Professional videoconferencing system as a spy
Over a period of two months, Moritz Jodeit from German IT security specialists n.runs discovered various vulnerabilities in Polycom's HDX series. The researcher presented the results of his work at the Black Hat Europe security conference. According to the manufacturer, these videoconferencing systems are used in numerous large companies worldwide.
Having gained local root access via the Polycom system's undocumented "developer" mode, Jodeit started analysing the individual software components. Among these components is a module that generally handles system communication as well as the H.323 and SIP protocols. When investigating the components, the researcher discovered various bugs and hints of bugs such as 800 references to the dangerous, and therefore ostracised,
One bug is related to the handling of the H.323 protocol: to establish a call or video conference, a single SETUP packet is sent to port 1720. Polycom systems automatically process these packets even if the automated call answering feature is disabled. The setup packet contains an information element called "display".
It is the code for processing this element that contains a format string bug that allows attackers to set arbitrary values using this element. By making use of a large number of SETUP packets, Moritz Jodeit gradually managed to deploy shell code in the memory of the Polycom device and create a remote root shell. As the firmware contained no defence mechanisms such as ASLR or DEP, the researcher could reliably store and, later, jump into the code.
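The two paragraphs above describe the mechanics: a Q.931 SETUP message arrives on TCP port 1720, the parser pulls out the Display information element, and that untrusted text ends up as a printf-style format string. The following C program is an added example, not code from the article, from n.runs or from Polycom. It uses the standard Q.931 codes (protocol discriminator 0x08, SETUP message type 0x05, Display IE 0x28) to walk the IEs of a SETUP message, counts format directives in the Display IE so a monitoring point can alert on them, and shows the hardened logging form in which the format string stays constant. The sample messages and the bearer-capability filler bytes are constructed for the example; nothing here is captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Q.931 constants used by H.225 call signalling on TCP port 1720.
 * The codes are standard Q.931; everything else in this file is a
 * constructed example, not Polycom or n.runs code. */
#define Q931_PD_CALL_CONTROL 0x08 /* protocol discriminator */
#define Q931_MSG_SETUP       0x05
#define Q931_IE_DISPLAY      0x28

/* Walk the IEs of a Q.931 message and return a pointer to the Display IE
 * contents (length in *ie_len), or NULL if the message is not a SETUP,
 * has no Display IE, or an IE length runs past the buffer. */
static const unsigned char *find_display_ie(const unsigned char *msg, size_t msg_len, size_t *ie_len)
{
    if (msg_len < 3 || msg[0] != Q931_PD_CALL_CONTROL)
        return NULL;
    size_t pos = 2 + (msg[1] & 0x0f);          /* skip the call reference */
    if (pos >= msg_len || msg[pos] != Q931_MSG_SETUP)
        return NULL;
    pos++;
    while (pos < msg_len) {
        unsigned char id = msg[pos];
        if (id & 0x80) {                        /* single-octet IE (e.g. shift) */
            pos++;
            continue;
        }
        if (pos + 1 >= msg_len)
            return NULL;
        size_t len = msg[pos + 1];
        if (len > msg_len - pos - 2)            /* IE claims more bytes than present */
            return NULL;
        if (id == Q931_IE_DISPLAY) {
            *ie_len = len;
            return msg + pos + 2;
        }
        pos += 2 + len;
    }
    return NULL;
}

/* Count printf conversion directives in untrusted text. A display name
 * sent by a legitimate endpoint contains none; "%%" is a literal percent. */
static int count_format_directives(const unsigned char *s, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] != '%')
            continue;
        if (i + 1 < len && s[i + 1] == '%') { i++; continue; }
        n++;
    }
    return n;
}

/* Detection helper: -1 if the message carries no usable Display IE,
 * otherwise the number of directives found (anything above 0 is alert-worthy). */
int scan_setup_display(const unsigned char *msg, size_t msg_len)
{
    size_t len = 0;
    const unsigned char *ie = find_display_ie(msg, msg_len, &len);
    if (ie == NULL)
        return -1;
    return count_format_directives(ie, len);
}

/* The bug class in the article is a call of the shape
 *     printf(display);        -- attacker-supplied text used as the format
 * The hardened form keeps the format string constant and passes the IE as
 * data with an explicit length, so '%' characters in it are inert. */
char g_log_line[128];

int log_setup_display(const unsigned char *msg, size_t msg_len)
{
    size_t len = 0;
    const unsigned char *ie = find_display_ie(msg, msg_len, &len);
    if (ie == NULL)
        return -1;
    return snprintf(g_log_line, sizeof g_log_line,
                    "H.323 SETUP display=\"%.*s\"", (int)len, (const char *)ie);
}

/* Constructed sample messages (not captured traffic). Layout: protocol
 * discriminator, call reference length 1, call reference, SETUP, IEs. */
const unsigned char SETUP_BENIGN[] = {
    0x08, 0x01, 0x01, 0x05,
    0x04, 0x03, 0x88, 0x18, 0xa5,                          /* bearer capability, filler content */
    0x28, 0x05, 'A', 'l', 'i', 'c', 'e',                   /* display "Alice" */
    0x70, 0x04, 0x80, '1', '0', '1'                        /* called party number */
};
const unsigned char SETUP_SUSPICIOUS[] = {
    0x08, 0x01, 0x01, 0x05,
    0x28, 0x09, '%', '0', '8', 'x', '.', '%', '0', '8', 'x' /* display "%08x.%08x" */
};
const unsigned char SETUP_TRUNCATED[] = {
    0x08, 0x01, 0x01, 0x05,
    0x28, 0x20, 'B', 'o', 'b'                              /* length 32, only 3 bytes follow */
};

int main(void)
{
    printf("benign: %d directive(s)\n", scan_setup_display(SETUP_BENIGN, sizeof SETUP_BENIGN));
    printf("suspicious: %d directive(s)\n", scan_setup_display(SETUP_SUSPICIOUS, sizeof SETUP_SUSPICIOUS));
    printf("truncated: %d\n", scan_setup_display(SETUP_TRUNCATED, sizeof SETUP_TRUNCATED));
    if (log_setup_display(SETUP_SUSPICIOUS, sizeof SETUP_SUSPICIOUS) > 0)
        puts(g_log_line);
    return 0;
}
```

The length check in `find_display_ie` is what makes the parser safe to point at arbitrary input: a SETUP whose Display IE announces more bytes than the message holds is rejected rather than read past the end. The detection count is deliberately coarse (any unescaped `%`), which is appropriate for a field that should never carry format directives at all; the hardened logger shows the fix at the code level, which no amount of network-side filtering substitutes for.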
The demonstration of the security hole was almost fit for a circus: the hacker used wget to load further malicious code onto the Linux-based device; this prompted the system to play a continuous loop of circus music while the remotely controlled camera panned from left to right and the display showed "Pwned!" across the screen. Of course, a real attack would be silent and would intercept the camera image or monitor the room via the microphone.
Moritz Jodeit was very positive about Polycom's cooperation after he presented his findings to the company. Efforts resulted in a firmware update (version 220.127.116.11) that went online a day ahead of the Black Hat presentation. Talking to The H's associates at heise Security, Jodeit explained that the configuration software for the Polycom hardware has no auto-update feature. Administrators will, therefore, need to update manually.
Incidentally, when analysing the firmware, Jodeit found that the Polycom developers had hard-coded the key for encrypting the firmware files into the file. The key is "weAREtheCHAMPIONS".
(Uli Ries / djwm)