Polycom VSX 7000 – Unauthenticated Access

The Polycom VSX 7000 by default does not require authentication for telnet, HTTP, or FTP according to the manual! It has a ‘secure mode’ that is not by default, that would add a password. Checking a system from telnet:

df ~$ telnet
Connected to
Escape character is ‘^]’.

Hi, my name is : Juice
Here is what I know about myself:
Model: VSX 7000
Serial Number: 74034702352DJF
Software Version: Release 8.5.3 – 28Feb2007 11:15
Build Information: root on engint00.austin.polycom.com
FPGA Revision: 4.3.0
Main Processor: BSP15 v0.0 ~ Core/Mem Clks 405/135 [3:4 0:3]
Time In Last Call: 0:00:43
Total Time In Calls: 19:46:06
Total Calls: 176
SNTP Time Service: off oosync
Local Time is: Fri, 13 Oct 2000 23:47:02 -0300
Network Interface: ISDN_QUAD_BRI
IP Video Number:
ISDN Video Number: 1.303.4547913
H323 Enabled: True
FTP Enabled: True
HTTP Enabled: True
SNMP Enabled: True
NIC Slot 1 SW Ver: 3.14
NIC Slot 1 Boot Ver: 2.00
23:47:02.892 D UI JVM syncEvent UI INFO: ConfigurationManager telnet_client_23.dat = {} by subsystem
23:47:02.894 D UI JVM syncEvent UI INFO: ConfigurationManager telnet_client_23_success.dat = {True} by subsystem
23:47:02.925 D UI JVM NMPAgent UI INFO: CMD: lan snmp 0 trap authok 2

-> 23:47:22.415 D SYS TERM Main commands:
23:47:22.418 D SYS TERM ? alias answer arraymic
23:47:22.418 D SYS TERM audio AudioDS audioinput AudioMode
23:47:22.418 D SYS TERM audiomute autoAnswer BassControl bond
23:47:22.418 D SYS TERM bri bufpool button call
23:47:22.418 D SYS TERM camera camerainputsignacaps channel
23:47:22.418 D SYS TERM classmonitor commChannel conference config
23:47:22.418 D SYS TERM configdelete connection ctrack date
23:47:22.418 D SYS TERM dev device dfc dial
23:47:22.419 D SYS TERM dll DTMF DTMFtone dumpds
23:47:22.419 D SYS TERM ec ecs ffs firewall
23:47:22.419 D SYS TERM forward gatekeeper getencryptionstah221
23:47:22.419 D SYS TERM h320 h323 hangup hardware
23:47:22.419 D SYS TERM help i2cd i2cr i2cw
23:47:22.419 D SYS TERM isdn jpegvidtest jvmprofile jvmtask
23:47:22.419 D SYS TERM kill lan LECDelay LECFlag
23:47:22.419 D SYS TERM light LineOut logr loopback
23:47:22.419 D SYS TERM lspci memleak memstat memtask
23:47:22.419 D SYS TERM memtrace mic modtrace module
23:47:22.420 D SYS TERM monitoroutputsigmpRouter mute nic
23:47:22.420 D SYS TERM NumOfMicPods play plink pointmakerapieve
23:47:22.420 D SYS TERM potscall potshangup PresetChangeNotiPresetClearNotif
23:47:22.420 D SYS TERM prof qos quiet quit
23:47:22.420 D SYS TERM r2d2setoutres reboot RecordLEC RecordMix2
23:47:22.420 D SYS TERM RecordRP RecordSnake registrarServer RPenable
23:47:22.420 D SYS TERM RPProbe rxbas sconfig sema
23:47:22.420 D SYS TERM sendcommands serial setgsw sethfs
23:47:22.420 D SYS TERM sh_button sh_callstats sh_listenphone sh_listenvideo
23:47:22.420 D SYS TERM sh_systemstatus shellHelp sip sipconfig
23:47:22.420 D SYS TERM sipDebug snapshotframeaddspeaker spewcheck
23:47:22.420 D SYS TERM spk stask staskstack stream
23:47:22.421 D SYS TERM syscap syslog system task
23:47:22.421 D SYS TERM taskstack temp termid timer
23:47:22.421 D SYS TERM tone trace transfer TrebleControl
23:47:22.421 D SYS TERM txbas upnp uptime v35
23:47:22.421 D SYS TERM vdisplay vga vid26ldiag vid26le
23:47:22.421 D SYS TERM viddec videnc videocpseths videocpsethsbord
23:47:22.421 D SYS TERM videocpstarths videodecoderunfrvideoencodeadd videoencodealloc
23:47:22.421 D SYS TERM videoencodefree videoencoderemovvideoframeadd videoframemove
23:47:22.421 D SYS TERM videoframeremovevideoinput videooutput videosnapshotrem
23:47:22.421 D SYS TERM vidloopback vidquery vidtest wav
23:47:22.421 D SYS TERM WavGain writetoport writetoportln
23:47:22.422 D (NOCAT) 23:47:22.422 D SYS TERM Main commands:
23:47:22.422 D SYS TERM ? alias bufpool channel
23:47:22.422 D SYS TERM config configdelete dev device
23:47:22.422 D SYS TERM dfc dll dumpds hardware
23:47:22.422 D SYS TERM help kill logr lspci
23:47:22.422 D SYS TERM memleak memstat memtask memtrace
23:47:22.422 D SYS TERM modtrace module prof quiet
23:47:22.422 D SYS TERM quit reboot sconfig sema
23:47:22.422 D SYS TERM sendcommands serial setgsw sethfs
23:47:22.422 D SYS TERM shellHelp sipconfig stask staskstack
23:47:22.422 D SYS TERM syscap syslog system task
23:47:22.422 D SYS TERM taskstack timer trace uptime
23:47:22.422 D (NOCAT)

That is full admin access to the device it seems! You can also get the same information and do configuration via the web page at can get same info from http://target/a_main.htm. You can even use remote monitoring to see a call in progress, or cam if no call in progress!



Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: