Poly Inc., formerly Polycom, is a corporation that develops video and voice communication technology. Their business desk and conference IP phones are popular and commonly used in enterprise business environments.
modzero identified several vulnerabilities in the Poly CCX series, a business media desk phone and the Poly Trio series, which are smart conference phones. It is confirmed by the vendor that other devices are also vulnerable to some of the same attacks, as they share many software components. The discovered vulnerabilities can be combined to take over a device either through the local network or with physical access to it. An attacker could then employ the device to eavesdrop using the built-in microphones or reroute incoming and outgoing calls. It would also be possible to install malicious applications, attack the connected network or perform phishing attacks on users by prompting for their credentials.
The session tokens generated for the different Poly devices' web management interfaces are using weak randomness. Effectively all tokens generated in the span of a second have the same value and the tokens can be predicted by an attacker due to a deterministic algorithm based on the time in seconds. An attacker with network access can continuously generate valid session tokens for the web management interface, trying to authenticate with them, eventually stealing an administrator session once they log in. One of the discovered vulnerabilities allows an attacker to crash the devices with an unauthenticated HTTP request. They may thus provoke an administrator to log into the Poly device’s web management interface thereby enabling the session takeover.
An attacker can then leverage the lack of password protection in the configuration import to override the currently set password and gain persistence on the device. From here, an attacker has multiple options to elevate their access:
On older devices such as the Trio 8800, they can enable a diagnostics Telnet shell and use a command injection vulnerability to gain full control with root privileges. If they attack a device where the command injection has been patched, for example the Poly CCX 400, they can use the management interface to roll back the firmware to an older, vulnerable version and exploit it the same way afterwards.
An attacker with physical access but without administrative privileges can gain these on Trio devices with internet connection, by registering them with Poly’s management cloud called Lens. This can be achieved by navigating to a menu which is not password-protected and using the displayed cloud registration code.
With administrative access on Trio devices an attacker can enable the “Test Automation” mode on the device by solving a challenge-response problem posed by the device. By reverse-engineering the algorithm behind the challenge, modzero was able to create a proof-of-concept tool for generating valid responses to these challenges. The only required information is the device’s MAC address, which is printed on the bottom of the device. Once the mode is enabled, the devices start an ADB and Telnet daemon on boot. Both allow unauthenticated shell-level access to the device, to run arbitrary code.
Products that were tested by modzero:
| Finding | CCX (8.1.3.1301) | Trio 8800 (7.2.6.0019) | Trio C60 (8.1.3.1300) |
|---|---|---|---|
| Administrator Session Prediction | Vulnerable | Vulnerable | Vulnerable |
| Denial of Service Through HTTP Request | Vulnerable | Vulnerable | Vulnerable |
| OS Command Injection in Diagnostics-Telnet | <8.0.2.3267 | Vulnerable | <8.0.2.3266 |
| Configuration Import Allows Unverified Password Change | Vulnerable | Vulnerable | Vulnerable |
| Missing Firmware Anti-Rollback Protection | Vulnerable | Vulnerable | Vulnerable |
| Backdoor-Mode Allows Telnet Root Access | Not Affected | Vulnerable | Not Affected |
| Missing Authorization for Cloud Registration Code | Not Affected | Vulnerable | Vulnerable |
While not explicitly verified by modzero, the vendor noted that the following devices or product lines are affected at least in part:
- Trio 8300/8500/8800/C60
- CCX
- VVX
- Edge E
Further details by the vendor will be published on the respective product pages or at the HP security bulletin site.
The full disclosure report can be found on the advisory page. The proof-of-concept code will be published in January 2024 on our GitHub.