Secure Science Corporation Advisory TSA-053 - Ureach.com's Uscreen Desktop software is vulnerable to misuse and enables specific caller-id spoofing via the forward feature, enabling compromise of other communication services operating on PSTN or wireless networks.
Secure Science Corporation Advisory TSA-053
http://www.securescience.net
e-response@securescience.net
877-570-0455
---------------------------------------------------------
Ureach.com's Uscreen Desktop software is vulnerable to misuse and enables
specific caller-id spoofing via the forward feature, enabling compromise
of other communication services operating on PSTN or wireless networks.
---------------------------------------------------------------------
Vulnerability Classification: Authentication bypass, Remote Compromise,
General misuse.
Discovery Date: October 19th, 2004
Vendor Contacted: October 27, 2004
Advisory publication date: November 5th, 2004
Vendor Description:
-------------------
uReach.com strives to provide solutions that meet a wide range of customer needs,
from point solutions that address a specific need to robust bundles that can
simplify managing all forms of communications - email, voice mail, fax,
reminders, alerts and phone calls.
Abstract:
---------
Ureach.com's Uscreen Desktop is included in many of the services that Ureach.com
provides. It is used as a desktop alert and control service, enabling users to
identify the caller, forward calls to arbitrary numbers, send calls to voicemail,
and call back missed calls. Ureach.com provides 1-800 virtual numbers to its
customers that forward to numbers selected by the customer.

Example case: Many VoIP phone networks (such as freeworld dialup and
sipphone.com) allow toll-free calling (18xxx) and provide the user with a SIP id
or number. In most cases the SIP id does not have the same format as the
Caller-ID presented on a PSTN network (usually 7 or 10 digits); freeworld, for
example, provides 5 or 6 digit numbers instead. When a SIP phone whose id does
not meet the proper Caller-ID format criteria calls a Ureach number, Ureach
"corrects" the id by placing the call to the destination number with the
Caller-ID display set to the destination number itself.
Description:
------------
In pseudocode (the vulnerable forwarding behaviour as observed):

    if (!IsProperCidFormat(caller_id)) {
        /* the incoming id is replaced with the destination's own number */
        cid = destination_target;
        ForwardCall(cid, destination_target);
    }
By presenting an improperly formatted id as identification, the caller causes
the target number to be displayed as the calling number. This allows trivial
abuse by arbitrary attackers, including remote compromise of voicemail systems
such as T-Mobile Wireless and Verizon Northwest (refer to Secure Science
Corporation Advisory TSA-051).
Tested Vendors:
---------------
Ureach.com
Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor and has received no response.
Solution:
---------
Ureach.com receives calls with the Caller-ID signal first and ANI second (if
Caller-ID is blocked). If the Caller-ID does not match the proper format, ANI
should be used instead, or the customer's 877 virtual number should be displayed
to the destination. The destination number itself should never be presented as
the calling number.
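The forwarding logic from the Description pseudocode beside the fallback proposed in this Solution section, written out as an added illustration that is not part of the advisory or of Ureach.com's software; the function names, the 7/10-digit format check and all sample numbers are assumptions made here.

```python
import re
from typing import Optional

# Proper PSTN Caller-ID format as described in the advisory: 7 or 10 digits.
PROPER_CID_RE = re.compile(r"^(?:\d{7}|\d{10})$")


def is_proper_cid_format(number: Optional[str]) -> bool:
    """True when the presented id looks like a PSTN Caller-ID (7 or 10 digits)."""
    return number is not None and PROPER_CID_RE.match(number) is not None


def vulnerable_display_cid(caller_id: Optional[str], destination: str) -> str:
    """Behaviour the advisory's pseudocode describes: an improperly formatted id
    (e.g. a 5-digit SIP id) is 'corrected' by substituting the destination's own
    number, so the callee sees its own number as the caller."""
    if not is_proper_cid_format(caller_id):
        return destination
    return caller_id


def hardened_display_cid(caller_id: Optional[str], ani: Optional[str],
                         destination: str, virtual_number: str) -> str:
    """Mitigation from the Solution section: prefer a well-formed Caller-ID,
    fall back to ANI, and otherwise show the customer's own 877 virtual number.
    The destination number is never used as the displayed id."""
    if is_proper_cid_format(caller_id):
        return caller_id
    if is_proper_cid_format(ani):
        return ani
    return virtual_number


def displayed_id_is_spoofable(displayed: str, destination: str) -> bool:
    """Detection check for the forwarded leg: presenting the destination's own
    number as the caller is the condition that enables the described misuse."""
    return displayed == destination


# Constructed sample values (not taken from the advisory).
SIP_ID = "54321"              # 5-digit SIP id, fails the PSTN format check
ANI = "2125550177"            # network-supplied ANI of the calling trunk
DESTINATION = "2065550143"    # customer's forwarding target
VIRTUAL_877 = "8775550100"    # customer's Ureach virtual number
```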
Credits:
--------
Secure Science Corporation: Lance James
Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.