22 December 2012
Bugs in the boardroom? They're already there
Despite an ongoing joke otherwise, I did not create SHODAN. On the other hand, I have blogged and presented about SHODAN in the past, and I was one of the first people to recognize the impact of SHODAN on vulnerability identification analysis.
During a recent engagement for one of my clients, I came across an unsecured instance of a Polycom web interface; in other words, this web interface required zero authentication to access all of its options (including, quite obviously, its administrative options).
I developed two searches to locate these devices. The first search finds results for telnet sessions associated with these Polycom devices. To be sure, this is more of an information search to show you how many of these sorts of devices are out there (and exposed to the Internet).
The second search is more useful: it relies on a unique HTTP response and returns exposed web interfaces for these Polycom devices. Many of these instances require additional administrative authentication, but some do not. Even though some of these devices require additional authentication, it seems at least mildly surprising that some of them are exposed to the Internet, among them: "Fargo Cass Co District Court Rm 5," and "British Embassy - Brasilia."
Here are the most common options on the front page:
The difference should be immediately apparent: by clicking on "Admin Settings" on the top bar, you will either be prompted for a password or not. Here (when no password is required), we are taken to the Admin Settings page and every option is available to us, including remote administration and monitoring.
Low-hanging fruit to be sure, but it will literally give you eyes and ears into the conference room.