lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <EF4C65F18BE6464B8E9DF3C212B6B2930795D872@cof110avexu1.global.avaya.com>
Date: Fri, 8 Jul 2005 17:23:41 -0600
From: "Walton, John Michael (John)" <jmwalton@...ya.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages


All-

The Avaya Product Security Support Team (PSST) has been alerted to the
"Weakness in processing SIP-Notify-Messages" advisory.  We are in the
process of investigating whether any Avaya SIP-enabled or H.323-enabled
devices are affected by these issues.  In addition, we are attempting to
work with Mark to duplicate and validate his testing of the Avaya H.323
IPSoftphone and Avaya 4620 hard phone.  Once our investigation is
complete we will update the list with our findings and, if necessary,
release an Avaya Security Advisory to address any outlined concerns. 

The Avaya Product Security Support Team (PSST) takes the security of
Avaya products seriously. We would like to develop a relationship with
our customers and the public to encourage them to forward
vulnerabilities to us. Please send information regarding any discovered
security problems with Avaya products to securityalerts[at]avaya.com. I,
or someone on the PSST, will work directly to validate the problem and
coordinate a response; including an acknowledgement for working with us
to help protect customers. 

Cheers,

John Walton, CISSP
Lead Security Engineer
Product Security Support Team (PSST)
Avaya, Inc.

-----Original Message-----
From: gary madsen [mailto:gmads.seclists@...il.com] 
Sent: Friday, July 08, 2005 7:55 AM
To: bugtraq@...urityfocus.com
Subject: Fwd: [VOIPSEC] VoIP-Phones: Weakness in proccessing
SIP-Notify-Messages

FYI

---------- Forwarded message ----------
From: Mark Teicher <mht3@...thlink.net>
Date: Jul 7, 2005 7:06 PM
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in proccessing
SIP-Notify-Messages
To: Tobias Glemser <tglemser@...e-consulting.com>
Cc: voipsec@...psa.org


Interesting results when executed against the Avaya Softphone and
Avaya 4620.  The Avaya Softphone throws an exception msg handler
window and the application process handler becomes unresponsive  :)

At 03:16 AM 7/7/2005, Tobias Glemser wrote:
>                   Tele-Consulting GmbH
>             security | networking | training
>
>                 advisory 05/07/06
>
>URL of this advisory:
>http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt
>
>
>Topic:
>     Weakness in implemenation of proccessing SIP-Notify-Messages
>     in VoIP-Phones.
>
>Summary:
>     Due to ignoring the value of 'Call-ID' and even 'tag' and
>     'branch' while processing NOTIFY messages, VoIP-Hardphones
>     process spoofed status messages like "Messages-Waiting".
>
>     According to RFC 3265, Chap 3.2 every NOTIFY has to be em-
>     bedded in a subcription mechanism. If there ain't knowledge
>     of a subscription, the UAC has to respond with a "481
>     Subscription does not exist" message.
>
>     All tested phones processed the "Messages-Waiting" messages
>     without prior subscriptions anywhere.
>
>Effect:
>     An attacker could send "Messages-Waiting: yes" messages to
>     all phones in a SIP-environment. Almost every phone proccesses
>     this status message and shows the user an icon or a blinking
>     display to indicate that new messages are available on the
>     voice box.
>
>     If the attacker sends this message to many recipients in a
>     huge environment, it would lead to server peaks as many users
>     will call the voice box at the same time.
>     Because there are no new voice messages as indicated by the
>     phone the users will call the support to fix this alleged server
>     problem.
>
>     All tested phones process the message with a resetted Call-ID,
>     'branch' and 'tag' sent by a spoofed IP-Adress.
>
>Example:
>     Attacker spoofs the SIP-Proxys IP, here: 10.1.1.1
>     Victim 10.1.1.2
>
>     UDP-Message from Attacker to Victim
>
>     Session Initiation Protocol
>          Request-Line: NOTIFY sip:login@...1.1.2 SIP/2.0
>          Message Header
>              Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
>              From: "asterisk" <sip:asterisk@...1.1.1>;tag=000000000
>              To: <sip:login@...1.1.2>
>               Contact: <sip:asterisk@...1.1.1>
>               Call-ID: 00000000000000@...1.1.1
>              CSeq: 102 NOTIFY
>                  User-Agent: Asterisk PBX
>               Event: message-summary
>               Content-Type: application/simple-message-summary
>               Content-Length: 37
>          Message body
>               Messages-Waiting: yes\n
>               Voicemail: 3/2\n
>
>Solution:
>     Phones who receive a NOTIFY message to which no subscription
>     exists, must send a "481 Subscription does not exist" response.
>     It should be possible to use the REGISTER request as a
>     non-SUBSCRIBE mechanism to set up a valid subscription.
>
>     This would reduce the possibility of an attack in a way, that
>     only with a sniffed and spoofed subcription such an attack would
>     be possible. Background is given by the way dialogs are des-
>     cribed in RFC 3261 and the sections 5.5 and 3.2 of RFC 3265.
>
>
>Affected products:
>     Cisco 7940/7960
>     Grandstream BT 100
>     others will be tested in future
>
>
>--
>Tobias Glemser
>
>
>TTTTTTT CCCC
>   TT   C  tglemser@...e-consulting.com         +49 (0)7032/97580
(fon)
>   TT  C   pentest.tele-consulting.com          +49 (0)7032/74750
(fax)
>   TT  C
>   TT   C  Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
>   TT    CCCC             security | networking | training
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec@...psa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


_______________________________________________
Voipsec mailing list
Voipsec@...psa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ