what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PhonerLite 2.14 Digest Information Leak

PhonerLite 2.14 Digest Information Leak
Posted Mar 31, 2014
Authored by Jason Ostrom

PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5 digest authenticated user credential hash via spoofed SIP INVITE message sent by a malicious 3rd party. After responding back to an authentication challenge to the BYE message, PhonerLite leaks the hashed MD5 digest credentials.

tags | exploit, spoof, info disclosure
advisories | CVE-2014-2560
SHA-256 | 7a34b13b986e3c819eec422d90f73dfa5a7fe4225fdb3fbe73a15891c3c278e5

PhonerLite 2.14 Digest Information Leak

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


I. Advisory Summary

Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft
Phone
Date Published: March 30, 2014
Vendors contacted: Heiko Sommerfeldt, PhonerLite author
Discovered by: Jason Ostrom
Severity: Medium

II. Vulnerability Scoring Metrics

CVE Reference: CVE-2014-2560
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Component(s): PhonerLite SIP Soft Phone
Class: Information Disclosure

III. Introduction

PhonerLite [1] is a freeware SIP soft phone client running on the Windows
platform and supporting common VoIP features as well as security
functionality such as SIP TLS, SRTP, and ZRTP.

[1] http://www.phonerlite.de

IV. Vulnerability Description

PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5
digest authenticated user credential hash via spoofed SIP INVITE message
sent by a malicious 3rd party. After responding back to an authentication
challenge to the BYE message, PhonerLite leaks the hashed MD5 digest
credentials. After the 3rd party receives the dumped MD5 hash, they can use
this information to mount an offline wordlist attack. This SIP protocol
implementation issue vulnerability was initially discovered by Sandro Gauci
of Enable Security [2], with vendor soft phones and handsets showing
differential success in mitigating this flaw. CVE-IDs have been reserved
for two previous SIP soft phone implementations [3, 4] that were tested as
vulnerable.

[2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf
[3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139
[4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140

V. Technical Description / Proof of Concept Code

The following steps can be carried out in duplicating this vulnerability.

Step 1:
Use SIPp protocol tester to craft a SIP INVITE message using TCP transport
and forward the SIP message towards the IP address of the Windows PhonerLite
soft phone, listening on TCP port 5060
Step 2:
PhonerLite user answers call
Step 3:
PhonerLite user hangs up call, since there is no one talking (it is like
dead air)
Step 4:
Attacker receives BYE message from PhonerLite. Immediately after receiving
BYE, attacker sends a 401 challenge SIP message
Step 5:
PhonerLite responds with a second BYE message, containing SIP Authorization
header (which contains MD5 hash / response)
Step 6:
Attacker mounts an offline wordlist attack against the dumped MD5 hash using
sipdump/sipcrack

Additional Notes:
* The vulnerability verification was tested as a malicious 3rd party using
Kali Linux [5] distribution, with all tools included in distro.
* The attacker does not need to know the correct username of PhonerLite
registered SIP user. The attacker only needs to find the IP address of a
PhonerLite endpoint listening on TCP port 5060.
* The attacker does not need to know the digest realm field. A null realm
string of "NULL" or "null" will be sufficient in exploiting the flaw.
* Verified that PhonerLite is not vulnerable to this security flaw when
attacker uses UDP transport instead of TCP

[5] http://kali.org

VIII. Vendor Information, Solutions, and Workarounds

This issue is fixed in PhonerLite version 2.15

Resolution is the following, as specified by the author: A SIP UAC (User
Agent Client) should not send a 401 or 407. In other words, only a UAS
(User Agent Server) should send a 401 or 407 challenge. Therefore, a
401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd
party UAC.

IX. Credits

This vulnerability has been discovered by:
Jason Ostrom of Stora

XX. Vulnerability History

Sun, 2/16/14: Vulnerability discovered
Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at
phoner.de
Thu, 3/13/14: Notified by author that Beta version has been uploaded, which
should fix problem. Attempted to verify with security testing of Beta 2.15.
Verified that issue has been resolved.
Sun, 3/30/14: Notified by author that fixed version (2.15) has been
uploaded
Sun, 3/30/14: Vulnerability disclosure posted

XXI. Disclaimer

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Stora accepts no
responsibility for any damage caused by the use or misuse of this
information.



-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: us-ascii

wsBVAwUBUzl9EWRzm/FWea0uAQjX8gf/Ts6IWfPbMFeir5PxDrvQ2VWBNCESgODN
GgJQZaj6339ZxIMFC6IYoD4Uvx223igSB+OyYHLmGZOnQoES7Ilj2Or5Afe71Cqe
ExqYe2fTaZeyruWTgmPA296W3EEoT+Cedeyy5k0+sxK4ahKZ2DQgM/WIDDHU3X/B
nAJZWob+r2f2tQr+OBhy7saMEix9QMNeAEZCa+JJ8az9gxe6+AU9kdmwj9hPy+qc
ZDODMOSyvYojfuvE0oy0AyZ1OBWVpI9lSCI6wmUT6ihOpruz3OKQT+e1HyFoBvmX
aafzW7VlbxgS3EQRC25EWj61BYVIy7OpIFfOzymyBnL/qb0PTBmiDA==
=rmxn
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close