BudgeTone SIP Phone Lets Remote Users Spoof SIP-Notify-Messages Packets
SecurityTracker Alert ID: 1014407
SecurityTracker URL: http://securitytracker.com/id/1014407
Updated: Jun 16 2008
Original Entry Date: Jul 6 2005
Modification of system information
Exploit Included: Yes
Version(s): 100 Series
A vulnerability was reported in the Grandstream BudgeTone 100 phones in the processing of certain Session Initiation Protocol (SIP) messages. A remote user can spoof SIP-Notify-Messages packets.
The BudgeTone SIP implementation does not properly validate the 'Call-ID', 'tag', and 'branch' parameters of received NOTIFY messages to ensure that the NOTIFY message is part of a valid subscription. A remote user can send a spoofed SIP-Notify-Messages packet to modify the Message Waiting status on the target user's phone.
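The missing check described here, and recommended in the quoted advisory below (answer an unsolicited NOTIFY with "481 Subscription does not exist"), can be implemented as a dialog lookup before the Messages-Waiting body is acted on. The following is an added example written for this page; it is not code from the advisory, from Grandstream or from any SIP stack. The subscription table, tags and Call-IDs are constructed, and 10.1.1.1 is the proxy address used in the advisory's capture.

```python
"""Dialog check for incoming SIP NOTIFY requests.

Added example, not code from the advisory or from Grandstream: before a
user agent acts on a NOTIFY (e.g. Messages-Waiting), it looks up the
dialog identified by Call-ID plus local and remote tag (RFC 3261) and
answers "481 Subscription does not exist" (RFC 3265, section 3.2) when
no matching subscription is known. All identifiers below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed subscription table, filled when our SUBSCRIBE (or, as the
# advisory suggests, REGISTER) was answered. Key: (Call-ID, local tag,
# remote tag); value: the Event package the subscription covers.
KNOWN_SUBSCRIPTIONS: Dict[Tuple[str, str, str], str] = {
    ("a84b4c76e66710@phone.example", "1928301774", "9fxced76sl"): "message-summary",
}

# Constructed NOTIFY modelled on the advisory's capture: zeroed branch and
# tag, no To tag, and a Call-ID that belongs to no subscription.
SPOOFED_NOTIFY = (
    "NOTIFY sip:alice@phone.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=000000000000000\r\n"
    "From: \"asterisk\" <sip:asterisk@10.1.1.1>;tag=000000000\r\n"
    "To: <sip:alice@phone.example>\r\n"
    "Call-ID: 000000000000000@10.1.1.1\r\n"
    "CSeq: 102 NOTIFY\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "\r\n"
    "Messages-Waiting: yes\r\n"
)

# Constructed NOTIFY that belongs to the dialog in KNOWN_SUBSCRIPTIONS.
LEGIT_NOTIFY = (
    "NOTIFY sip:alice@phone.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:asterisk@10.1.1.1>;tag=9fxced76sl\r\n"
    "To: <sip:alice@phone.example>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@phone.example\r\n"
    "CSeq: 1 NOTIFY\r\n"
    "Event: message-summary\r\n"
    "Subscription-State: active;expires=3600\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "\r\n"
    "Messages-Waiting: yes\r\n"
)


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP request into (request line, headers with lower-cased names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def header_param(value: str, param: str) -> Optional[str]:
    """Return a ;param=value from a header such as From, To or Via, or None."""
    match = re.search(r";%s=([^;\s]+)" % re.escape(param), value)
    return match.group(1) if match else None


def handle_notify(raw: str,
                  subscriptions: Dict[Tuple[str, str, str], str] = KNOWN_SUBSCRIPTIONS
                  ) -> Tuple[int, str]:
    """Decide the response to a NOTIFY; only a 200 means the body may be acted on."""
    request_line, headers, _body = parse_sip(raw)
    if request_line.split(" ")[0] != "NOTIFY":
        return 405, "Method Not Allowed"
    call_id = headers.get("call-id")
    # In a NOTIFY the notifier is the sender, so From carries the remote tag
    # and To carries the tag we (the subscriber) chose in our SUBSCRIBE.
    remote_tag = header_param(headers.get("from", ""), "tag")
    local_tag = header_param(headers.get("to", ""), "tag")
    event = headers.get("event", "").split(";")[0].strip()
    if subscriptions.get((call_id, local_tag, remote_tag)) != event:
        # Unknown dialog, missing tags or wrong event package: the spoofed
        # packet never reaches the code that updates the Message Waiting icon.
        return 481, "Subscription does not exist"
    return 200, "OK"


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED_NOTIFY), ("subscribed", LEGIT_NOTIFY)):
        print(label, handle_notify(message))
```

The lookup deliberately keys on the full RFC 3261 dialog identifier rather than on Call-ID alone, so a sender would need to know both tags of a live subscription, which is the situation the advisory describes as requiring a sniffed and spoofed subscription. The Event package is compared as well because one dialog may carry several subscriptions.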
Tobias Glemser from Tele-Consulting GmbH reported this vulnerability.
The original advisory is available at:
A remote user can send spoofed SIP-Notify-Messages packets to modify the Message Waiting status on the target user's phone.
No solution was available at the time of this entry.
Vendor URL: www.grandstream.com/y-bt100.htm
Source Message Contents
Subject: VoIP-Phones: Weakness in processing SIP-Notify-Messages
security | networking | training
URL of this advisory:
Weakness in implementation of processing SIP-Notify-Messages
Due to ignoring the value of 'Call-ID' and even 'tag' and
'branch' while processing NOTIFY messages, VoIP-Hardphones
process spoofed status messages like "Messages-Waiting".
According to RFC 3265, Chap 3.2 every NOTIFY has to be
embedded in a subscription mechanism. If there is no knowledge
of a subscription, the UAC has to respond with a "481
Subscription does not exist" message.
All tested phones processed the "Messages-Waiting" messages
without prior subscriptions anywhere.
An attacker could send "Messages-Waiting: yes" messages to
all phones in a SIP-environment. Almost every phone processes
this status message and shows the user an icon or a blinking
display to indicate that new messages are available on the
If the attacker sends this message to many recipients in a
huge environment, it would lead to server peaks as many users
will call the voice box at the same time.
Because there are no new voice messages as indicated by the
phone the users will call the support to fix this alleged server
All tested phones process the message with a reset Call-ID,
'branch' and 'tag' sent from a spoofed IP address.
Attacker spoofs the SIP proxy's IP, here: 10.1.1.1
UDP-Message from Attacker to Victim
Session Initiation Protocol
Request-Line: NOTIFY sip:firstname.lastname@example.org SIP/2.0
Via: SIP/2.0/UDP 184.108.40.206:5060;branch=000000000000000
From: "asterisk" <sip:email@example.com>;tag=000000000
CSeq: 102 NOTIFY
User-Agent: Asterisk PBX
Phones that receive a NOTIFY message to which no subscription
exists must send a "481 Subscription does not exist" response.
It should be possible to use the REGISTER request as a
non-SUBSCRIBE mechanism to set up a valid subscription.
This would reduce the possibility of an attack in such a way
that only with a sniffed and spoofed subscription would such an
attack be possible. Background is given by the way dialogs are
described in RFC 3261 and the sections 5.5 and 3.2 of RFC 3265.
Grandstream BT 100
others will be tested in future
firstname.lastname@example.org +49 (0)7032/97580 (fon)
pentest.tele-consulting.com +49 (0)7032/74750 (fax)
Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden