[37243] in bugtraq


SSC Advisory TSA-053 (Ureach.com)

daemon@ATHENA.MIT.EDU (Secure Science Corporation Advisor)
Fri Nov 5 17:08:19 2004

Message-ID: <418BBA72.2040602@securescience.net>
Date: Fri, 05 Nov 2004 09:37:54 -0800
From: Secure Science Corporation Advisory Notice <bugtraq@securescience.net>
To: bugtraq@securityfocus.com

Secure Science Corporation Advisory TSA-053
http://www.securescience.net
e-response@securescience.net
877-570-0455

---------------------------------------------------------

Ureach.com's Uscreen Desktop software is vulnerable to misuse and enables
specific caller-id spoofing via the forward feature, enabling compromise 
of other communication services operating on PSTN or wireless networks.

---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, Remote Compromise,
General misuse.

Discovery Date: October 19th, 2004
Vendor Contacted: October 27, 2004
Advisory publication date: November 5th, 2004


Vendor Description:
-------------------
uReach.com strives to provide solutions that meet a wide range of customer needs
from point solutions that address a specific need to robust bundles that can
simplify managing all forms of communications - email, voice mail, fax,
reminders, alerts and phone calls.


Abstract:
---------
Ureach.com's Uscreen Desktop is included in many services that Ureach.com
provides. It is used as a desktop alert and control service, enabling users to
identify the caller, forward the calls to arbitrary numbers, send to voicemail,
and call back missed calls. Ureach.com provides 1-800 virtual numbers to their
customers that will forward to numbers selected by the customer.

Example Case:
Many VoIP phone networks (such as freeworld dialup and sipphone.com) allow
toll-free calling (18xxx) and provide you with a SIP ID or number. In most
cases, the SIP ID is not in the same format as the Caller-ID given on a PSTN
network (usually 7 or 10 digit sets); e.g., freeworld provides 5 or 6 digit
numbers instead. When a SIP phone whose ID does not meet the proper Caller-ID
format calls a Ureach number, Ureach will correct it by calling the
destination number using the destination number itself as the Caller-ID
display.

Description:
------------
In Pseudocode:

    if (UscreenReceiveCall(!PROPERCIDFORMAT)) {
        cid = destination_target;
        ForwardCall(cid, destination_target);
    }

When an improperly formatted ID is sent as identification, the target number
is displayed as the caller. This allows for trivial abuse by arbitrary
attackers, including remote compromise of voicemail systems such as T-Mobile
Wireless and Verizon Northwest (refer to Secure Science Corporation Advisory
TSA-051).

Tested Vendors:
---------------
Ureach.com


Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor and has received no response.

Solution:
---------
Ureach.com receives calls with the Caller-ID signal first and ANI second (if
Caller-ID is blocked). If the Caller-ID does not match the proper format, then
ANI should be utilized, or the customer's 877 virtual number should be
displayed to the destination.
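
The selection order recommended above, next to the behaviour the Description
reports, as an added example (not code from the advisory or from Ureach). The
function names, the separator handling and the sample numbers are assumptions
made for illustration.

```python
import re

# Assumption: "proper" means the 7- or 10-digit PSTN form the advisory mentions.
PROPER_CID = re.compile(r"\d{7}|\d{10}")

def normalize(number):
    """Strip common separators; None or empty input becomes ''."""
    return re.sub(r"[\s().-]", "", number or "")

def is_proper_cid(number):
    """True when the normalized value is exactly 7 or 10 digits."""
    return PROPER_CID.fullmatch(normalize(number)) is not None

def outbound_cid_reported(caller_id, destination):
    """Behaviour described in the advisory: a malformed ID is replaced
    by the destination's own number, so the callee sees itself calling."""
    if is_proper_cid(caller_id):
        return normalize(caller_id)
    return normalize(destination)

def outbound_cid_recommended(caller_id, ani, virtual_number):
    """Advisory's fix: Caller-ID first, ANI second, otherwise the customer's
    virtual number. The destination number is never a candidate."""
    for candidate in (caller_id, ani):
        if is_proper_cid(candidate):
            return normalize(candidate)
    return normalize(virtual_number)

# Constructed sample values (555-01xx numbers are reserved for fiction).
DEST = "503-555-0199"
VIRTUAL = "877-555-0100"
ANI = "503-555-0123"

def run_cases():
    """Return (label, reported, recommended) for each constructed call."""
    calls = [
        ("5-digit SIP ID, ANI present", "12345", ANI),
        ("5-digit SIP ID, no ANI", "12345", None),
        ("Caller-ID blocked, ANI present", None, ANI),
        ("well-formed Caller-ID", "503-555-0111", ANI),
    ]
    return [(label,
             outbound_cid_reported(cid, DEST),
             outbound_cid_recommended(cid, ani, VIRTUAL))
            for label, cid, ani in calls]

if __name__ == "__main__":
    for row in run_cases():
        print("%-32s reported=%s recommended=%s" % row)
```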

Credits: 
--------
Secure Science Corporation: Lance James

Disclaimer:
----------- 
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.