
Professional videoconferencing system as a spy

March 19, 2013 | Telepresence Options

Story and Images by Uli Ries / The H Security

Over a period of two months, Moritz Jodeit from German IT security specialists n.runs discovered various vulnerabilities in Polycom's HDX series. The researcher presented the results of his work at the Black Hat Europe security conference. According to the manufacturer, these videoconferencing systems are used in numerous large companies worldwide.

Having gained local root access via the Polycom system's undocumented "developer" mode, Jodeit started analysing the individual software components. Among these components is a module that generally handles system communication as well as the H.323 and SIP protocols. When investigating the components, the researcher discovered various bugs and hints of further bugs, such as 800 references to strcpy(), a function that is widely shunned as dangerous because it performs no bounds checking.

One bug is related to the handling of the H.323 protocol: to establish a call or video conference, a single SETUP packet is sent to port 1720. Polycom systems automatically process these packets even if the automated call answering feature is disabled. The SETUP packet contains an information element called "display".

The code that processes this element contains a format string bug that allows attackers to set arbitrary values through it. By making use of a large number of SETUP packets, Moritz Jodeit gradually managed to deploy shellcode in the memory of the Polycom device and create a remote root shell. As the firmware contained no defence mechanisms such as ASLR or DEP, the researcher could reliably store and, later, jump into the code.
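To show the bug class described above from the defender's side, here is an added example (not Polycom's code and not part of the original article) that keeps an untrusted "display" string out of the format argument and counts printf directives in it for logging. The names `log_display_safe` and `count_directives`, the `DISPLAY_MAX` cap and the sample input are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define DISPLAY_MAX 82 /* assumed length cap for this example */

/* Vulnerable pattern, shown only as a comment:
 *     snprintf(out, outsz, (const char *)ie);
 * The untrusted bytes become the format, so printf interprets any
 * conversion directive (%x, %s, %n, ...) the sender put in them. */

/* Hardened form: the format is a constant, the untrusted bytes are data. */
int log_display_safe(char *out, size_t outsz,
                     const unsigned char *ie, size_t ie_len)
{
    if (out == NULL || outsz == 0 || ie == NULL)
        return -1;
    if (ie_len > DISPLAY_MAX)
        ie_len = DISPLAY_MAX;
    /* %.*s reads at most ie_len bytes; the element need not be NUL-terminated */
    int n = snprintf(out, outsz, "display=\"%.*s\"", (int)ie_len, (const char *)ie);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n; /* -1 on truncation */
}

/* Detection aid: count printf directives in untrusted bytes so the event
 * can be logged or alerted on. "%%" is a literal percent sign, not a directive. */
size_t count_directives(const unsigned char *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] != '%')
            continue;
        if (i + 1 < len && s[i + 1] == '%') {
            i++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample input, not taken from a real SETUP packet */
    const unsigned char ie[] = "Alice %s%n 100%%";
    char out[64];
    if (log_display_safe(out, sizeof out, ie, sizeof ie - 1) > 0)
        printf("%s (directives: %zu)\n", out, count_directives(ie, sizeof ie - 1));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the commented-out pattern wherever it appears in real code.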
