PhonerLite 2.14 Digest Information Leak

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
  
I. Advisory Summary  
  
Title: SIP Digest Leak Information Disclosure in PhonerLite 2.14 SIP Soft  
Phone  
Date Published: March 30, 2014  
Vendors contacted: Heiko Sommerfeldt, PhonerLite author  
Discovered by: Jason Ostrom  
Severity: Medium  
  
II. Vulnerability Scoring Metrics  
  
CVE Reference: CVE-2014-2560  
CVSS v2 Base Score: 4.3  
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)  
Component(s): PhonerLite SIP Soft Phone  
Class: Information Disclosure  
  
III. Introduction  
  
PhonerLite [1] is a freeware SIP soft phone client running on the Windows  
platform and supporting common VoIP features as well as security  
functionality such as SIP TLS, SRTP, and ZRTP.  
  
[1] http://www.phonerlite.de  
  
IV. Vulnerability Description  
  
PhonerLite SIP soft phone version 2.14 is vulnerable to revealing SIP MD5  
digest authenticated user credential hash via spoofed SIP INVITE message  
sent by a malicious 3rd party. After responding back to an authentication  
challenge to the BYE message, PhonerLite leaks the hashed MD5 digest  
credentials. After the 3rd party receives the dumped MD5 hash, they can use  
this information to mount an offline wordlist attack. This SIP protocol  
implementation issue vulnerability was initially discovered by Sandro Gauci  
of Enable Security [2], with vendor soft phones and handsets showing  
differential success in mitigating this flaw. CVE-IDs have been reserved  
for two previous SIP soft phone implementations [3, 4] that were tested as  
vulnerable.  
  
[2] https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf  
[3] CVE-ID for Gizmo5 soft phone: CVE-2009-5139  
[4] CVE-ID for Linksys SPA2102 adapter: CVE-2009-5140  
  
V. Technical Description / Proof of Concept Code  
  
The following steps can be carried out in duplicating this vulnerability.  
  
Step 1:  
Use SIPp protocol tester to craft a SIP INVITE message using TCP transport  
and forward the SIP message towards the IP address of the Windows PhonerLite  
soft phone, listening on TCP port 5060  
Step 2:  
PhonerLite user answers call  
Step 3:  
PhonerLite user hangs up call, since there is no one talking (it is like  
dead air)  
Step 4:  
Attacker receives BYE message from PhonerLite. Immediately after receiving  
BYE, attacker sends a 401 challenge SIP message  
Step 5:  
PhonerLite responds with a second BYE message, containing SIP Authorization  
header (which contains MD5 hash / response)  
Step 6:  
Attacker mounts an offline wordlist attack against the dumped MD5 hash using  
sipdump/sipcrack  
  
Additional Notes:  
* The vulnerability verification was tested as a malicious 3rd party using  
Kali Linux [5] distribution, with all tools included in distro.  
* The attacker does not need to know the correct username of PhonerLite  
registered SIP user. The attacker only needs to find the IP address of a  
PhonerLite endpoint listening on TCP port 5060.  
* The attacker does not need to know the digest realm field. A null realm  
string of "NULL" or "null" will be sufficient in exploiting the flaw.  
* Verified that PhonerLite is not vulnerable to this security flaw when  
attacker uses UDP transport instead of TCP  
  
[5] http://kali.org  
  
VIII. Vendor Information, Solutions, and Workarounds  
  
This issue is fixed in PhonerLite version 2.15  
  
Resolution is the following, as specified by the author: A SIP UAC (User  
Agent Client) should not send a 401 or 407. In other words, only a UAS  
(User Agent Server) should send a 401 or 407 challenge. Therefore, a  
401/407 will be dropped by the UAS (PhonerLite) if sent by a malicious 3rd  
party UAC.  
  
IX. Credits  
  
This vulnerability has been discovered by:  
Jason Ostrom of Stora  
  
XX. Vulnerability History  
  
Sun, 2/16/14: Vulnerability discovered  
Wed, 3/12/14: Sent vulnerability disclosure to Heiko Sommerfeldt, info at  
phoner.de  
Thu, 3/13/14: Notified by author that Beta version has been uploaded, which  
should fix problem. Attempted to verify with security testing of Beta 2.15.  
Verified that issue has been resolved.  
Sun, 3/30/14: Notified by author that fixed version (2.15) has been  
uploaded  
Sun, 3/30/14: Vulnerability disclosure posted  
  
XXI. Disclaimer  
  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise. Stora accepts no  
responsibility for any damage caused by the use or misuse of this  
information.  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: Encryption Desktop 10.3.2 (Build 15238)  
Charset: us-ascii  
  
wsBVAwUBUzl9EWRzm/FWea0uAQjX8gf/Ts6IWfPbMFeir5PxDrvQ2VWBNCESgODN  
GgJQZaj6339ZxIMFC6IYoD4Uvx223igSB+OyYHLmGZOnQoES7Ilj2Or5Afe71Cqe  
ExqYe2fTaZeyruWTgmPA296W3EEoT+Cedeyy5k0+sxK4ahKZ2DQgM/WIDDHU3X/B  
nAJZWob+r2f2tQr+OBhy7saMEix9QMNeAEZCa+JJ8az9gxe6+AU9kdmwj9hPy+qc  
ZDODMOSyvYojfuvE0oy0AyZ1OBWVpI9lSCI6wmUT6ihOpruz3OKQT+e1HyFoBvmX  
aafzW7VlbxgS3EQRC25EWj61BYVIy7OpIFfOzymyBnL/qb0PTBmiDA==  
=rmxn  
-----END PGP SIGNATURE-----  
`