CVE-2007-5637

Nortel Business Communications Manager - Unauthenticated Eavesdropping via Open Audio Stream

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5637. PoCs published by Daniel Stirnimann.

AI-analyzed exploit summary This exploit sends spoofed UNIStim messages to a Nortel IP phone to force it into surveillance mode, allowing remote eavesdropping. It brute-forces the 16-bit message ID to bypass authentication.

Description

The Nortel UNIStim IP Softphone 2050, IP Phone 1140E, and additional Nortel products from the IP Phone, Business Communications Manager (BCM), and other product lines allow remote attackers to eavesdrop on the physical environment via an Open Audio Stream message that enables "surveillance mode." NOTE: issues relating to a small ID number space can be leveraged to make this attack easier.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Daniel Stirnimann · perldoshardware

https://www.exploit-db.com/exploits/30679

View Code ZIP pw:eip

This exploit sends spoofed UNIStim messages to a Nortel IP phone to force it into surveillance mode, allowing remote eavesdropping. It brute-forces the 16-bit message ID to bypass authentication.

Classification

Working Poc 100%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Nortel IP Phone 1140E, IP Softphone 2050, and others

No auth needed

Prerequisites: Network access to the target IP phone · Knowledge of the signaling server IP address

MITRE ATT&CK