323)... Maybe a combination of Yates, VoIPPong and others. HTH http://www.enderunix.org/voipong/ http://www.infiltrated.net/asteroid/ http://www.voipsa.org/Resources/tools.php
Thanks. I'm not that interested in DoSes, but I'm thinking that you could mget the entire contents, alter them to your satisfaction and then mput them. Don't know how much memory these things have yet, but you ought to be able to iframe silent installs of malware, script the capture of all audio and video traffic from/to the device, etc. Could be quite interesting.
-- Paul Schmehl (pauls@xxxxxxxxxxxx) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
p7sThfYA4Y7qw.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/