Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Fwd: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages

from [gary madsen] Network Security [Permanent Link]
Subject: Fwd: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
Date: Fri, 8 Jul 2005 08:54:58 -0500 
FYI

---------- Forwarded message ----------
From: Mark Teicher <mht3@earthlink.net>
Date: Jul 7, 2005 7:06 PM
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
To: Tobias Glemser <tglemser@tele-consulting.com>
Cc: voipsec@voipsa.org


Interesting results when executed against the Avaya Softphone and
Avaya 4620.  The Avaya Softphone throws an exception msg handler
window and the application process handler becomes unresponsive  :)

At 03:16 AM 7/7/2005, Tobias Glemser wrote:

                  Tele-Consulting GmbH
            security | networking | training

                advisory 05/07/06

URL of this advisory:
http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt


Topic:
    Weakness in implemenation of proccessing SIP-Notify-Messages
    in VoIP-Phones.

Summary:
    Due to ignoring the value of 'Call-ID' and even 'tag' and
    'branch' while processing NOTIFY messages, VoIP-Hardphones
    process spoofed status messages like "Messages-Waiting".

    According to RFC 3265, Chap 3.2 every NOTIFY has to be em-
    bedded in a subcription mechanism. If there ain't knowledge
    of a subscription, the UAC has to respond with a "481
    Subscription does not exist" message.

    All tested phones processed the "Messages-Waiting" messages
    without prior subscriptions anywhere.

Effect:
    An attacker could send "Messages-Waiting: yes" messages to
    all phones in a SIP-environment. Almost every phone proccesses
    this status message and shows the user an icon or a blinking
    display to indicate that new messages are available on the
    voice box.

    If the attacker sends this message to many recipients in a
    huge environment, it would lead to server peaks as many users
    will call the voice box at the same time.
    Because there are no new voice messages as indicated by the
    phone the users will call the support to fix this alleged server
    problem.

    All tested phones process the message with a resetted Call-ID,
    'branch' and 'tag' sent by a spoofed IP-Adress.

Example:
    Attacker spoofs the SIP-Proxys IP, here: 10.1.1.1
    Victim 10.1.1.2

    UDP-Message from Attacker to Victim

    Session Initiation Protocol
         Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
         Message Header
             Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
             From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
             To: <sip:login@10.1.1.2>
              Contact: <sip:asterisk@10.1.1.1>
              Call-ID: 00000000000000@10.1.1.1
             CSeq: 102 NOTIFY
                 User-Agent: Asterisk PBX
              Event: message-summary
              Content-Type: application/simple-message-summary
              Content-Length: 37
         Message body
              Messages-Waiting: yes\n
              Voicemail: 3/2\n

Solution:
    Phones who receive a NOTIFY message to which no subscription
    exists, must send a "481 Subscription does not exist" response.
    It should be possible to use the REGISTER request as a
    non-SUBSCRIBE mechanism to set up a valid subscription.

    This would reduce the possibility of an attack in a way, that
    only with a sniffed and spoofed subcription such an attack would
    be possible. Background is given by the way dialogs are des-
    cribed in RFC 3261 and the sections 5.5 and 3.2 of RFC 3265.


Affected products:
    Cisco 7940/7960
    Grandstream BT 100
    others will be tested in future


--
Tobias Glemser


TTTTTTT CCCC
  TT   C  tglemser@tele-consulting.com         +49 (0)7032/97580  (fon)
  TT  C   pentest.tele-consulting.com          +49 (0)7032/74750  (fax)
  TT  C
  TT   C  Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
  TT    CCCC             security | networking | training


_______________________________________________
Voipsec mailing list
Voipsec@voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org



_______________________________________________
Voipsec mailing list
Voipsec@voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SiteMinder Multiple Vulnerabilities, c0ntexb
Next by Date:  Security Advisory for Bugzilla 2.18.1 and 2.19.3, mkanat
Previous by Thread:  SiteMinder Multiple Vulnerabilities, c0ntexb
Next by Thread:  RE: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages, Walton, John Michael (John)
Indexes:  [Date] [Thread] [Top] [All Lists]