首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PhonerLite 2.14 SIP Soft Phone - SIP Digest Disclosure
来源:vfocus.net 作者:Ostrom 发布时间:2014-04-02  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
  
I. Advisory Summary
  
Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft Phone
Date Published: March 30, 2014
Vendors contacted: Heiko Sommerfeldt, PhonerLite author
Discovered by: Jason Ostrom
Severity: Medium
  
II. Vulnerability Scoring Metrics
  
CVE Reference: CVE-2014-2560
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Component(s): PhonerLite SIP Soft Phone
Class: Information Disclosure
  
III. Introduction
  
PhonerLite [1] is a freeware SIP soft phone client running on the Windows
platform and supporting common VoIP features as well as security
functionality such as SIP TLS, SRTP, and ZRTP.
  
[1] http://www.phonerlite.de
  
IV. Vulnerability Description
  
PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5
digest authenticated user credential hash via spoofed SIP INVITE message
sent by a malicious 3rd party. After responding back to an authentication
challenge to the BYE message, PhonerLite leaks the hashed MD5 digest
credentials. After the 3rd party receives the dumped MD5 hash, they can use
this information to mount an offline wordlist attack. This SIP protocol
implementation issue vulnerability was initially discovered by Sandro Gauci
of Enable Security [2], with vendor soft phones and handsets showing
differential success in mitigating this flaw. CVE-IDs have been reserved
for two previous SIP soft phone implementations [3, 4] that were tested as
vulnerable.
  
[2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf
[3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139
[4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140
  
V. Technical Description / Proof of Concept Code
  
The following steps can be carried out in duplicating this vulnerability.
  
Step 1:
Use SIPp protocol tester to craft a SIP INVITE message using TCP transport
and forward the SIP message towards the IP address of the Windows PhonerLite
soft phone, listening on TCP port 5060
Step 2:
PhonerLite user answers call
Step 3:
PhonerLite user hangs up call, since there is no one talking (it is like
dead air)
Step 4:
Attacker receives BYE message from PhonerLite. Immediately after receiving
BYE, attacker sends a 401 challenge SIP message
Step 5:
PhonerLite responds with a second BYE message, containing SIP Authorization
header (which contains MD5 hash / response)
Step 6:
Attacker mounts an offline wordlist attack against the dumped MD5 hash using
sipdump/sipcrack
  
Additional Notes:
* The vulnerability verification was tested as a malicious 3rd party using
Kali Linux [5] distribution, with all tools included in distro.
* The attacker does not need to know the correct username of PhonerLite
registered SIP user. The attacker only needs to find the IP address of a
PhonerLite endpoint listening on TCP port 5060.
* The attacker does not need to know the digest realm field. A null realm
string of "NULL" or "null" will be sufficient in exploiting the flaw.
* Verified that PhonerLite is not vulnerable to this security flaw when
attacker uses UDP transport instead of TCP
  
[5] http://kali.org
  
VIII. Vendor Information, Solutions, and Workarounds
  
This issue is fixed in PhonerLite version 2.15
  
Resolution is the following, as specified by the author: A SIP UAC (User
Agent Client) should not send a 401 or 407. In other words, only a UAS
(User Agent Server) should send a 401 or 407 challenge. Therefore, a
401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd
party UAC.
  
IX. Credits
  
This vulnerability has been discovered by:
Jason Ostrom of Stora
  
XX. Vulnerability History
  
Sun, 2/16/14: Vulnerability discovered
Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at
phoner.de
Thu, 3/13/14: Notified by author that Beta version has been uploaded, which
should fix problem. Attempted to verify with security testing of Beta 2.15.
Verified that issue has been resolved.
Sun, 3/30/14: Notified by author that fixed version (2.15) has been
uploaded
Sun, 3/30/14: Vulnerability disclosure posted
  
XXI. Disclaimer
  
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Stora accepts no
responsibility for any damage caused by the use or misuse of this
information.
  
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: us-ascii
  
wsBVAwUBUzl9EWRzm/FWea0uAQjX8gf/Ts6IWfPbMFeir5PxDrvQ2VWBNCESgODN
GgJQZaj6339ZxIMFC6IYoD4Uvx223igSB+OyYHLmGZOnQoES7Ilj2Or5Afe71Cqe
ExqYe2fTaZeyruWTgmPA296W3EEoT+Cedeyy5k0+sxK4ahKZ2DQgM/WIDDHU3X/B
nAJZWob+r2f2tQr+OBhy7saMEix9QMNeAEZCa+JJ8az9gxe6+AU9kdmwj9hPy+qc
ZDODMOSyvYojfuvE0oy0AyZ1OBWVpI9lSCI6wmUT6ihOpruz3OKQT+e1HyFoBvmX
aafzW7VlbxgS3EQRC25EWj61BYVIy7OpIFfOzymyBnL/qb0PTBmiDA==
=rmxn
-----END PGP SIGNATURE-----

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AudioCoder 0.8.29 - Memory Cor
·Kyocera FS5250 Cross Site Scri
·Fitnesse Wiki Remote Command E
·Linksys E-Series TheMoon Remot
·SePortal 2.5 SQL Injection / R
·JIRA Issues Collector Director
·ibstat $PATH Privilege Escalat
·IBM Tealeaf CX 8.8 - Remote OS
·MA Lighting Technology grandMA
·VirusChaser 8.0 - Stack Buffer
·Google Voice Private/Unknown N
·Couchdb 1.5.0 - uuids DoS Expl
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved