lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 15 Oct 2007 21:50:27 +0200
From: "Radu State" <State@...ia.fr>
To: "'3APA3A'" <3APA3A@...URITY.NNOV.RU>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: CallManager and OpeSer toll fraud and
	authentication forward attack



The problem in this case is that once you sniff the digest, it can be reused
forever. It does not expire on the server side, which is something that
should not happen. That is, an attacker can call forever, even though he
does not know the secret. 
The minor issue is that the digest is not checked to see if the new call is
destinated to another new destination.
A worst issue with this described vulnerability is that an attacker can even
force a specific digest...
There is no need to perform active MIM. Passive works very fine. You just
need to get the digest exchanged between the two. 


Regards
RS

 


-----Original Message-----
From: 3APA3A [mailto:3APA3A@...URITY.NNOV.RU] 
Sent: Monday, October 15, 2007 9:31 PM
To: Radu State
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] CallManager and OpeSer toll fraud and
authentication forward attack

Dear Radu State,

 As  far as I understood the issue, it requires active Man-in-the-Middle
 attack.  Digest authentication, like any authentication without traffic
 encryption  or traffic signing, doesn't protect against active M-i-t-M,
 because   active   M-i-t-M   can  always  force  client  to  use  basic
 authentication  or  to  hijack  the  session  after  authentication  is
 finished.  This is, no doubt, security issue, but it's scope is limited
 to configurations, where client is configured to do not allow cleartext
 authentication  or  where attacker can sniff traffic, but can not spoof
 server reply.

--Friday, October 12, 2007, 8:54:18 PM, you wrote to
full-disclosure@...ts.grok.org.uk:

RS> MADYNES Security Advisory : SIP toll fraud and authentication forward
attack

RS> Date of Discovery 5  May, 2007

RS> Vendor1 (Cisco) was informed on 22 May 2007

RS> Vendor 2 (OpenSer,  voice-systems) was informed in 4 th October 2007

RS> ID: KIPH11 

RS> Affected products

 

RS> CallManager:

RS> System version: 5.1.1.3000-5 

RS> Administration version: 1.1.0.0-1

 

RS> OpenSer

 

RS> SVN version until the 4 th October 2007

RS> Version 1.2.2

 

 

RS> Summary 

 

 

RS> The tested systems do not associate a Digest authentication to a dialog
RS> which allows any user who can sniff the traffic to make its own calls on
RS> behalf of the the sniffed device. 


RS> Synopsis

RS> The tested implementations do not allow to check if the provided URI in
RS> the Digest authentication header is the same as the REQUEST-URI of  the
RS> message, which  allows an attacker to call any other extension. This is
not
RS> a simple replay attack.

RS> They do not allowed to generate one-time nonces.   These issues will
allow a
RS> malicious user able to sniff a Digest  authentication from a regular
user,
RS> to call (by spoofing data) any  extension on behalf of the user; as long
as
RS> the nonce does not expire.

RS> The first vendor   (Cisco) was informed  in May 2007 and acknowledged
the
RS> vulnerability. The second vendor (OpenSer, voice-systems) was informed
in
RS> October 2007 and fixed the vulnerabity on the same day.

RS>  This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
RS> vulnerabilities published where advanced state tracking is required.

RS> Background 

RS> *	SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
RS> signalization. SIP is an ASCII based INVITE message is used to initiate
and
RS> maintain a communication session. 



RS> Impact :


RS> A malicious user perform toll fraud and call ID spoofing.


RS> Resolution



RS> OpenSer fixed the issue on the 4 th October.  

 

RS> The devel branch was enhanced to export a variable $adu which refer to
this
RS> field. It is easy now to check in config file whether it is equal or not
RS> with r-uri:

 

RS> if($adu != $ru)

RS> {

RS> # digest uri and request uri are different 

RS> }

 


RS> Credits

RS> *	Humberto J. Abdelnur (Ph.D Student) 
RS> *	Radu State (Ph.D) 
RS> *	Olivier Festor (Ph.D) 


RS> This vulnerability was identified by the Madynes research team at INRIA
RS> Lorraine, using the Madynes VoIP fuzzer KIF

 

RS> POC: PoC code is available on request

 

 

 



-- 
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
поверили. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ