Polycom SoundStation IP 5000

by Vince

According to the description: "The SoundStation IP 5000 boosts productivity and reduces listener fatigue by turning ordinary conference calls into crystal-clear interactive conversations." It looks like you can still get them from CDW for about $500, although you can get them used for about $20-30. With the latest firmware, this unit is vulnerable to cross-site scripting and session hijacking. Then again, the session hijacking part is not really required because of yet another issue, but I'll get to that shortly.

The default admin password is:  456

We log in to the unit and verify that we're running the latest firmware version:

Capturing the request in Burp Suite, we see Basic Auth:

We toss this over to Decoder: 

We find that the password is Base64-encoded and stored as the cookie, which makes it ripe for stealing.

Using inspect element, I widen the field on this input box and insert some XSS to retrieve the cookie:

Because the field isn't properly sanitized, we are successful in our attempt to steal the cookie.  We can also send this over to our attacking server using any number of techniques. 
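A defensive check for the two issues above (credentials Base64-encoded in a cookie, and that cookie being readable by script), added here as an example and not code from the original post. It scans an HTTP exchange for cookie values that decode to `user:password` and for cookies set without `HttpOnly`; the traffic, host, cookie names and credentials are constructed placeholders.

```python
import base64
import binascii

# Constructed sample traffic, not captured from a real device; the host,
# cookie names and credentials are placeholders.
SAMPLE_B64 = base64.b64encode(b"exampleuser:example-password").decode()
SAMPLE_REQUEST = (
    "GET /index.htm HTTP/1.1\r\nHost: phone.example.test\r\n"
    f"Authorization: Basic {SAMPLE_B64}\r\n"
    f"Cookie: lang=en; auth_placeholder={SAMPLE_B64}\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"Set-Cookie: auth_placeholder={SAMPLE_B64}; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n\r\n"
)

def decode_credentials(value):
    """Return (user, password) if value is Base64 of 'user:password', else None."""
    token = value.strip()
    if token.lower().startswith("basic "):
        token = token[6:].strip()
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep and user and text.isprintable() else None

def headers(message, wanted):
    """Yield the values of every header named `wanted` (lowercase name)."""
    for line in message.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == wanted:
            yield value.strip()

def audit(request, response):
    """Return (finding, cookie_name) pairs for credential exposure."""
    findings = []
    for value in headers(request, "cookie"):
        for pair in value.split(";"):
            # Split on the first '=' only: Base64 padding also uses '='.
            key, _, val = pair.strip().partition("=")
            if decode_credentials(val):
                findings.append(("credentials-in-cookie", key))
    for value in headers(response, "set-cookie"):
        parts = [p.strip() for p in value.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            findings.append(("cookie-readable-by-script", parts[0].split("=")[0]))
    return findings
```

Base64 is an encoding, not encryption, so any cookie flagged as `credentials-in-cookie` exposes the password itself to whoever can read the cookie.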

There are several other vulnerabilities in this device, but due to the age of this product, I doubt anyone is concerned. Time for an upgrade!