lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1663475743.20071015233047@SECURITY.NNOV.RU>
Date: Mon, 15 Oct 2007 23:30:47 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Radu State" <State@...ia.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: CallManager and OpeSer toll fraud and
	authentication forward attack

Dear Radu State,

 As  far as I understood the issue, it requires active Man-in-the-Middle
 attack.  Digest authentication, like any authentication without traffic
 encryption  or traffic signing, doesn't protect against active M-i-t-M,
 because   active   M-i-t-M   can  always  force  client  to  use  basic
 authentication  or  to  hijack  the  session  after  authentication  is
 finished.  This is, no doubt, security issue, but it's scope is limited
 to configurations, where client is configured to do not allow cleartext
 authentication  or  where attacker can sniff traffic, but can not spoof
 server reply.

--Friday, October 12, 2007, 8:54:18 PM, you wrote to full-disclosure@...ts.grok.org.uk:

RS> MADYNES Security Advisory : SIP toll fraud and authentication forward attack

RS> Date of Discovery 5  May, 2007

RS> Vendor1 (Cisco) was informed on 22 May 2007

RS> Vendor 2 (OpenSer,  voice-systems) was informed in 4 th October 2007

RS> ID: KIPH11 

RS> Affected products

 

RS> CallManager:

RS> System version: 5.1.1.3000-5 

RS> Administration version: 1.1.0.0-1

 

RS> OpenSer

 

RS> SVN version until the 4 th October 2007

RS> Version 1.2.2

 

 

RS> Summary 

 

 

RS> The tested systems do not associate a Digest authentication to a dialog
RS> which allows any user who can sniff the traffic to make its own calls on
RS> behalf of the the sniffed device. 


RS> Synopsis

RS> The tested implementations do not allow to check if the provided URI in
RS> the Digest authentication header is the same as the REQUEST-URI of  the
RS> message, which  allows an attacker to call any other extension. This is not
RS> a simple replay attack.

RS> They do not allowed to generate one-time nonces.   These issues will allow a
RS> malicious user able to sniff a Digest  authentication from a regular user,
RS> to call (by spoofing data) any  extension on behalf of the user; as long as
RS> the nonce does not expire.

RS> The first vendor   (Cisco) was informed  in May 2007 and acknowledged the
RS> vulnerability. The second vendor (OpenSer, voice-systems) was informed in
RS> October 2007 and fixed the vulnerabity on the same day.

RS>  This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
RS> vulnerabilities published where advanced state tracking is required.

RS> Background 

RS> *	SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
RS> signalization. SIP is an ASCII based INVITE message is used to initiate and
RS> maintain a communication session. 



RS> Impact :


RS> A malicious user perform toll fraud and call ID spoofing.


RS> Resolution



RS> OpenSer fixed the issue on the 4 th October.  

 

RS> The devel branch was enhanced to export a variable $adu which refer to this
RS> field. It is easy now to check in config file whether it is equal or not
RS> with r-uri:

 

RS> if($adu != $ru)

RS> {

RS> # digest uri and request uri are different 

RS> }

 


RS> Credits

RS> *	Humberto J. Abdelnur (Ph.D Student) 
RS> *	Radu State (Ph.D) 
RS> *	Olivier Festor (Ph.D) 


RS> This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIF

 

RS> POC: PoC code is available on request

 

 

 



-- 
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них поверили. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ