Secure Science Corporation Advisory TSA-053
http://www.securescience.net
e-response@securescience.net
877-570-0455
---------------------------------------------------------
Ureach.com's Uscreen Desktop software is vulnerable to misuse and enables
specific caller-ID spoofing via the forward feature, enabling compromise of
other communication services operating on PSTN or wireless networks.
---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, Remote Compromise, General misuse.
Discovery Date: October 19th, 2004
Vendor Contacted: October 27, 2004
Advisory publication date: November 5th, 2004

Vendor Description:
-------------------
uReach.com strives to provide solutions that meet a wide range of customer
needs, from point solutions that address a specific need to robust bundles
that can simplify managing all forms of communications: email, voice mail,
fax, reminders, alerts and phone calls.

Abstract:
---------
Ureach.com's Uscreen Desktop is included in many services that Ureach.com
provides. It is used as a desktop alert and control service, enabling users
to identify the caller, forward calls to arbitrary numbers, send calls to
voicemail, and call back missed calls. Ureach.com provides 1-800 virtual
numbers to its customers; calls to a virtual number are forwarded to
numbers selected by the customer.

Example Case:
Many VOIP phone networks (such as Free World Dialup and sipphone.com) allow
toll-free calling (1-8xx numbers) and provide you with a SIP id or number.
In most cases the SIP id is not in the same format as the Caller-ID carried
on the PSTN (usually 7 or 10 digits); Free World Dialup, for example,
assigns 5- or 6-digit numbers. When a uReach number is called from a SIP
phone whose id does not match the expected Caller-ID format, uReach
"corrects" the id: it places the forwarded call to the destination number
with the destination number itself as the displayed Caller-ID. The callee
therefore sees its own number calling.
Description:
------------
In pseudocode (the forwarding behaviour as observed, not vendor code):

    on UscreenReceiveCall(caller_id, destination_target):
        if not PROPER_CID_FORMAT(caller_id):
            # improperly formatted id is "corrected" to the callee's own number
            cid = destination_target
        else:
            cid = caller_id
        ForwardCall(cid, destination_target)

By presenting an improperly formatted id as identification, the attacker
causes the target number to be displayed as the caller. No credentials or
special equipment are needed, so this allows trivial abuse by arbitrary
attackers, including remote compromise of voicemail systems that
authenticate on Caller-ID alone, such as T-Mobile Wireless and Verizon
Northwest (refer to Secure Science Corporation Advisory TSA-051).

Tested Vendors:
---------------
Ureach.com

Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor and has
received no response.

Solution:
---------
Ureach.com receives the Caller-ID signal first and the ANI second (if
Caller-ID is blocked). If the Caller-ID does not match the proper format,
the ANI should be used instead or, failing that, the customer's own 877
virtual number should be displayed to the destination. The destination
number itself should never be used as the displayed Caller-ID.

Credits:
--------
Secure Science Corporation: Lance James

Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Secure Science Corporation products.
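Worked Example:
---------------
The following Python model is an added illustration for this page; it is not
uReach code and not part of the original advisory. It puts the forwarding
decision from the Description section beside the behaviour the Solution
section asks for, and runs a constructed call through both. The 7/10-digit
definition of a "proper" Caller-ID, the function names, the sample numbers,
and the voicemail policy (a mailbox that auto-authenticates when the
displayed Caller-ID equals the subscriber's own number, the class of weakness
TSA-051 is cited for) are assumptions made for illustration.

```python
"""Model of the uReach call-forwarding Caller-ID decision described in TSA-053.

Added example for this page: not uReach code. The number formats, function
names, sample numbers and voicemail policy below are assumptions.
"""
import re

# Assumed definition of a "proper" PSTN Caller-ID: a 10-digit NANP number or
# a 7-digit local number, digits only. The advisory says SIP ids of 5 or 6
# digits (e.g. Free World Dialup) fall outside this format.
_PROPER_CID = re.compile(r"^(?:\d{10}|\d{7})$")


def is_proper_cid(cid):
    """True if cid looks like a PSTN Caller-ID (assumed 7 or 10 digits)."""
    return cid is not None and bool(_PROPER_CID.fullmatch(cid))


def forward_cid_vulnerable(caller_id, ani, virtual_number, destination):
    """Behaviour the advisory describes: an improperly formatted Caller-ID is
    'corrected' by substituting the destination number itself, so the callee
    sees its own number calling. ANI and the virtual number are ignored."""
    if not is_proper_cid(caller_id):
        return destination
    return caller_id


def forward_cid_fixed(caller_id, ani, virtual_number, destination):
    """Behaviour the Solution section asks for: fall back to the ANI when it
    is usable, otherwise display the customer's own toll-free virtual number.
    The destination number is never used as the displayed Caller-ID."""
    if is_proper_cid(caller_id):
        return caller_id
    if is_proper_cid(ani):
        return ani
    return virtual_number


def voicemail_auto_login(displayed_cid, subscriber_number):
    """Assumed downstream policy (the weakness class TSA-051 is cited for): a
    mailbox that grants access without a PIN when the displayed Caller-ID
    equals the subscriber's own number."""
    return displayed_cid == subscriber_number


def simulate(chooser, caller_id, ani, virtual_number, destination):
    """Run one inbound call through the given forwarding policy and report
    what the callee sees and whether its voicemail would auto-authenticate."""
    shown = chooser(caller_id, ani, virtual_number, destination)
    return {
        "displayed_cid": shown,
        "voicemail_unlocked": voicemail_auto_login(shown, destination),
    }


# Constructed sample call (not from the advisory): an attacker dials the
# customer's 877 virtual number from a SIP account whose id is six digits,
# with no usable ANI; the customer forwards the 877 number to a mobile phone.
SAMPLE = dict(
    caller_id="123456",
    ani=None,
    virtual_number="8775550100",
    destination="2065550199",
)

if __name__ == "__main__":
    for name, chooser in (("vulnerable", forward_cid_vulnerable),
                          ("fixed", forward_cid_fixed)):
        print(name, simulate(chooser, **SAMPLE))
```

With the vulnerable policy the callee's phone displays its own number
(2065550199) and the modelled mailbox opens; with the fixed policy it
displays the customer's 877 number and the mailbox stays closed. The check a
practitioner wants is the last one: whatever fallback is chosen, the
displayed Caller-ID must be a number the forwarding service can vouch for,
never one derived from the call's destination.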