[NEWS] Sony's Instant Video Everywhere Service Replay Attack

Subject: [NEWS] Sony's Instant Video Everywhere Service Replay Attack
Date: 4 Jan 2006 17:49:28 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Sony's Instant Video Everywhere Service Replay Attack
------------------------------------------------------------------------


SUMMARY

"<http://sony.glowpoint.com/> IVE makes video and voice calling from your 
PC as easy as placing a telephone call - but with the added power of 
face-to-face communications."

By exploiting a replay attack on Sony's Instant Video Everywhere, 
attackers can steal calls and impersonate the users.

DETAILS

Vulnerable Systems:
 * Sony IVE version 4.4.0 MCS

After the IVE client application starts and the user enters a username and 
password into the initial dialog, the application sends an HTTP request to 
one of the servers of the service provider GlowPoint to fetch initial 
provisioning data. This request is sent over an unencrypted TCP connection. 
The request URI of this initial HTTP request contains two parameters named 
"userLogin" and "userPassword". The userLogin parameter contains the 
customer's username (their email address) in clear text. The userPassword 
parameter contains a hexadecimal string; this string is constant for every 
provisioning request as long as the user does not change their password.

The response to this HTTP request contains a list of attribute-value 
pairs. One of the attributes is named "token". The value of this "token" 
changes for every new HTTP request that is sent to the server. 
Furthermore, the "token" value appears in the request URI of several 
additional HTTP requests and in the SIP signaling. In the SIP REGISTER 
requests from the IVE client the "token" value is carried in the 
"X-DyLogic-MCS-Token" header.

The server only responds to a REGISTER request if it contains the 
"X-DyLogic-MCS-Token" header with the exact value from the most recent 
provisioning data set (returned by the preceding HTTP request).

If someone other than the real user (an attacker) knows the "userLogin" 
and "userPassword" values, he can send the same HTTP request (with any HTTP 
client) to the provisioning server to obtain an up-to-date provisioning 
data set. If the attacker copies the "token" value from this provisioning 
data set into a SIP REGISTER request, he can log in to the IVE service with 
any SIP client and receive calls for the real user (as long as the real 
user is not online with his IVE client at the same time). 
The most recent "token" value is accepted by the server for several hours 
as long as no additional HTTP provisioning request has been sent to the 
server.

As the hexadecimal "userPassword" value is not the user's real password, 
an attacker who knows only the "userPassword" value would not be able to 
log in to the IVE web frontend.
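The token reuse described above leaves a simple trace on the registrar side: one "X-DyLogic-MCS-Token" value arriving in REGISTER requests from two different source addresses. The following detection logic is an added example, not code from the advisory or from GlowPoint; the SIP messages, addresses and token values it runs over are constructed for the example.

```python
import re
from collections import defaultdict

TOKEN_RE = re.compile(r"^X-DyLogic-MCS-Token:\s*(\S+)", re.M | re.I)
FROM_RE = re.compile(r"^From:.*?<sip:([^>]+)>", re.M | re.I)

def _reg(user, token):
    """Build a constructed, minimal REGISTER; real IVE traffic carries more headers."""
    return ("REGISTER sip:sony.glowpoint.com SIP/2.0\r\n"
            f"From: <sip:{user}>\r\n"
            f"X-DyLogic-MCS-Token: {token}\r\n\r\n")

# Constructed sample traffic as (source address, raw SIP message).
SAMPLE_REGISTERS = [
    ("203.0.113.10", _reg("alice@example.com", "7f3a9c1e")),  # alice's IVE client
    ("203.0.113.10", _reg("alice@example.com", "7f3a9c1e")),  # re-REGISTER, same host
    ("203.0.113.25", _reg("bob@example.com", "b04d22e1")),
    ("198.51.100.7", _reg("alice@example.com", "7f3a9c1e")),  # same token, new host
]

def parse_register(raw):
    """Return (user, token) for a REGISTER carrying the token header, else None."""
    if not raw.startswith("REGISTER "):
        return None
    tok, frm = TOKEN_RE.search(raw), FROM_RE.search(raw)
    if not tok or not frm:
        return None
    return frm.group(1), tok.group(1)

def find_token_reuse(registers):
    """Alert when one token value is presented from more than one source address;
    a legitimate client repeats its token from a single host (see the replay above)."""
    hosts = defaultdict(dict)  # token -> {source ip: user}
    alerts = []
    for ip, raw in registers:
        parsed = parse_register(raw)
        if parsed is None:
            continue
        user, token = parsed
        if hosts[token] and ip not in hosts[token]:
            alerts.append({"token": token, "user": user,
                           "first_seen_from": sorted(hosts[token]),
                           "replayed_from": ip})
        hosts[token][ip] = user
    return alerts
```

The same check applies to the provisioning server's HTTP logs, where the token appears in request URIs; clients behind a changing NAT address will produce false positives, so the alert is a trigger for review rather than proof of compromise.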

Disclosure Timeline:
12/07/2005 Initial vendor notification - GlowPoint
12/07/2005 Initial vendor response
12/31/2005 Public disclosure


ADDITIONAL INFORMATION

The information has been provided by Nils Ohlmeier <mailto:lists@ohlmeier.org>.
The original article can be found at:
http://www.iptel.org/security/2005-12-31.html


