Replay Attack Vulnerability on Sony's Instant Video Everywhere Service
http://www.iptel.org/security/2005-12-31.html
December 31, 2005

I. Background

Sony offers a SIP based voice and video service called IVE. By downloading a client application for the Windows operating system everybody can make free voice and video calls between the members of the IVE service. For an additional monthly charge the users can also make calls into the PSTN (normal telephones and cell phones). More information is available from the website: http://www.myive.com

II. Description

After starting the IVE client application and entering the username and password into the initial dialog, the application sends an HTTP request to one of the servers of the service provider GlowPoint to fetch initial provisioning data. This request is sent over a non-secured TCP connection.

The request URI of this initial HTTP request contains two parameters named "userLogin" and "userPassword". The "userLogin" parameter contains the customer's username (their email address) in clear text. The "userPassword" parameter contains a hexadecimal string; this string is constant for every provisioning request as long as the user does not change the password.

The response to this HTTP request contains a list of attribute value pairs. One of the attributes is named "token". The value of this "token" changes for every new HTTP request which is sent to the server. Furthermore the value of the "token" appears in the request URI of several additional HTTP requests and in the SIP signaling. In the SIP REGISTER requests from the IVE client the "token" value is present in the "X-DyLogic-MCS-Token" header.

III. Analysis

The server responds to a REGISTER request only if it contains the "X-DyLogic-MCS-Token" header with the exact value from the provisioning data set (from the preceding HTTP request).
If someone other than the real user (the attacker) knows the "userLogin" and "userPassword" values, they can send the same HTTP request (with any HTTP client) to the provisioning server to get an up-to-date provisioning data set. If the attacker copies the "token" value from this provisioning data set into a SIP REGISTER request, they can log in to the IVE service with any SIP client and receive calls for the real user (as long as the real user is not online with the IVE client at the same time). The most recent "token" value is accepted by the server for several hours, as long as no additional HTTP provisioning request was sent to the server.

As the hexadecimal string value of "userPassword" is not equal to the real password of the user, the potential attacker would not be able to log in to the IVE web frontend by just knowing the "userPassword" value.

IV. Affected Versions

The IVE client version "v4.4.0 MCS" is affected by this vulnerability.

V. Workarounds

* Change your IVE user password very often.
* Use the IVE client only from trustworthy networks.
* Wait for a new IVE client version which fixes the described problems.

VI. Disclosure Timeline

12/07/2005 Initial vendor notification - GlowPoint
12/07/2005 Initial vendor response
12/31/2005 Public disclosure

VII. Credit

Nils Ohlmeier discovered this vulnerability.

VIII. Legal Notice

Copyright © 2005 iptelorg GmbH

Permission is granted for the redistribution of this alert electronically.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
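The replay described in section III leaves a server-side trace: a "token" that was handed out to one client address is later presented in a SIP REGISTER from a different address, often hours after it was issued. The following detection logic is an added example written for this page; it is not code from the advisory, from iptelorg, or from the IVE/GlowPoint service. Only the header name "X-DyLogic-MCS-Token" comes from the advisory; the log format, the field names (src, token, userLogin), the /provision path and the sample log lines are all constructed assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the advisory). Format is an assumption:
# one HTTP provisioning fetch per user, then SIP REGISTERs carrying the token
# header named in the advisory. Alice's token is later presented from another
# address hours after it was issued; the last line carries a never-issued token.
SAMPLE_LOG = """\
2005-12-30T10:00:01 HTTP GET /provision?userLogin=alice@example.com src=192.0.2.10 token=1f3a9c
2005-12-30T10:00:03 SIP REGISTER src=192.0.2.10 X-DyLogic-MCS-Token: 1f3a9c
2005-12-30T10:05:00 HTTP GET /provision?userLogin=bob@example.com src=192.0.2.22 token=77b0e4
2005-12-30T10:05:02 SIP REGISTER src=192.0.2.22 X-DyLogic-MCS-Token: 77b0e4
2005-12-30T13:41:17 SIP REGISTER src=198.51.100.7 X-DyLogic-MCS-Token: 1f3a9c
2005-12-30T13:42:00 SIP REGISTER src=198.51.100.7 X-DyLogic-MCS-Token: deadbe
"""

# Assumed line shapes for the two event types this example correlates.
PROV_RE = re.compile(
    r"^(?P<ts>\S+) HTTP GET /provision\?userLogin=(?P<user>\S+) "
    r"src=(?P<src>\S+) token=(?P<token>\w+)$"
)
REG_RE = re.compile(
    r"^(?P<ts>\S+) SIP REGISTER src=(?P<src>\S+) X-DyLogic-MCS-Token: (?P<token>\w+)$"
)


def find_token_replays(log_text, max_age_seconds=3600):
    """Correlate provisioning fetches with REGISTERs and report suspicious token use.

    A REGISTER is reported when its token was issued to a different source
    address ("source-mismatch"), when the token is older than max_age_seconds
    ("stale-token"), or when no provisioning fetch ever issued it
    ("unknown-token"). Each finding is a dict with the token, the user it was
    issued to (None if unknown), the issuing and using source addresses, the
    REGISTER timestamp and the list of reasons.
    """
    issued = {}    # token -> (user, src, issue time)
    findings = []
    for line in log_text.splitlines():
        m = PROV_RE.match(line)
        if m:
            issued[m["token"]] = (m["user"], m["src"], datetime.fromisoformat(m["ts"]))
            continue
        m = REG_RE.match(line)
        if not m:
            continue    # unrelated line
        reasons = []
        record = issued.get(m["token"])
        if record is None:
            user, src = None, None
            reasons.append("unknown-token")
        else:
            user, src, when = record
            if src != m["src"]:
                reasons.append("source-mismatch")
            age = (datetime.fromisoformat(m["ts"]) - when).total_seconds()
            if age > max_age_seconds:
                reasons.append("stale-token")
        if reasons:
            findings.append({
                "token": m["token"], "user": user, "issued_to": src,
                "used_from": m["src"], "ts": m["ts"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_token_replays(SAMPLE_LOG):
        print(f["ts"], f["token"], f["user"], f["issued_to"], "->", f["used_from"], f["reasons"])
```

The two checks mirror the two properties the advisory identifies as the problem: the token is a bearer value not bound to the client that fetched it, and it stays valid for several hours. Flagging cross-address use and stale tokens only makes the replay visible; the actual fix belongs in the protocol (provisioning over an authenticated, encrypted channel, a per-session token tied to the registering client, and a short lifetime), which is the "new IVE client version" the workarounds section points to.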