Wednesday, August 29, 2007

Eavesdropping vulnerability in SIP stacks with the code

An eavesdropping vulnerability was revealed on the popular
Full Disclosure mailing list on Wednesday. Vulnerability
researchers Humberto Abdelnur, Radu State and Olivier Festor
claimed the exploit could allow a remote attacker to turn a
VoIP phone into an eavesdropping device, citing a Grandstream
SIP phone as an example.

While playing with the SIP Madynes stateful fuzzer
for a description see http://hal.inria.fr/inria-00166947/en),
we have realized that some SIP stack engines have serious
bugs allowing to an attacker to automatically make a remote
phone accept the call without ringing and without asking the
user to take the phone from the hook, such that the attacker
might be able to listen to all conversations that take place
in the remote room without being noticed.One example that we
can disclose (vendor was notified on 10 th May 2007) is the
following: Grandstream SIP Phone GXV-3000

MADYNES Security Advisory : SIP remote attack on
Grandstream SIP Phone GXV-3000

Date of Discovery 7 th May, 2007

ID: KIPH7

Background

SIP is the IETF standardized (RFCs 2543 and 3261) protocol
for VoIP signalization. SIP is an ASCII based INVITE message
is used to initiate and maintain a communication session.


Affected devices: Grandstream SIP Phone GXV-3000 with latest
available firmware 1.0.1.7 Loader-- 1.0.0.6 Boot--1.0.0.18

Impact :
A malicious user can remotely eavesdrop (a remote location)
and perform DOS on a remote phone.
Resolution
Fixed software will be available from the vendor and customers
following recommended best practices (ie segregating VOIP
traffic from data) will be protected from malicious traffic
in most situations.

The vulnerability is based in a sequence of two messages,
where both messages are syntactically right, but together
they turn the device in an inconsistent state, where the
RTP is now send to the attacker/


ougui at 152.81.48.94:5060 is the attacker
1005 at 152.81.48.88:5060 the attacked phone


X ------ INVITE ------>
GXV-3000
X ------ 100 Trying ------>
GXV-3000
X ------ 180 Ringing ------>
GXV-3000
X ------183 Session Progress ------->
GXV-3000
X ------ RTP - FLOW ------->
GXV-3000
After these messages the device is not able to hang up so a
remote DOS can be also done.
Credits:
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)
Exploit Code :

0 comments:

Blog Widget by LinkWithin