
| Subject: | [Full-disclosure] CallManager and OpeSer toll fraud and authentication forward attack |
|---|---|
| Date: | Fri, 12 Oct 2007 18:54:18 +0200 |
MADYNES Security Advisory : SIP toll fraud and authentication forward attack
Date of Discovery: 5 May 2007
Vendor 1 (Cisco) was informed on 22 May 2007
Vendor 2 (OpenSer, voice-systems) was informed on 4 October 2007
ID: KIPH11
Affected products
CallManager:
System version: 5.1.1.3000-5
Administration version: 1.1.0.0-1
OpenSer
SVN versions up to 4 October 2007
Version 1.2.2
Summary
The tested systems do not bind a Digest authentication to a dialog,
which allows any user who can sniff the traffic to make their own calls on
behalf of the sniffed device.
Synopsis
The tested implementations do not check whether the URI provided in
the Digest authentication header is the same as the Request-URI of the
message, which allows an attacker to call any other extension. This is not
a simple replay attack.
They also do not generate one-time nonces. Together, these issues allow a
malicious user who can sniff a Digest authentication from a regular user
to call (by spoofing data) any extension on behalf of that user, as long as
the nonce has not expired.
The first vendor (Cisco) was informed in May 2007 and acknowledged the
vulnerability. The second vendor (OpenSer, voice-systems) was informed in
October 2007 and fixed the vulnerability on the same day.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
vulnerabilities published where advanced state tracking is required.
Background
* SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalling. SIP is an ASCII-based protocol; its INVITE message is used to
initiate and maintain a communication session.
Impact :
A malicious user can perform toll fraud and caller ID spoofing.
Resolution
OpenSer fixed the issue on 4 October.
The devel branch was enhanced to export a variable $adu which refers to the
Digest uri field. It is now easy to check in the config file whether it is
equal to the r-uri:
if($adu != $ru)
{
    # digest uri and request uri are different
}
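To make the Synopsis and the Resolution above concrete, here is an added server-side verifier (example code, not the advisory's PoC and not OpenSer code) that computes the SIP Digest response and then applies the two checks the tested systems lacked: that the Digest uri parameter equals the Request-URI (the $adu == $ru test) and that a nonce is accepted only once. The realm, credentials, nonces and messages are constructed for the example; the check_uri flag reproduces the vulnerable behaviour for comparison.

```python
import hashlib
import re

# Constructed sample realm and credentials; not from the advisory.
REALM = "pbx.example.com"
PASSWORDS = {"1001": "secret1001"}

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(method, username, password, nonce, uri):
    """RFC 2617 MD5 response as used by SIP Digest auth (RFC 3261, no qop)."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def build_invite(request_uri, signed_uri, nonce, username="1001"):
    """Constructed INVITE whose Digest 'uri' may differ from the Request-URI."""
    resp = digest_response("INVITE", username, PASSWORDS[username], nonce, signed_uri)
    return (f"INVITE {request_uri} SIP/2.0\r\n"
            f"Authorization: Digest username=\"{username}\", realm=\"{REALM}\", "
            f"nonce=\"{nonce}\", uri=\"{signed_uri}\", response=\"{resp}\"\r\n\r\n")

def verify(msg, used_nonces, check_uri=True):
    """Proxy-side check; check_uri=False reproduces the vulnerable behaviour."""
    lines = msg.split("\r\n")
    method, request_uri, _ = lines[0].split(" ", 2)
    auth = next(l for l in lines if l.lower().startswith("authorization:"))
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth))
    pw = PASSWORDS.get(p.get("username"))
    if pw is None or p.get("realm") != REALM:
        return False, "unknown user or realm"
    if digest_response(method, p["username"], pw, p["nonce"], p["uri"]) != p["response"]:
        return False, "bad digest"
    # The missing check from the advisory: the URI the client signed must be
    # the Request-URI actually being routed (OpenSer: $adu == $ru).
    if check_uri and p["uri"] != request_uri:
        return False, "digest uri does not match Request-URI"
    # One-time nonce: a captured Authorization header cannot be presented twice.
    if p["nonce"] in used_nonces:
        return False, "nonce reuse"
    used_nonces.add(p["nonce"])
    return True, "ok"
```

With check_uri=False a message whose Request-URI was rewritten to another extension still passes, because the response only covers the uri parameter; with the check enabled it is rejected, and a second presentation of the same nonce is rejected as well.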
Credits
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIF
PoC: PoC code is available on request.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/