PhonerLite 2.14 SIP Soft Phone – SIP Digest Disclosure

  • 作者: Jason Ostrom
    日期: 2014-04-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/32643/
  • -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    I. Advisory Summary
    
    Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft Phone
    Date Published: March 30, 2014
    Vendors contacted: Heiko Sommerfeldt, PhonerLite author
    Discovered by: Jason Ostrom
    Severity: Medium
    
    II. Vulnerability Scoring Metrics
    
    CVE Reference: CVE-2014-2560
    CVSS v2 Base Score: 4.3
    CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Component(s): PhonerLite SIP Soft Phone
    Class: Information Disclosure
    
    III. Introduction
    
    PhonerLite [1] is a freeware SIP soft phone client running on the Windows
    platform and supporting common VoIP features as well as security
    functionality such as SIP TLS, SRTP, and ZRTP.
    
    [1] http://www.phonerlite.de
    
    IV. Vulnerability Description
    
    PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5
    digest authenticated user credential hash via spoofed SIP INVITE message
    sent by a malicious 3rd party. After responding back to an authentication
    challenge to the BYE message, PhonerLite leaks the hashed MD5 digest
    credentials. After the 3rd party receives the dumped MD5 hash, they can use
    this information to mount an offline wordlist attack. This SIP protocol
    implementation issue vulnerability was initially discovered by Sandro Gauci
    of Enable Security [2], with vendor soft phones and handsets showing
    differential success in mitigating this flaw. CVE-IDs have been reserved
    for two previous SIP soft phone implementations [3, 4] that were tested as
    vulnerable.
    
    [2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf
    [3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139
    [4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140
    
    V. Technical Description / Proof of Concept Code
    
    The following steps can be carried out in duplicating this vulnerability.
    
    Step 1:
    Use SIPp protocol tester to craft a SIP INVITE message using TCP transport
    and forward the SIP message towards the IP address of the Windows PhonerLite
    soft phone, listening on TCP port 5060
    Step 2:
    PhonerLite user answers call
    Step 3:
    PhonerLite user hangs up call, since there is no one talking (it is like
    dead air)
    Step 4:
    Attacker receives BYE message from PhonerLite. Immediately after receiving
    BYE, attacker sends a 401 challenge SIP message
    Step 5:
    PhonerLite responds with a second BYE message, containing SIP Authorization
    header (which contains MD5 hash / response)
    Step 6:
    Attacker mounts an offline wordlist attack against the dumped MD5 hash using
    sipdump/sipcrack
    
    Additional Notes:
    * The vulnerability verification was tested as a malicious 3rd party using
    Kali Linux [5] distribution, with all tools included in distro.
    * The attacker does not need to know the correct username of PhonerLite
    registered SIP user. The attacker only needs to find the IP address of a
    PhonerLite endpoint listening on TCP port 5060.
    * The attacker does not need to know the digest realm field. A null realm
    string of "NULL" or "null" will be sufficient in exploiting the flaw.
    * Verified that PhonerLite is not vulnerable to this security flaw when
    attacker uses UDP transport instead of TCP
    
    [5] http://kali.org
    
    VIII. Vendor Information, Solutions, and Workarounds
    
    This issue is fixed in PhonerLite version 2.15
    
    Resolution is the following, as specified by the author: A SIP UAC (User
    Agent Client) should not send a 401 or 407. In other words, only a UAS
    (User Agent Server) should send a 401 or 407 challenge. Therefore, a
    401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd
    party UAC.
    
    IX. Credits
    
    This vulnerability has been discovered by:
    Jason Ostrom of Stora
    
    XX. Vulnerability History
    
    Sun, 2/16/14: Vulnerability discovered
    Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at
    phoner.de
    Thu, 3/13/14: Notified by author that Beta version has been uploaded, which
    should fix problem. Attempted to verify with security testing of Beta 2.15.
    Verified that issue has been resolved.
    Sun, 3/30/14: Notified by author that fixed version (2.15) has been
    uploaded
    Sun, 3/30/14: Vulnerability disclosure posted
    
    XXI. Disclaimer
    
    The information contained within this advisory is supplied "as-is" with no
    warranties or guarantees of fitness of use or otherwise. Stora accepts no
    responsibility for any damage caused by the use or misuse of this
    information.
    
    -----BEGIN PGP SIGNATURE-----
    Version: Encryption Desktop 10.3.2 (Build 15238)
    Charset: us-ascii
    
    wsBVAwUBUzl9EWRzm/FWea0uAQjX8gf/Ts6IWfPbMFeir5PxDrvQ2VWBNCESgODN
    GgJQZaj6339ZxIMFC6IYoD4Uvx223igSB+OyYHLmGZOnQoES7Ilj2Or5Afe71Cqe
    ExqYe2fTaZeyruWTgmPA296W3EEoT+Cedeyy5k0+sxK4ahKZ2DQgM/WIDDHU3X/B
    nAJZWob+r2f2tQr+OBhy7saMEix9QMNeAEZCa+JJ8az9gxe6+AU9kdmwj9hPy+qc
    ZDODMOSyvYojfuvE0oy0AyZ1OBWVpI9lSCI6wmUT6ihOpruz3OKQT+e1HyFoBvmX
    aafzW7VlbxgS3EQRC25EWj61BYVIy7OpIFfOzymyBnL/qb0PTBmiDA==
    =rmxn
    -----END PGP SIGNATURE-----