Network Security Exploits-HackingTools

[NEWS] Notify Message Spoofing Vulnerability With VoIP Phones

Subject: [NEWS] Notify Message Spoofing Vulnerability With VoIP Phones
Date: 11 Jul 2005 12:54:52 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  Notify Message Spoofing Vulnerability With VoIP Phones
------------------------------------------------------------------------


SUMMARY

The Session Initiation Protocol (SIP) is an application-layer control 
(signaling) protocol for creating, modifying and terminating sessions with 
one or more participants. These sessions include Internet multimedia 
conferences, Internet telephone calls, multimedia distribution and instant 
messaging. The SIP protocol is described in RFC3261 (with extensions 
contained in RFC3265).

Because they ignore the value of 'Call-ID' (and even 'tag' and 'branch') 
while processing NOTIFY messages, VoIP hard-phones are vulnerable to 
spoofing of status messages such as "Messages-Waiting".

DETAILS

Vulnerable Systems:
 * Cisco 7940/7960
 * Grandstream BT 100
 * Other vendors might be vulnerable as well

According to RFC 3265, chapter 3.2, every NOTIFY has to be embedded in a 
subscription mechanism. If there is no knowledge of a subscription, 
the UAC has to respond with a "481 Subscription does not exist" message.

An attacker could send "Messages-Waiting: yes" messages to all phones 
in the SIP environment. Almost every phone processes this status 
message and shows the user an icon or a blinking display to indicate that 
new messages are available on the voice box. If the attacker sends this 
message to many recipients in a huge environment, it would lead to server 
peaks as many users call the voice box at the same time. Because there 
are no new voice messages, despite what the phone indicates, the users 
will then call support to fix this alleged server problem.

All tested phones process the message with a reset Call-ID, 'branch' and 
'tag', sent from a spoofed IP address.

Example:
The attacker spoofs the SIP proxy's IP, here 10.1.1.1; the victim is 10.1.1.2.
UDP message from attacker to victim:
Session Initiation Protocol
  Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
  Message Header
    Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
    From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
    To: <sip:login@10.1.1.2>
    Contact: <sip:asterisk@10.1.1.1>
    Call-ID: 00000000000000@10.1.1.1
    CSeq: 102 NOTIFY
    User-Agent: Asterisk PBX
    Event: message-summary
    Content-Type: application/simple-message-summary
    Content-Length: 37
  Message body
    Messages-Waiting: yes\n
    Voicemail: 3/2\n

Solution:
Phones that receive a NOTIFY message for which no subscription exists must 
send a "481 Subscription does not exist" response. It should be possible 
to use the REGISTER request as a non-SUBSCRIBE mechanism to set up a valid 
subscription.
This would reduce the possibility of an attack in that it would only be 
possible with a sniffed and spoofed subscription. 
The background is the way dialogs are described in RFC 3261 and in 
sections 5.5 and 3.2 of RFC 3265.
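As an added illustration of the fix described above (example code written for this page, not part of the advisory or of any vendor's firmware), a minimal NOTIFY handler that checks the RFC 3261 dialog identifiers against the phone's subscription table before it acts on the message-summary body. The subscription entry, the tags and the Call-ID in the legitimate sample are made up; the spoofed sample is the advisory's own message.

```python
# Added example, not from the advisory: a minimal NOTIFY handler that applies
# the advisory's fix. It matches the dialog identifiers (Call-ID, To tag, From
# tag) against the phone's own subscription table before it reads the
# message-summary body, answering "481 Subscription does not exist" otherwise.
from typing import Dict, Optional, Set, Tuple

def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def tag_of(header_value: str) -> Optional[str]:
    """Return the ;tag= parameter of a From/To header (minimal parser)."""
    for param in header_value.split(";")[1:]:
        if param.startswith("tag="):
            return param[4:]
    return None

def handle_notify(raw: str, subs: Set[Tuple[str, str, str]]) -> Tuple[str, Optional[bool]]:
    """Return (status line to send back, MWI lamp state or None if ignored)."""
    request_line, hdr, body = parse_sip(raw)
    # From the phone's (subscriber's) view the NOTIFY's To tag is its local tag
    # and the From tag the remote tag; subs is keyed by RFC 3261 dialog ids.
    dialog = (hdr.get("call-id", ""), tag_of(hdr.get("to", "")), tag_of(hdr.get("from", "")))
    if dialog not in subs:
        return "481 Subscription does not exist", None   # the advisory's fix
    if hdr.get("event") != "message-summary":
        return "200 OK", None
    summary = dict(l.split(": ", 1) for l in body.splitlines() if ": " in l)
    return "200 OK", summary.get("Messages-Waiting", "no").lower() == "yes"

# Constructed sample: the advisory's spoofed NOTIFY with zeroed identifiers.
SPOOFED = ("NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000\r\n"
           'From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000\r\n'
           "To: <sip:login@10.1.1.2>\r\nCall-ID: 00000000000000@10.1.1.1\r\n"
           "CSeq: 102 NOTIFY\r\nEvent: message-summary\r\n"
           "Content-Type: application/simple-message-summary\r\n"
           "Content-Length: 37\r\n\r\nMessages-Waiting: yes\nVoicemail: 3/2\n")
# Constructed sample: the same NOTIFY inside a subscription the phone created.
LEGIT = (SPOOFED.replace("tag=000000000", "tag=pbx77")
         .replace("To: <sip:login@10.1.1.2>", "To: <sip:login@10.1.1.2>;tag=ph42")
         .replace("00000000000000@10.1.1.1", "a1b2c3@10.1.1.2"))
SUBS = {("a1b2c3@10.1.1.2", "ph42", "pbx77")}   # (Call-ID, local tag, remote tag)
```

With the subscription table populated from the phone's own SUBSCRIBE (or REGISTER, as the advisory suggests) dialogs, the zeroed-identifier message is rejected and only a NOTIFY carrying the correct Call-ID and both tags can change the lamp state.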


ADDITIONAL INFORMATION

The information has been provided by Tobias Glemser 
<tglemser@tele-consulting.com>.
The original article can be found at:
http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt

