[37226] in bugtraq
SSC Advisory TSA-052 (Callwave.com)
daemon@ATHENA.MIT.EDU (Secure Science Corporation Advisor)
Thu Nov 4 16:21:58 2004
Message-ID: <41893186.9050104@securescience.net>
Date: Wed, 03 Nov 2004 11:29:10 -0800
From: Secure Science Corporation Advisory Notice <bugtraq@securescience.net>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="------------enig6233B5EC56E3AC1EB91776A9"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig6233B5EC56E3AC1EB91776A9
Content-Type: multipart/mixed;
boundary="------------000301020301000809040400"
This is a multi-part message in MIME format.
--------------000301020301000809040400
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
--------------000301020301000809040400
Content-Type: text/plain;
name="Callwave_exploit"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="Callwave_exploit"
Secure Science Corporation Advisory TSA-052
http://www.securescience.net
e-response@securescience.net
877-570-0455
---------------------------------------------------------
Callwave.com customer service automated termination service is
vulnerable to caller-ID authentication spoofing, enabling arbitrary
termination of customer accounts.
---------------------------------------------------------------------
Vulnerability Classification: Authentication bypass, Denial of Service,
Misplaced trust.
Discovery Date: October 25, 2004
Vendor Contacted: October 25, 2004
Advisory publication date: November 3rd, 2004
Vendor Description:
-------------------
CallWave's easy-to-install software helps consumers and businesses get more
out of their wireless phone, home phone, and Internet-connected PC by 'bridging'
calls between these devices. Millions of households and small businesses have
installed CallWave to get important calls instantly no matter where they are,
receive faxes on their PC, and even screen out unwanted calls all without
purchasing or installing additional hardware.
Abstract:
---------
Callwave.com grant implicit trust to service subscribers Caller-ID input for
customers to terminate their accounts via the automated termination service 800
number. Caller-ID spoofing allows forgery of a calling number to the target
number. When spoofing a subscriber number while calling the automated 800
service, the target depends solely on the CID for authentication and grants
termination of the customer account associated with the specific number spoofed.
Description:
------------
During recent explorations with telephone bridging software, we signed up for
the callwave service temporarily. The process to cancel the service when
requested directed us to call an automated 800 service from your subscription
number. Forging the caller-id and calling the 800 service number enabled the
termination
request to be successful.
It is untested whether CID/CPN spoofing impacts other features of callwave at
this time.
Tested Vendors:
---------------
Callwave.com
Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor with no
response.
Solution:
---------
Add 2-factor authentication (passcode requirement) by default and cease implicit
trust of Caller-ID information. Alternatively use ANI with 8xx numbers.
Credits:
--------
Secure Science Corporation: Lance James
Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.
--------------000301020301000809040400--
--------------enig6233B5EC56E3AC1EB91776A9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBiTGGS5qPmxIxbpkRAoSQAJ40xXd6y0jcuqvq+yMjOFaOB/+jRACfTYms
87JAx2BS5n9hkm+pz3R9OkQ=
=rroz
-----END PGP SIGNATURE-----
--------------enig6233B5EC56E3AC1EB91776A9--
