SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft Phone

2014.04.01
Risk: Low
Local: No
Remote: Yes
CWE: CWE-916


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

I. Advisory Summary Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft Phone Date Published: March 30, 2014 Vendors contacted: Heiko Sommerfeldt, PhonerLite author Discovered by: Jason Ostrom Severity: Medium II. Vulnerability Scoring Metrics CVE Reference: CVE-2014-2560 CVSS v2 Base Score: 4.3 CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) Component(s): PhonerLite SIP Soft Phone Class: Information Disclosure III. Introduction PhonerLite [1] is a freeware SIP soft phone client running on the Windows platform and supporting common VoIP features as well as security functionality such as SIP TLS, SRTP, and ZRTP. [1] http://www.phonerlite.de IV. Vulnerability Description PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5 digest authenticated user credential hash via spoofed SIP INVITE message sent by a malicious 3rd party. After responding back to an authentication challenge to the BYE message, PhonerLite leaks the hashed MD5 digest credentials. After the 3rd party receives the dumped MD5 hash, they can use this information to mount an offline wordlist attack. This SIP protocol implementation issue vulnerability was initially discovered by Sandro Gauci of Enable Security [2], with vendor soft phones and handsets showing differential success in mitigating this flaw. CVE-IDs have been reserved for two previous SIP soft phone implementations [3, 4] that were tested as vulnerable. [2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf [3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139 [4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140 V. Technical Description / Proof of Concept Code The following steps can be carried out in duplicating this vulnerability. Step 1: Use SIPp protocol tester to craft a SIP INVITE message using TCP transport and forward the SIP message towards the IP address of the Windows PhonerLite soft phone, listening on TCP port 5060 Step 2: PhonerLite user answers call Step 3: PhonerLite user hangs up call, since there is no one talking (it is like dead air) Step 4: Attacker receives BYE message from PhonerLite. Immediately after receiving BYE, attacker sends a 401 challenge SIP message Step 5: PhonerLite responds with a second BYE message, containing SIP Authorization header (which contains MD5 hash / response) Step 6: Attacker mounts an offline wordlist attack against the dumped MD5 hash using sipdump/sipcrack Additional Notes: * The vulnerability verification was tested as a malicious 3rd party using Kali Linux [5] distribution, with all tools included in distro. * The attacker does not need to know the correct username of PhonerLite registered SIP user. The attacker only needs to find the IP address of a PhonerLite endpoint listening on TCP port 5060. * The attacker does not need to know the digest realm field. A null realm string of "NULL" or "null" will be sufficient in exploiting the flaw. * Verified that PhonerLite is not vulnerable to this security flaw when attacker uses UDP transport instead of TCP [5] http://kali.org VIII. Vendor Information, Solutions, and Workarounds This issue is fixed in PhonerLite version 2.15 Resolution is the following, as specified by the author: A SIP UAC (User Agent Client) should not send a 401 or 407. In other words, only a UAS (User Agent Server) should send a 401 or 407 challenge. Therefore, a 401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd party UAC. IX. Credits This vulnerability has been discovered by: Jason Ostrom of Stora XX. Vulnerability History Sun, 2/16/14: Vulnerability discovered Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at phoner.de Thu, 3/13/14: Notified by author that Beta version has been uploaded, which should fix problem. Attempted to verify with security testing of Beta 2.15. Verified that issue has been resolved. Sun, 3/30/14: Notified by author that fixed version (2.15) has been uploaded Sun, 3/30/14: Vulnerability disclosure posted XXI. Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Stora accepts no responsibility for any damage caused by the use or misuse of this information.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top