what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

voip-phones.txt

voip-phones.txt
Posted Jul 7, 2005
Authored by Tobias Glemser | Site pentest.tele-consulting.com

Due to ignoring the value of Call-ID and even tag and branch while processing NOTIFY messages, VOIP-Hardphones process spoofed status messages like Messages-Waiting.

tags | advisory, spoof
SHA-256 | 7e874ac6aa4310120bd4e7a44ff20320a9205cdf8195fe255cbc74e7c8879b81

voip-phones.txt

Change Mirror Download
            Tele-Consulting GmbH
security | networking | training

advisory 05/07/06

URL of this advisory:
http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt


Topic:
Weakness in implemenation of proccessing SIP-Notify-Messages
in VoIP-Phones.

Summary:
Due to ignoring the value of 'Call-ID' and even 'tag' and
'branch' while processing NOTIFY messages, VoIP-Hardphones
process spoofed status messages like "Messages-Waiting".

According to RFC 3265, Chap 3.2 every NOTIFY has to be em-
bedded in a subcription mechanism. If there ain't knowledge
of a subscription, the UAC has to respond with a "481
Subscription does not exist" message.

All tested phones processed the "Messages-Waiting" messages
without prior subscriptions anywhere.

Effect:
An attacker could send "Messages-Waiting: yes" messages to
all phones in a SIP-environment. Almost every phone proccesses
this status message and shows the user an icon or a blinking
display to indicate that new messages are available on the
voice box.

If the attacker sends this message to many recipients in a
huge environment, it would lead to server peaks as many users
will call the voice box at the same time.
Because there are no new voice messages as indicated by the
phone the users will call the support to fix this alleged server
problem.

All tested phones process the message with a resetted Call-ID,
'branch' and 'tag' sent by a spoofed IP-Adress.

Example:
Attacker spoofs the SIP-Proxys IP, here: 10.1.1.1
Victim 10.1.1.2

UDP-Message from Attacker to Victim

Session Initiation Protocol
Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
Message Header
Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
To: <sip:login@10.1.1.2>
Contact: <sip:asterisk@10.1.1.1>
Call-ID: 00000000000000@10.1.1.1
CSeq: 102 NOTIFY
User-Agent: Asterisk PBX
Event: message-summary
Content-Type: application/simple-message-summary
Content-Length: 37
Message body
Messages-Waiting: yes\n
Voicemail: 3/2\n

Solution:
Phones who receive a NOTIFY message to which no subscription
exists, must send a "481 Subscription does not exist" response.
It should be possible to use the REGISTER request as a
non-SUBSCRIBE mechanism to set up a valid subscription.

This would reduce the possibility of an attack in a way, that
only with a sniffed and spoofed subcription such an attack would
be possible. Background is given by the way dialogs are des-
cribed in RFC 3261 and the sections 5.5 and 3.2 of RFC 3265.


Affected products:
Cisco 7940/7960
Grandstream BT 100
others will be tested in future


--
Tobias Glemser


TTTTTTT CCCC
TT C tglemser@tele-consulting.com +49 (0)7032/97580 (fon)
TT C pentest.tele-consulting.com +49 (0)7032/74750 (fax)
TT C
TT C Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
TT CCCC security | networking | training
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close