More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:

./svmap.py -m INVITE 192.168.1.4 -p5061

Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:

./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:

• WengoPhone **
  
• X-lite release 1011b
• SJPhone 1.65.377a
• Ekiga 2.0.11 (beta)
• Yate
• SIP Communicator

Some VoIP phones (hardware) were also tested and exhibit this behavior as well:

• GrandStream GXP 2000
• Grandstream BT100
• Aastra 480i
• Aastra 9133i
• Polycom IP330
• Cisco CP7940G*
• Lancom VP 100*
• Linksys SPA 921*

* Requires a valid extension
** Requires valid extension or no extension

XSS in Linksys SPA941

Cross Scripting in an IP Phone? Of course - it has an HTTP interface!

What's more is that the HTTP interface shows a call history. The call history page makes use of information gathered from the SIP messages themselves to display which numbers tried to call the phone.

This post on full-disclosure mailing list shows how this feature can be abused so that malformed SIP messages are able to inject html scripts in the web interface itself.

This is a reminder that when changing from one format or protocol to another, the underlying code needs to make sure that the data is properly escaped. In this case, the http server or underlying scripts need to escape the miss call entries for html characters.

MediaDefender Phone Call was over VoIP

If you're not familiar with the leak, this article on TorrentFreak talks about phonecalls between a New York attorney and MediaDefender which were leaked out.

Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".

There were different opinions on how this call was captured. One suggestion floating on the forums are that the VoIP call was recorded by one of the parties (MediaDefender or NY attorney) and put on a compromised server. Another idea is that that the call was sniffed by the attacker.

Which ever way this call was compromised, this show two things with regards to VoIP communications:

• Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet .. that assumption is very outdated.
  
• Encryption definitely has an important place in VoIP security. In this case, it would probably have helped
  

How to turn a Grandstream SIP phone into a remote bug

The "Institut National de Recherche en Informatique" has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - specially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discretely listen on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects "some SIP stack engines". The trick is to send a "183 Session Progress" SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with a example code in perl.

Meanwhile, all this wouldn't have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. Least that I can say is that this is very cool stuff.

Cisco IP Phone 7940 exploits

Is it just me, or is public exploit code for SIP devices and SIP software appearing more often? Published on milw0rm - two perl scripts which launch a DoS attack [1][2] on Cisco IP Phone 7940. The advisories[1][2] can be found on full disclosure.

These vulnerabilities seem to be related to sequence of certain SIP requests being sent to the IP phone. So how were these vulnerabilities found? The researchers were making use of their own fuzzer called Madynes VoIP fuzzer KIPH, which supports "state tracking".

SIP softphone buffer overflow demo

Someone was showing off a 0day exploit at Black Hat. The article is a bit sketchy and feels sensational, but it does show that various parties are concerned. Just like most other pieces of software, softphones will (and do) have security vulnerabilities lead to remote access.

Article can be found here.

Hardphones, on the other hand, are secure.. right? :-p