<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceType"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:566767589;
        mso-list-template-ids:535710460;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:1640841892;
        mso-list-template-ids:-1691044848;}
@list l1:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>MADYNES Security Advisory : SIP
toll fraud and authentication forward attack<o:p></o:p></span></font></p>
<p><b><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:
12.0pt;font-weight:bold'>Date of Discovery 5 May</span></font></b><span
lang=EN-US>, 2007<o:p></o:p></span></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Vendor
1 (Cisco) was informed on 22 May 2007<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Vendor
2 (OpenSer, voice-systems) was informed on 4 October 2007<br>
<br>
<b><span style='font-weight:bold'>ID: </span></b>KIPH11 <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Affected
products<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>CallManager:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>System version:
5.1.1.3000-5 <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Administration
version: 1.1.0.0-1<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>OpenSer<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>SVN versions up to
4 October 2007<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Version 1.2.2<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Summary <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>The tested
systems do not bind a Digest authentication to the dialog it was issued for,
which allows any user who can sniff the traffic to make their own calls on
behalf of the sniffed device. <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'><br>
<b><span style='font-weight:bold'>Synopsis</span></b><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=3
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>The tested
implementations do not check whether the uri parameter of the Digest
Authorization header is the same as the Request-URI of the message. Because
the digest response is computed over that uri parameter and not over the
Request-URI actually carried by the request, an attacker can reuse a sniffed
Authorization header on an INVITE addressed to any other extension. This is
not a simple replay attack: the request being authorized is a different
one.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>They
also do not generate one-time nonces, so a captured response stays valid for
as long as the nonce it was computed with has not expired. Together these
issues allow a malicious user who can sniff a Digest authentication from a
regular user to call any extension on behalf of that user, by spoofing the
remaining request data, until the nonce expires.<o:p></o:p></span></font></p>
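<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>The
following is an added example, not code from the advisory, from Cisco or from
OpenSer: a minimal Python model of a SIP Digest verifier that, like the tested
implementations, recomputes the response over the uri parameter of the header
and never compares it with the Request-URI, next to a hardened verifier that
does compare them and burns each nonce on first use. The realm, user,
password, extensions and sniffed header are constructed for
illustration.<o:p></o:p></span></font></p>

```python
# Added example for this advisory; it is not code from MADYNES, Cisco or OpenSER.
# A minimal SIP Digest verifier in the vulnerable form described above, next to
# a hardened form. Realm, user, password, extensions and the captured header
# are constructed for illustration.
import hashlib
import re
import secrets

REALM = "example.com"          # assumed realm
USERS = {"alice": "s3cret"}    # assumed credential store (plaintext for brevity)
ISSUED_NONCES = set()          # nonces handed out in 401/407 challenges


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def issue_nonce():
    """Server side: hand out a fresh nonce in a 401/407 challenge."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 MD5 digest without qop, as SIP uses it (RFC 3261 section 22).
    Only the method, the uri parameter and the nonce are covered; the To
    header and the real Request-URI of the message are not."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, password, method, uri, nonce):
    """Client side: the Authorization header an endpoint puts on its INVITE."""
    response = digest_response(username, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def parse_authorization(header):
    """Parse the comma-separated parameters of a Digest Authorization header."""
    if not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header[len("Digest "):]))


def verify_vulnerable(method, request_uri, header):
    """The behaviour the advisory describes: the response is recomputed over the
    uri= parameter taken from the header itself, the Request-URI of the message
    is never consulted, and a nonce stays valid until it expires."""
    a = parse_authorization(header)
    password = USERS.get(a.get("username"))
    if password is None or a.get("nonce") not in ISSUED_NONCES:
        return False
    return a.get("response") == digest_response(
        a["username"], password, method, a.get("uri", ""), a["nonce"])


def verify_hardened(method, request_uri, header):
    """Same check plus the two fixes: uri= must equal the Request-URI of the
    message being authorized, and each nonce is accepted exactly once."""
    a = parse_authorization(header)
    password = USERS.get(a.get("username"))
    if password is None:
        return False
    if a.get("uri") != request_uri:      # digest uri and request uri differ
        return False
    if a.get("nonce") not in ISSUED_NONCES:
        return False
    if a.get("response") != digest_response(
            a["username"], password, method, a["uri"], a["nonce"]):
        return False
    ISSUED_NONCES.discard(a["nonce"])    # one-time nonce: burn it on first valid use
    return True


def scenario():
    """Alice calls extension 1001. An attacker who sniffed her Authorization
    header puts it unchanged on an INVITE to a premium number, and also tries
    editing uri= to match (which fails without the password)."""
    legit_uri = "sip:1001@example.com"
    fraud_uri = "sip:0033899123456@example.com"
    sniffed = build_authorization("alice", "s3cret", "INVITE", legit_uri, issue_nonce())
    tampered = sniffed.replace(legit_uri, fraud_uri)
    r = {}
    r["vulnerable_accepts_fraud"] = verify_vulnerable("INVITE", fraud_uri, sniffed)
    r["tampered_uri_fails_everywhere"] = (not verify_vulnerable("INVITE", fraud_uri, tampered)
                                          and not verify_hardened("INVITE", fraud_uri, tampered))
    r["hardened_rejects_fraud"] = not verify_hardened("INVITE", fraud_uri, sniffed)
    r["hardened_accepts_legit"] = verify_hardened("INVITE", legit_uri, sniffed)
    r["hardened_rejects_replay"] = not verify_hardened("INVITE", legit_uri, sniffed)
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Running
the file prints one line per check. The tampered case shows why the attacker
has to keep the sniffed uri value intact and why this is not a plain replay:
the Request-URI, which the digest does not cover, is the only thing that
changes. In a real server the one-time nonce set also needs an expiry, since
it otherwise grows without bound.<o:p></o:p></span></font></p>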
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>The
first vendor (Cisco) was informed in May 2007 and acknowledged the
vulnerability. The second vendor (OpenSer, voice-systems) was informed in October
2007 and fixed the vulnerability on the same day.<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>This
vulnerability was identified by the Madynes research team at INRIA Lorraine,
using the Madynes VoIP fuzzer KIPH. This is one of the first published
vulnerabilities for which advanced state tracking is required.<br>
<br>
<b><span style='font-weight:bold'>Background </span></b><o:p></o:p></span></font></p>
<ul type=disc>
<li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;mso-list:l1 level1 lfo1'><font size=3 color=black
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt;
color:windowtext'>SIP is the IETF-standardized (RFCs 2543 and 3261)
protocol for VoIP signalling. SIP is ASCII based; an INVITE message is
used to initiate and maintain a communication session. <br>
<br>
</span></font><span lang=EN-US><o:p></o:p></span></li>
</ul>
<p style='margin-bottom:12.0pt'><b><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;font-weight:bold'>Impact:<o:p></o:p></span></font></b></p>
<p style='margin-bottom:12.0pt'><b><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;font-weight:bold'><br>
</span></font></b><span lang=EN-US>A malicious user can perform toll fraud and caller
ID spoofing.<o:p></o:p></span></p>
<p style='margin-bottom:12.0pt'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'><br>
<b><span style='font-weight:bold'>Resolution<br>
<br>
<o:p></o:p></span></b></span></font></p>
<p class=MsoNormal style='text-autospace:none'><b><font size=3
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt;font-weight:
bold'>OpenSer fixed the issue on 4 October 2007. <o:p></o:p></span></font></b></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>The devel branch
was enhanced to export a pseudo-variable $adu which refers to this field (the
uri parameter of the Authorization or Proxy-Authorization header). It is now
easy to check in the config file whether it is equal to the Request-URI ($ru).
The comparison has to be made before the script rewrites the Request-URI (for
example with lookup()), otherwise legitimate requests would be rejected. The
nonce reuse window is bounded only by the auth module's nonce_expire
parameter, so it should be kept short:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>if($adu != $ru)<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>{<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'># digest uri and
request uri are different: reject the request<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>sl_send_reply("403",
"Forbidden");<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>exit;<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>}<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><b><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;font-weight:bold'><o:p> </o:p></span></font></b></p>
<p style='margin-bottom:12.0pt'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'><br>
<b><span style='font-weight:bold'>Credits</span></b><o:p></o:p></span></font></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'>Humberto J. Abdelnur (Ph.D Student) <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><st1:place w:st="on"><st1:PlaceName w:st="on"><font
size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Radu</span></font></st1:PlaceName><span
lang=EN-US> <st1:PlaceType w:st="on">State</st1:PlaceType></span></st1:place><span
lang=EN-US> (Ph.D)</span><span lang=EN-US> </span><span lang=EN-US><o:p></o:p></span></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'>Olivier Festor (Ph.D)</span><span
lang=EN-US> </span></font><span lang=EN-US><o:p></o:p></span></li>
</ul>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'><br>
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIF<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>PoC: proof-of-concept code is
available on request<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-US
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>