[VOIPSEC] maybe vulnerability at sjphone

Dan Wing dwing at fuggles.com
Fri Dec 14 13:13:02 CST 2007


Diana Cionoiu wrote:
> Hi Sharon,
> 
> But this doesn't really help since you can only do that if you are a man
> in the middle, and if you are a man in the middle you can
> replace the RTP anyway.
> Anyway this kind of behavior is normal because all those SIP fans
> believe that RTP should come from anywhere and it should go to anywhere.

That isn't the fault of SIP fans, but rather that is how RTP works.  For
example, section 8.2 of RFC3550 says:

    Therefore, if a source changes its source transport address, it MAY
    also choose a new SSRC identifier to avoid being interpreted as a
    looped source.  (This is not MUST because in some applications of RTP
    sources may be expected to change addresses during a session.)

There are other places in RFC3550 that say similar things about source
transport addresses changing.

...
>> I just did the following experiment: 
>> I did a regular SIP call between 2 SJPhones (latest release), let's say from IP A to IP B.
>>  
>> While in a call, I stopped sending RTP from B to A.
>> Then I started sending RTP from C to A (C is not known to A and was no part of the signaling at all...).
>>
>> As a result, A started to get and render the RTP stream from C

Ok.

>> and changed its RTP stream to C!!!

That last step is certainly defective.  I would bet it was done in an 
attempt to handle a NAT traversal case.

>> So without any difficulty I have stolen the stream from A to B....
>> (I guess this is a symmetric-RTP-like feature that is aimed to help the crossing of NATs)
>>  
>> Any comments?

Sounds like a bug to me.

-d



>>
>>  
>> Thanks,
>> Sharon
>>
>>
> 
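
The behavior discussed in this thread, modeled as an added example (not part of the original messages and not SJPhone code): a receiver that follows whatever source sent the last RTP packet, next to one that latches at most once for NAT and then locks its send destination. The class and field names are hypothetical, the addresses are constructed, and it assumes that a legitimate mid-call address change is announced through signaling.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (IP, UDP port)

@dataclass
class RtpLeg:
    signaled_peer: Addr             # remote media address from the SDP
    strict: bool = True             # False models the behavior reported above
    allow_nat_latch: bool = True    # assumption: one latch permitted for NAT
    send_to: Optional[Addr] = None  # where our outbound RTP goes
    locked: bool = False
    rejected: List[Addr] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.send_to = self.signaled_peer

    def on_rtp(self, src: Addr) -> bool:
        """Return True if a packet from src is rendered."""
        if not self.strict:
            # Reported behavior: render any source and redirect to it.
            self.send_to = src
            return True
        if not self.locked:
            # Before media is established, accept the signaled peer, or
            # latch once to the first source seen (peer behind a NAT).
            # The first packet wins; this sketch does not time-limit that.
            if src == self.signaled_peer or self.allow_nat_latch:
                self.send_to, self.locked = src, True
                return True
        elif src == self.send_to:
            return True
        # Unsignaled source: drop it, keep sending to the locked peer,
        # and record the address so it can be alerted on.
        self.rejected.append(src)
        return False

def replay(leg: RtpLeg, packets: List[Addr]) -> List[bool]:
    return [leg.on_rtp(p) for p in packets]

# Constructed trace as seen by A: two packets from B, then C takes over.
B: Addr = ("192.0.2.20", 40000)
C: Addr = ("203.0.113.66", 40000)
TRACE = [B, B, C, C]

if __name__ == "__main__":
    for strict in (False, True):
        leg = RtpLeg(signaled_peer=B, strict=strict)
        print(strict, replay(leg, TRACE), leg.send_to, leg.rejected)
```

With strict=False the outbound destination ends at C, as in the experiment; with strict=True it stays at B and both packets from C land in `rejected`.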




