This is a multi-part message in MIME format.
--------------050908050904050106040702
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--------------050908050904050106040702
Content-Type: text/plain;
 name="Ureach_Exploit"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="Ureach_Exploit"

Secure Science Corporation Advisory TSA-053
http://www.securescience.net
e-response@securescience.net
877-570-0455

---------------------------------------------------------

Ureach.com's Uscreen Desktop software is vulnerable to misuse and enables
specific caller-id spoofing via the forward feature, enabling compromise 
of other communication services operating on PSTN or wireless networks.

---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, Remote Compromise,
General misuse.

Discovery Date: October 19th, 2004
Vendor Contacted: October 27, 2004
Advisory publication date: November 5th, 2004


Vendor Description:
-------------------
uReach.com strives to provide solutions that meet a wide range of customer needs
from point solutions that address a specific need to robust bundles that can
simplify managing all forms of communications - email, voice mail, fax,
reminders, alerts and phone calls.


Abstract:
---------
Ureach.com's Uscreen Desktop is included in many services that Ureach.com
provides. It is used as a desktop alert and control service, enabling users to
identify the caller, forward the calls to arbitrary numbers, send to voicemail,
and call back missed calls. Ureach.com provides 1-800 virtual numbers to their
customers that will forward to numbers selected by the customer. Example Case:
Many VOIP phone networks allow the use of toll-free calling (18xxx) (such as 
freeworld dialup and sipphone.com) and provide you with a sip id or number. 
In most cases, the sip id is not the same format as the Caller-Id given on 
a PSTN network (usually 7 or 10 digit sets), e.g. freeworld provides 5 or 6 digit 
numbers instead. When calling a ureach number with a sip-phone that does 
not match the criteria of proper caller id format, Ureach will correct it 
by calling the destination number using the Caller-id display of the 
destination number.  

Description:
------------
In Pseudocode: 
if (UscreenReceiveCall(!PROPERCIDFORMAT)) { cid = destination_target; ForwardCall(cid, destination_target); } 

By sending a non-proper formatted id as identification, the target number is
displayed as the caller. This allows for trivial abuse by arbitrary attackers, 
including remote compromise of voicemail systems such as T-mobile Wireless and
Verizon Northwest (refer to Secure Science Corporation Advisory TSA-051).

Tested Vendors:
---------------
Ureach.com


Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor and has received no response.

Solution:
---------
Ureach.com receives calls with Caller ID signal first, ANI second (if
Caller-ID is blocked): If the Caller-ID does not match proper format, then ANI
should be utilized or the customers 877 virtual number should be displayed to the destination.

Credits: 
--------
Secure Science Corporation: Lance James

Disclaimer:
----------- 
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.
--------------050908050904050106040702--