The future home of a lot of POCs. The POCs are done, I'm just writing things up and requesting CVEs.
Already posted:
Sipp POC of my zero day.
Affected SIP FW versions: 8.6 (and older, presumably).
Confirmed vulnerable versions: 8.6
Confirmed not vulnerable: 8.7, 8.8, 8.9.
Untested: 8.5-, 8.10, 8.11, 8.12
Coming Soon:
POC of my zero day.
Affected SIP FW versions: 8.6 (and older, presumably).
Confirmed vulnerable versions: 8.6
Confirmed not vulnerable: 8.7, 8.8, 8.9.
Untested: 8.5-, 8.10, 8.11, 8.12
POC of my zero day.
Vulnerable SIP FW versions: 8.6, 8.7, 8.8, 8.9.
Confirmed not vulnerable: None
Untested: 8.5-, 8.10, 8.11, 8.12
POC of a bug that already has a CVE, but no known POCs:
https://nvd.nist.gov/vuln/detail/CVE-2008-0528
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080213-phone
Vulnerable SIP FW versions: 8.7-
Confirmed vulnerable versions: 8.6
Fixed in 8.8
My POCs include:
- Dump arbitrary DWORDs to the Telnet debug terminal, script to do this on a range and scrape the results
- This is how I obtained an unencrypted copy of the firmware, one DWORD at a time.
- "Hello World" printed to screen
- Change the outgoing CallerID name to a payload that crashes any 7940/7960 you call with this phone >:)
- Hack the TFTP server of phone config and have the rebooting phones grab that same CallerID-of-Death and spread the fun!
- Change arbitrary memory and settings, e.g. set the ringer to silent, set phone to auto answer with the room mic on -- basically turn the phone into a bug in their office.
- I can probably remotely write the change to flash, too, but I've already bricked enough of these phones already, down to 2...
- Set the LEDs on or off
- Turn off the activity LED when using the phone as an office bug
- Make a row of phones' LEDs blink like a Cylon or KITT.
- Enable the Telnet debug server on phone and start it without rebooting the phone -- something Cisco CallManager/Unified Communications Manager is incapable of doing!!!
- Change the Telnet debug password to something you know, of course.
- Change the background image of the phone to any image hosted online
- Write arbitrary pixels to the screen. This is super slow and clunky and randomly gets erased, but I managed to display a cat with Nicolas Cage's face, so well worth the effort.