[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1663475743.20071015233047@SECURITY.NNOV.RU>
Date: Mon, 15 Oct 2007 23:30:47 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Radu State" <State@...ia.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: CallManager and OpeSer toll fraud and
authentication forward attack
Dear Radu State,
As far as I understood the issue, it requires active Man-in-the-Middle
attack. Digest authentication, like any authentication without traffic
encryption or traffic signing, doesn't protect against active M-i-t-M,
because active M-i-t-M can always force client to use basic
authentication or to hijack the session after authentication is
finished. This is, no doubt, security issue, but it's scope is limited
to configurations, where client is configured to do not allow cleartext
authentication or where attacker can sniff traffic, but can not spoof
server reply.
--Friday, October 12, 2007, 8:54:18 PM, you wrote to full-disclosure@...ts.grok.org.uk:
RS> MADYNES Security Advisory : SIP toll fraud and authentication forward attack
RS> Date of Discovery 5 May, 2007
RS> Vendor1 (Cisco) was informed on 22 May 2007
RS> Vendor 2 (OpenSer, voice-systems) was informed in 4 th October 2007
RS> ID: KIPH11
RS> Affected products
RS> CallManager:
RS> System version: 5.1.1.3000-5
RS> Administration version: 1.1.0.0-1
RS> OpenSer
RS> SVN version until the 4 th October 2007
RS> Version 1.2.2
RS> Summary
RS> The tested systems do not associate a Digest authentication to a dialog
RS> which allows any user who can sniff the traffic to make its own calls on
RS> behalf of the the sniffed device.
RS> Synopsis
RS> The tested implementations do not allow to check if the provided URI in
RS> the Digest authentication header is the same as the REQUEST-URI of the
RS> message, which allows an attacker to call any other extension. This is not
RS> a simple replay attack.
RS> They do not allowed to generate one-time nonces. These issues will allow a
RS> malicious user able to sniff a Digest authentication from a regular user,
RS> to call (by spoofing data) any extension on behalf of the user; as long as
RS> the nonce does not expire.
RS> The first vendor (Cisco) was informed in May 2007 and acknowledged the
RS> vulnerability. The second vendor (OpenSer, voice-systems) was informed in
RS> October 2007 and fixed the vulnerabity on the same day.
RS> This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
RS> vulnerabilities published where advanced state tracking is required.
RS> Background
RS> * SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
RS> signalization. SIP is an ASCII based INVITE message is used to initiate and
RS> maintain a communication session.
RS> Impact :
RS> A malicious user perform toll fraud and call ID spoofing.
RS> Resolution
RS> OpenSer fixed the issue on the 4 th October.
RS> The devel branch was enhanced to export a variable $adu which refer to this
RS> field. It is easy now to check in config file whether it is equal or not
RS> with r-uri:
RS> if($adu != $ru)
RS> {
RS> # digest uri and request uri are different
RS> }
RS> Credits
RS> * Humberto J. Abdelnur (Ph.D Student)
RS> * Radu State (Ph.D)
RS> * Olivier Festor (Ph.D)
RS> This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIF
RS> POC: PoC code is available on request
--
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них поверили. (Твен)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists