Tuesday, October 30, 2007

More on INVITEing phones to ring

This is a follow up on a previous post.

Apart from using a softphone, you can make use of svmap.py (part of SIPVicious tool suite) to reproduce the behavior:
./svmap.py -m INVITE 192.168.1.4 -p5061
Where 192.168.1.4 is the IP of the SIP phone and 5061 is the SIP port of the phone. For a ghost call effect, if you have a network with all SIP phones listening on port 5060, you can just run the following to get them to ring at the same time:
./svmap.py -m INVITE 192.168.1.1/24

Updated list of softphones tested and exhibiting this behavior:
  • WengoPhone **
  • X-lite release 1011b
  • SJPhone 1.65.377a
  • Ekiga 2.0.11 (beta)
  • Yate
  • SIP Communicator
Some VoIP phones (hardware) were also tested and exhibit this behavior as well:
  • GrandStream GXP 2000
  • Grandstream BT100
  • Aastra 480i
  • Aastra 9133i
  • Polycom IP330
  • Cisco CP7940G*
  • Lancom VP 100*
  • Linksys SPA 921*
* Requires a valid extension
** Requires valid extension or no extension

Labels: , , , , , , , , ,

posted by sandro at 9:06 AM 0 Comments Links to this post

how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in previous blog post.

You may check out the story here.

Labels: , , , , , , ,

posted by sandro at 8:40 AM 0 Comments Links to this post

Sunday, October 28, 2007

Server impersonation and SIP

Was reading Sipera's latest advisories. The server impersonation advisory caught my eye mostly because we've seen something similar to this over here during testing. We hadn't published this information until now .. so here goes.

A good number of SIP softphones, and we would assume VoIP phones (hardware), will ring upon receiving an INVITE request. Three months ago we worked on 3 stories, two of which describe protagonists abusing this behavior and are still unpublished. I'm working on getting these two stories published soon.

As hinted by the Sipera advisory, this behavior has a few implications; major ones being that it can be abused for spamming and social engineering attacks.

These are the softphones that were found to display this behavior:
  • X-lite release 1011b
  • Ekiga 2.0.11 (beta)
  • SJPhone 1.65.377a
Also quickly tested Gizmo project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof packet source ip etc.

How do you test for this?
Use your favorite SIP phone to call an address like sip:whatever@192.168.1.1:5060, where 192.168.1.1 is the destination IP of the SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (that I'll try to publish tomorrow), the attacker makes use of X-lite. If making use of X-lite, select the option "target domain" in the "Send outbound via:" config.

If you have any results please post a comment or send me an email.

Labels: , , , , , , ,

posted by sandro at 11:54 AM 0 Comments Links to this post