[VOIPSEC] VoIP-Phones: Weakness in processing SIP-Notify-Messages

Tobias Glemser tglemser at tele-consulting.com
Thu Jul 7 02:16:00 CDT 2005


                   Tele-Consulting GmbH
             security | networking | training

                 advisory 05/07/06

URL of this advisory:
http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt


Topic:
     Weakness in the implementation of SIP NOTIFY message processing
     in VoIP phones.

Summary:
     Because the value of 'Call-ID' and even the 'tag' and 'branch'
     parameters are ignored while processing NOTIFY messages, VoIP
     hardphones accept spoofed status messages such as
     "Messages-Waiting".

     According to RFC 3265, chapter 3.2, every NOTIFY has to be
     embedded in a subscription mechanism. If the subscriber has no
     knowledge of a matching subscription, it has to respond with a
     "481 Subscription does not exist" message.

     All tested phones processed the "Messages-Waiting" messages
     without any prior subscription.

Effect:
     An attacker could send "Messages-Waiting: yes" messages to
     all phones in a SIP environment. Almost every phone processes
     this status message and shows the user an icon or a blinking
     display to indicate that new messages are available on the
     voice box.

     If the attacker sends this message to many recipients in a
     large environment, it would lead to server load peaks, as many
     users will call the voice box at the same time. Because there
     are no new voice messages, contrary to what the phone indicates,
     the users will then call support to fix this alleged server
     problem.

     All tested phones processed a message with reset (all-zero)
     Call-ID, 'branch' and 'tag' values, sent from a spoofed
     IP address.

Example:
     Attacker spoofs the SIP proxy's IP, here: 10.1.1.1
     Victim: 10.1.1.2

     UDP message from attacker to victim

     Session Initiation Protocol
          Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
          Message Header
               Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
               From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
               To: <sip:login@10.1.1.2>
               Contact: <sip:asterisk@10.1.1.1>
               Call-ID: 00000000000000@10.1.1.1
               CSeq: 102 NOTIFY
               User-Agent: Asterisk PBX
               Event: message-summary
               Content-Type: application/simple-message-summary
               Content-Length: 37
          Message body
               Messages-Waiting: yes\n
               Voicemail: 3/2\n

Solution:
     Phones that receive a NOTIFY message for which no subscription
     exists must send a "481 Subscription does not exist" response.
     It should be possible to use the REGISTER request as a
     non-SUBSCRIBE mechanism to set up a valid subscription.

     This would reduce the attack surface such that an attack would
     only be possible with a sniffed and spoofed subscription. The
     background is the way dialogs are described in RFC 3261 and in
     sections 5.5 and 3.2 of RFC 3265.
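The check described in the Solution section, applied to the NOTIFY from the Example section, as an added example (this is not code from the advisory or from any phone vendor's firmware). It keys a phone's subscription table on the dialog identifiers of RFC 3261 (Call-ID plus both tags) and the event package of RFC 3265, and answers 481 to any NOTIFY that does not match. The subscription table and the "legitimate" NOTIFY are constructed for illustration; the spoofed NOTIFY is the advisory's own example with the archive's "at" restored to "@".

```python
"""Added example, not part of the advisory: the subscription lookup a phone
should perform on every incoming NOTIFY before acting on its body."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SubscriptionKey:
    """Identifies a subscription at the phone: the dialog (Call-ID and both
    tags, RFC 3261) plus the event package (RFC 3265)."""
    call_id: str
    notifier_tag: str    # remote tag: From-tag of a NOTIFY arriving at the phone
    subscriber_tag: str  # local tag: To-tag of that NOTIFY, i.e. the phone's own tag
    event: str


def parse_sip_request(raw: str) -> tuple[str, dict[str, list[str]], str]:
    """Split a SIP request into (method, headers, body). Header names are
    lower-cased; repeated headers (e.g. several Via) are kept in order."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, body


def tag_param(value: str) -> str:
    """Return the 'tag' parameter of a From/To header value, or '' if absent.
    Header parameters follow the closing '>' when an addr-spec is bracketed."""
    addr_end = value.rfind(">")
    params = value[addr_end + 1:] if addr_end >= 0 else value
    for part in params.split(";"):
        name, _, val = part.partition("=")
        if name.strip().lower() == "tag":
            return val.strip()
    return ""


def first(headers: dict[str, list[str]], name: str) -> str:
    return headers.get(name, [""])[0]


def handle_notify(raw: str, subscriptions: set[SubscriptionKey]) -> tuple[int, str]:
    """Decide the phone's response. Per RFC 3265 section 3.2 a NOTIFY that
    matches no established subscription gets 481 and its body is ignored;
    only a match may drive the message-waiting indicator."""
    method, headers, _body = parse_sip_request(raw)
    if method != "NOTIFY":
        return 405, "Method Not Allowed"
    key = SubscriptionKey(
        call_id=first(headers, "call-id"),
        notifier_tag=tag_param(first(headers, "from")),
        subscriber_tag=tag_param(first(headers, "to")),
        event=first(headers, "event").split(";", 1)[0].strip(),
    )
    if key not in subscriptions:
        return 481, "Subscription does not exist"
    return 200, "OK"


# Constructed: the one message-summary subscription this phone really set up.
KNOWN_SUBSCRIPTIONS = {
    SubscriptionKey("a84b4c76e66710@10.1.1.2", "9fxced76sl", "1928301774", "message-summary"),
}

# The advisory's spoofed NOTIFY (all-zero Call-ID, branch and tag).
SPOOFED_NOTIFY = (
    "NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000\r\n"
    'From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000\r\n'
    "To: <sip:login@10.1.1.2>\r\n"
    "Contact: <sip:asterisk@10.1.1.1>\r\n"
    "Call-ID: 00000000000000@10.1.1.1\r\n"
    "CSeq: 102 NOTIFY\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "Messages-Waiting: yes\nVoicemail: 3/2\n"
)

# Constructed: a NOTIFY inside the dialog the phone actually subscribed in.
LEGIT_NOTIFY = (
    "NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:asterisk@10.1.1.1>;tag=9fxced76sl\r\n"
    "To: <sip:login@10.1.1.2>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@10.1.1.2\r\n"
    "CSeq: 1 NOTIFY\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "Messages-Waiting: no\nVoicemail: 0/0\n"
)

if __name__ == "__main__":
    print("spoofed:", handle_notify(SPOOFED_NOTIFY, KNOWN_SUBSCRIPTIONS))
    print("legit:  ", handle_notify(LEGIT_NOTIFY, KNOWN_SUBSCRIPTIONS))
```

The advisory's message fails the lookup simply because the phone never created a dialog with an all-zero Call-ID and tag, so the "Messages-Waiting: yes" body never reaches the indicator. A NOTIFY that reuses the real dialog identifiers still passes, which is exactly the residual risk the Solution section names: this is a dialog check, not authentication of the notifier, and it raises the bar from blind spoofing to having sniffed the subscription first.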


Affected products:
     Cisco 7940/7960
     Grandstream BT 100
     others will be tested in the future


-- 
Tobias Glemser


TTTTTTT CCCC
   TT   C  tglemser at tele-consulting.com         +49 (0)7032/97580  (fon)
   TT  C   pentest.tele-consulting.com          +49 (0)7032/74750  (fax)
   TT  C
   TT   C  Tele-Consulting GmbH, Siedlerstrasse 22-24, 71126 Gaeufelden
   TT    CCCC             security | networking | training
