SecurityTracker.com
SecurityTracker Archives

Category: Device (VoIP/Phone/FAX) > BudgeTone SIP Phones
Vendors: Grandstream Networks
BudgeTone SIP Phone Lets Remote Users Spoof SIP-Notify-Messages Packets
SecurityTracker Alert ID: 1014407
SecurityTracker URL: http://securitytracker.com/id/1014407
CVE Reference: CVE-2005-2182
Updated: Jun 16 2008
Original Entry Date: Jul 6 2005
Impact: Modification of system information
Exploit Included: Yes
Version(s): 100 Series
Description:   A vulnerability was reported in the Grandstream BudgeTone 100 phones in the processing of certain Session Initiation Protocol (SIP) messages. A remote user can spoof SIP-Notify-Messages packets.

The BudgeTone SIP implementation does not properly validate the 'Call-ID', 'tag', and 'branch' parameters of received NOTIFY messages to ensure that the NOTIFY message is part of a valid subscription. A remote user can send a spoofed SIP-Notify-Messages packet to modify the Message Waiting status on the target user's phone.

Tobias Glemser from Tele-Consulting GmbH reported this vulnerability.

The original advisory is available at:

http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt

Impact:   A remote user can send spoofed SIP-Notify-Messages packets to modify the Message Waiting status on the target user's phone.
Solution:   No solution was available at the time of this entry.
Vendor URL: www.grandstream.com/y-bt100.htm
Cause:   Authentication error

Message History:   None.


 Source Message Contents

Subject:  VoIP-Phones: Weakness in processing SIP-Notify-Messages


			      Tele-Consulting GmbH
			security | networking | training
			
				advisory 05/07/06

URL of this advisory:
http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt


Topic:
	Weakness in the implementation of processing SIP-Notify-Messages
	in VoIP-Phones.

Summary:
	Because the value of 'Call-ID', and even 'tag' and 'branch',
	is ignored while processing NOTIFY messages, VoIP hardphones
	process spoofed status messages such as "Messages-Waiting".

	According to RFC 3265, Section 3.2, every NOTIFY has to be
	embedded in a subscription mechanism. If there is no knowledge
	of a subscription, the UAC has to respond with a "481
	Subscription does not exist" message.

	All tested phones processed the "Messages-Waiting" messages
	without any prior subscription.

Effect:
	An attacker could send "Messages-Waiting: yes" messages to
	all phones in a SIP environment. Almost every phone processes
	this status message and shows the user an icon or a blinking
	display to indicate that new messages are available on the
	voice box.

	If the attacker sends this message to many recipients in a
	large environment, it would lead to server load peaks as many
	users will call the voice box at the same time.
	Because there are no new voice messages, contrary to what the
	phone indicates, the users will call support to fix this
	alleged server problem.

	All tested phones process the message with a reset Call-ID,
	'branch' and 'tag', sent from a spoofed IP address.

Example:
	Attacker spoofs the SIP proxy's IP, here: 10.1.1.1
	Victim: 10.1.1.2
	
	UDP message from Attacker to Victim
	
	Session Initiation Protocol
	    Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
	    Message Header
	        Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
	        From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
	        To: <sip:login@10.1.1.2>
	        Contact: <sip:asterisk@10.1.1.1>
	        Call-ID: 00000000000000@10.1.1.1
	        CSeq: 102 NOTIFY
	        User-Agent: Asterisk PBX
	        Event: message-summary
	        Content-Type: application/simple-message-summary
	        Content-Length: 37
	    Message body
	        Messages-Waiting: yes\n
	        Voicemail: 3/2\n

Solution:
	Phones that receive a NOTIFY message for which no subscription
	exists must send a "481 Subscription does not exist" response.
	It should be possible to use the REGISTER request as a
	non-SUBSCRIBE mechanism to set up a valid subscription.

	This would reduce the possibility of an attack such that only
	with a sniffed and spoofed subscription would such an attack
	be possible. The background is given by the way dialogs are
	described in RFC 3261 and in Sections 5.5 and 3.2 of RFC 3265.
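The subscription check this Solution section calls for, written out as an added example (it is not part of the original advisory, nor code from Grandstream, Cisco or Asterisk): a minimal NOTIFY handler that keeps a table of the dialogs the phone set up itself, identified by Call-ID, local tag and remote tag as in RFC 3261, and answers any NOTIFY that does not match one of them with "481 Subscription does not exist", so its body never reaches the message-waiting indicator. The spoofed NOTIFY from the Example section above is the rejected input; the subscription identifiers (Call-ID sub-1234@10.1.1.2, tags ph-42 and pbx-77) and the accepted NOTIFY are constructed for this example.

```python
"""Subscription-aware handling of SIP NOTIFY (RFC 3265, Section 3.2).

Added example: the phone applies a NOTIFY body only when the NOTIFY
belongs to a dialog the phone created itself (by SUBSCRIBE, or by
REGISTER as the advisory suggests). Everything else is answered 481.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SipMessage:
    start_line: str
    headers: dict   # lower-cased header name -> value
    body: str


def parse_sip(raw: str) -> SipMessage:
    """Split a SIP request into start line, headers and body (CRLF or LF)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head_lines = parts[0].splitlines()
    body = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in head_lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return SipMessage(head_lines[0].strip(), headers, body)


def tag_of(header_value: str):
    """Return the ;tag= parameter of a From/To header value, or None."""
    m = re.search(r";tag=([^;\s]+)", header_value)
    return m.group(1) if m else None


@dataclass
class Phone:
    """Toy MWI state: the subscription table plus the indicator it guards."""
    # dialog id (Call-ID, local tag, remote tag) -> event package subscribed to
    subscriptions: dict = field(default_factory=dict)
    messages_waiting: bool = False
    voicemail: str = ""

    def add_subscription(self, call_id, local_tag, remote_tag, event):
        """Record a dialog the phone established: local_tag is the phone's own
        From tag, remote_tag the tag the notifier returned in To."""
        self.subscriptions[(call_id, local_tag, remote_tag)] = event

    def handle_notify(self, raw: str) -> str:
        """Return the SIP status line the phone would send back."""
        msg = parse_sip(raw)
        if not msg.start_line.startswith("NOTIFY "):
            return "405 Method Not Allowed"
        # In a NOTIFY the notifier is the sender, so its tag is in From and
        # the phone's own tag is in To (RFC 3261 dialog matching).
        dialog = (msg.headers.get("call-id"),
                  tag_of(msg.headers.get("to", "")),
                  tag_of(msg.headers.get("from", "")))
        event = msg.headers.get("event", "").split(";", 1)[0].strip()
        if self.subscriptions.get(dialog) != event:
            # Unknown dialog or wrong event package: the body is ignored.
            return "481 Subscription does not exist"
        if event == "message-summary":
            self._apply_message_summary(msg.body)
        return "200 OK"

    def _apply_message_summary(self, body: str):
        """Update the indicator from a simple-message-summary body; accepts
        RFC 3842 'Voice-Message' and the 'Voicemail' line from the capture."""
        for line in body.splitlines():
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            name, value = name.strip().lower(), value.strip()
            if name == "messages-waiting":
                self.messages_waiting = value.lower() == "yes"
            elif name in ("voice-message", "voicemail"):
                self.voicemail = value


# The spoofed NOTIFY from the advisory's Example section, as raw SIP text.
SPOOFED_NOTIFY = (
    "NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000\r\n"
    'From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000\r\n'
    "To: <sip:login@10.1.1.2>\r\n"
    "Contact: <sip:asterisk@10.1.1.1>\r\n"
    "Call-ID: 00000000000000@10.1.1.1\r\n"
    "CSeq: 102 NOTIFY\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "Messages-Waiting: yes\n"
    "Voicemail: 3/2\n"
)

# Constructed for this example: a NOTIFY inside a dialog the phone set up.
LEGIT_NOTIFY = (
    "NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-example-1\r\n"
    "From: <sip:asterisk@10.1.1.1>;tag=pbx-77\r\n"
    "To: <sip:login@10.1.1.2>;tag=ph-42\r\n"
    "Call-ID: sub-1234@10.1.1.2\r\n"
    "CSeq: 1 NOTIFY\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "Messages-Waiting: yes\n"
    "Voice-Message: 2/0\n"
)


def demo():
    """Run both messages through a phone holding one (constructed) subscription."""
    phone = Phone()
    phone.add_subscription("sub-1234@10.1.1.2", "ph-42", "pbx-77", "message-summary")
    result = {}
    result["spoofed"] = phone.handle_notify(SPOOFED_NOTIFY)
    result["mwi_after_spoof"] = phone.messages_waiting
    result["legit"] = phone.handle_notify(LEGIT_NOTIFY)
    result["mwi_after_legit"] = phone.messages_waiting
    result["voicemail"] = phone.voicemail
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The spoofed message fails for two independent reasons: its To header carries no tag (the phone never assigned one, because it never subscribed), and its Call-ID is not in the table. An attacker who had sniffed a live subscription could supply all three identifiers, which is exactly the residual risk the advisory's Solution section describes.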


Affected products:
	Cisco 7940/7960
	Grandstream BT 100
	others will be tested in future


--
Tobias Glemser


TTTTTTT CCCC
   TT   C  tglemser@tele-consulting.com         +49 (0)7032/97580  (fon)
   TT  C   pentest.tele-consulting.com          +49 (0)7032/74750  (fax)
   TT  C
   TT   C  Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
   TT    CCCC             security | networking | training


Copyright 2019, SecurityGlobal.net LLC