All posts tagged ‘remotely eavesdrop’


Eavesdropping vulnerability in SIP stacks with the code

Source: snapvoip.blogspot.com

An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.

While playing with the SIP Madynes stateful fuzzer (for a description see http://hal.inria.fr/inria-00166947/en), we have realized that some SIP stack engines have serious bugs allowing an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone off the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed. One example that we can disclose (vendor was notified on 10th May 2007) is the following: Grandstream SIP Phone GXV-3000

MADYNES Security Advisory: SIP remote attack on Grandstream SIP Phone GXV-3000

Date of Discovery: 7th May, 2007

ID: KIPH7

Background

SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP signaling. SIP is ASCII based; an INVITE message is used to initiate and maintain a communication session.

Affected devices: Grandstream SIP Phone GXV-3000 with latest available firmware 1.0.1.7, Loader 1.0.0.6, Boot 1.0.0.18

Impact: A malicious user can remotely eavesdrop (from a remote location) and perform a DoS on a remote phone.

Resolution: Fixed software will be available from the vendor, and customers following recommended best practices (i.e. segregating VoIP traffic from data) will be protected from malicious traffic in most situations.

The vulnerability is based on a sequence of two messages, where both messages are syntactically correct, but together they put the device in an inconsistent state, where the RTP is now sent to the attacker.

ougui at 152.81.48.94:5060    is the attacker
1005 at 152.81.48.88:5060     the attacked phone

            X ------ INVITE ------------------> GXV-3000
            X <----- 100 Trying --------------- GXV-3000
            X <----- 180 Ringing -------------- GXV-3000
            X ------ 183 Session Progress ----> GXV-3000
            X <----- RTP - FLOW --------------- GXV-3000

After these messages the device is not able to hang up, so a remote DoS can also be done.

Credits:
* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)

Exploit Code :
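The advisory describes two attacker-sent messages (the INVITE and a 183 Session Progress), with the 100 Trying and 180 Ringing being the phone's own provisional responses and the RTP then flowing from the phone to the attacker. The check below is an added example, not the advisory's exploit code (which is not on this page) and not Grandstream's firmware: a minimal SIP parser plus a per-transaction role tracker that a SIP stack, or a SIP-aware sensor in front of the phones, can use to refuse the second message. Having received the INVITE, the phone is the UAS for that transaction and may only send responses for it, so a response arriving from the network for the same transaction (matched on Via branch, Call-ID and CSeq, as in RFC 3261 section 17.1.3) is dropped instead of being allowed to mark the call connected and start RTP. All messages, branch values, tags and the Call-ID are constructed for the demo; only the two addresses come from the advisory.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SipMessage:
    is_request: bool
    method: str      # request method; for a response, the method from CSeq
    status: int      # 3-digit status code, 0 for requests
    headers: dict    # lower-cased header name -> value


def parse_sip(raw: str) -> SipMessage:
    """Split a SIP datagram into start line and headers (body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq_parts = headers.get("cseq", "").split()
    cseq_method = cseq_parts[-1] if cseq_parts else ""
    m = re.match(r"SIP/2\.0 (\d{3}) ", start)
    if m:
        return SipMessage(False, cseq_method, int(m.group(1)), headers)
    return SipMessage(True, start.split()[0], 0, headers)


def transaction_key(msg: SipMessage) -> tuple:
    """Transaction identity: Call-ID, CSeq and the top Via branch."""
    branch = re.search(r"branch=([^;\s]+)", msg.headers.get("via", ""))
    return (msg.headers.get("call-id", ""), msg.headers.get("cseq", ""),
            branch.group(1) if branch else "")


@dataclass
class Endpoint:
    """Tracks which side (UAC or UAS) this endpoint is on for each transaction."""
    role: dict = field(default_factory=dict)   # transaction_key -> "UAC" | "UAS"

    def on_sent(self, msg: SipMessage) -> None:
        if msg.is_request:
            self.role[transaction_key(msg)] = "UAC"

    def on_received(self, msg: SipMessage) -> str:
        key = transaction_key(msg)
        if msg.is_request:
            self.role[key] = "UAS"
            return "accept"
        # A response is only meaningful for a transaction we started as UAC.
        role = self.role.get(key)
        if role == "UAC":
            return "accept"
        if role == "UAS":
            return f"drop {msg.status}: we are the UAS of this transaction"
        return f"drop {msg.status}: unknown transaction"


def process(trace) -> list:
    """Feed ("in"/"out", raw) pairs to one endpoint; return verdicts for inbound messages."""
    ep = Endpoint()
    verdicts = []
    for direction, raw in trace:
        msg = parse_sip(raw)
        if direction == "out":
            ep.on_sent(msg)
        else:
            verdicts.append(ep.on_received(msg))
    return verdicts


def sip(start_line: str, via_host: str, branch: str, cseq: str) -> str:
    """Build a minimal SIP message; constructed sample, only the addresses are the advisory's."""
    return "\r\n".join([
        start_line,
        f"Via: SIP/2.0/UDP {via_host}:5060;branch={branch}",
        "From: <sip:ougui@152.81.48.94>;tag=a1",        # hypothetical tag
        "To: <sip:1005@152.81.48.88>",
        "Call-ID: demo-call-1@152.81.48.94",            # hypothetical Call-ID
        f"CSeq: {cseq}",
        "Content-Length: 0",
    ]) + "\r\n\r\n"


# Seen from the phone (1005): the advisory's sequence, where the 183 comes from the attacker.
ATTACK_TRACE = [
    ("in",  sip("INVITE sip:1005@152.81.48.88 SIP/2.0", "152.81.48.94", "z9hG4bK-atk1", "1 INVITE")),
    ("out", sip("SIP/2.0 100 Trying", "152.81.48.94", "z9hG4bK-atk1", "1 INVITE")),
    ("out", sip("SIP/2.0 180 Ringing", "152.81.48.94", "z9hG4bK-atk1", "1 INVITE")),
    ("in",  sip("SIP/2.0 183 Session Progress", "152.81.48.94", "z9hG4bK-atk1", "1 INVITE")),
]

# A normal outbound call: the phone is the UAC, so a 183 from the callee is legitimate.
NORMAL_TRACE = [
    ("out", sip("INVITE sip:ougui@152.81.48.94 SIP/2.0", "152.81.48.88", "z9hG4bK-out1", "2 INVITE")),
    ("in",  sip("SIP/2.0 183 Session Progress", "152.81.48.88", "z9hG4bK-out1", "2 INVITE")),
]

if __name__ == "__main__":
    print(process(ATTACK_TRACE))   # ['accept', 'drop 183: we are the UAS of this transaction']
    print(process(NORMAL_TRACE))   # ['accept']
```

The same role table is what makes the DoS half of the advisory detectable: once the INVITE transaction has been recorded as UAS, no inbound 1xx/2xx for it can advance the call state, so there is no half-established dialog left that the user cannot hang up.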
