Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires valid extension or no extension

Labels: , , , , , , , , ,

posted by sandro at 9:06 AM 0 Comments Links to this post

Friday, August 24, 2007

How to turn a Grandstream SIP phone into a remote bug

The "Institut National de Recherche en Informatique" has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - specially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discretely listen on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects "some SIP stack engines". The trick is to send a "183 Session Progress" SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with a example code in perl.

Meanwhile, all this wouldn't have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. Least that I can say is that this is very cool stuff.

Labels: , , , , ,

posted by sandro at 4:31 AM 0 Comments Links to this post