The Sys-Security Group Security Advisory

"More Vulnerabilities with Pingtel xpressa SIP-based IP Phones"

Release Date: 08/20/2002

Affected Platforms:
Pingtel xpressa SIP IP phones model PX-1 with software version 2.0.1 and below;
Pingtel instant xpressa softphones with software version 2.0.1 and below

Severity: High

Author: Ofir Arkin (ofir@sys-security.com)

Summary

Pingtel (http://www.pingtel.com) develops intelligent Java-based voice-over-IP phones and softphones for service providers and enterprises. Using the vulnerabilities enumerated within this advisory it is possible to jeopardize critical telephony infrastructure based on Pingtel's xpressa SIP-based IP phones and softphones. Additionally, certain vulnerabilities allow an attacker to take complete control over an IP phone or a softphone node, either directly or by circumventing other SIP entities on the network by abusing the node's credentials.

The most severe issue discussed is the way an attacker can exploit vulnerabilities with the MyPingtel Portal (http://my.pingtel.com) to subvert a VoIP infrastructure which includes IP phones and/or softphones from Pingtel.

Full details in PDF format (~500kb):
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf

Full details in HTML format:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm

Moderated text version is attached to this email and available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_SIP-based_IP_phones.txt

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

For more information: http://www.sys-security.com
Copyright (c) The Sys-Security Group 2002, all rights reserved.
Background Information

Please see the full advisory available from the Sys-Security Group's web site for more information on VoIP, SIP, and SIP Registrars.

A PDF is available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf

An HTML version is available from:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm

The Vulnerabilities

A. Predictable Parameter Values with SIP REGISTER requests sent from Pingtel's IP Phones

The following is a SIP REGISTER request sent from a Pingtel SIP-based IP phone to a SIP Registrar server:

    REGISTER sip:192.168.1.57 SIP/2.0
    To: sip:carol@192.168.1.57
    From: sip:carol@192.168.1.57;tag=456248
    Call-ID: 8-reg@192.168.1.59
    CSeq: 1 REGISTER
    Contact: sip:carol@192.168.1.59
    Expires: 3600
    Content-Length: 0
    Accept-Language: en
    Supported: sip-cc, sip-cc-01, timer
    User-Agent: Pingtel/1.2.6 (VxWorks)
    Via: SIP/2.0/UDP 192.168.1.59

The values required to subvert a registration which are used by the request are all predictable. The "Call-ID" is fixed (with other Pingtel IP phones it was always fixed to "9-reg@myIP"), the sequence number sent is 1 (so setting it to any higher number would be sufficient), and the "To" and "From" SIP URIs are also predictable, allowing a remote attacker to circumvent the SIP Registrar and write any bindings to the location service remotely (if no authentication is required).

Although authentication will be required in some cases, requiring the attacker to have the right credentials for the user before being able to circumvent the SIP Registrar and write false records into the location service, there are a number of ways to extract the username and password from a Pingtel SIP-based IP phone, some outlined in this advisory and some in an earlier one[1].

B. Compromising VoIP infrastructure using the MyPingtel Portal

MyPingtel is a Portal (http://my.pingtel.com) for one to use and manage his Pingtel xpressa softphone or IP phone. According to the MyPingtel web site, it can be used to:

"Learn about new applications and services and install them from your PC. Create and manage your speed dial phone book using the PC keyboard. Set your call handling preferences for call forwarding when you're away from the phone and on the phone. Get tips and online help for using your phone. Stay current with news from Pingtel..."
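The following Python audit is added here as an illustration and is not part of the advisory. It checks a sequence of REGISTER requests for the conditions section A describes: the fixed Pingtel Call-ID combined with CSeq 1 (a fingerprint of the vulnerable phone software), a Contact host that differs from the sending host, and a later REGISTER for the same address-of-record arriving from a different host with a higher CSeq (the registration takeover section A describes). The sample requests are constructed: the first copies the request quoted in section A, the second uses a hypothetical second host, 10.0.0.5.

```python
import re

# Constructed sample traffic, not a capture: the first request copies the Pingtel
# REGISTER quoted in section A; the second is a hypothetical forged re-registration.
SAMPLE_REGISTERS = [
    """REGISTER sip:192.168.1.57 SIP/2.0
To: sip:carol@192.168.1.57
From: sip:carol@192.168.1.57;tag=456248
Call-ID: 8-reg@192.168.1.59
CSeq: 1 REGISTER
Contact: sip:carol@192.168.1.59
Via: SIP/2.0/UDP 192.168.1.59
""",
    """REGISTER sip:192.168.1.57 SIP/2.0
To: sip:carol@192.168.1.57
From: sip:carol@192.168.1.57;tag=456248
Call-ID: 8-reg@192.168.1.59
CSeq: 2 REGISTER
Contact: sip:carol@10.0.0.5
Via: SIP/2.0/UDP 10.0.0.5
""",
]

# Call-IDs of the form "<n>-reg@<ip>" are the fixed values the advisory observed.
PINGTEL_CALL_ID = re.compile(r"^\d+-reg@")
URI_HOST = re.compile(r"@([^;>\s]+)")  # 'sip:carol@10.0.0.5;tag=1' -> '10.0.0.5'

def parse_sip(raw):
    """Split a SIP request into (method, {lower-case header name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers

def audit_registers(raw_requests):
    """Return (address-of-record, finding) pairs for a sequence of REGISTERs."""
    findings = []
    last_seen = {}  # aor -> (cseq, via host) of the previous REGISTER
    for raw in raw_requests:
        method, h = parse_sip(raw)
        if method != "REGISTER":
            continue
        aor = h["to"].split(";")[0]
        cseq = int(h["cseq"].split()[0])
        via_host = h["via"].split()[1].split(";")[0]
        contact = URI_HOST.search(h["contact"])
        # Fixed Call-ID plus CSeq 1 fingerprints the vulnerable phone software.
        if PINGTEL_CALL_ID.match(h["call-id"]) and cseq == 1:
            findings.append((aor, "predictable-register"))
        if contact and contact.group(1) != via_host:
            findings.append((aor, "contact-host-mismatch"))
        if aor in last_seen:
            prev_cseq, prev_via = last_seen[aor]
            # Same AOR, different sender, higher CSeq: the takeover the page describes.
            if via_host != prev_via and cseq > prev_cseq:
                findings.append((aor, "binding-takeover"))
        last_seen[aor] = (cseq, via_host)
    return findings
```

Run against a registrar's SIP log, the same logic gives an alert each time a binding for a known phone is rewritten from a host the phone has never registered from.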
In order to use the application/Portal, a user needs to register his Pingtel xpressa SIP-based IP phone with the MyPingtel Portal. This is done in two stages: the user needs to register with Pingtel's Portal, and then the user needs to register his IP phone (physically accessing the IP phone) using the details (and credentials) he supplied when registering with Pingtel's Portal.

The first stage is simply accomplished by browsing to http://my.pingtel.com and filling in the required registration form[2]. The user's credentials supplied to Pingtel's Portal with the registration process must be a valid username and password that allows the registering user to log in to his IP phone via the web server interface of his IP phone.

The next step would be to use the MyPingtel Sign-In application, which is supplied by default with Pingtel's IP phone and softphone, to register the IP phone, physically accessing the phone. This is simply done by pressing:

    More -> MyPingtel Sign-In -> Next -> [Enter your username] -> [Enter your password] -> OK -> [Enter Admin Password] -> [Enter Phone Name] -> Next -> OK

A message will be displayed confirming the registration[3].

B.1 E.T. Phones Home - Information Leakage leading to the compromise of the IP Phone

When the IP phone (or softphone) boots up, it will send all registration information to Pingtel's MyPingtel Portal (http://my.pingtel.com) utilizing the HTTP protocol. The information sent to Pingtel's Portal will include the following:

- Admin name in clear text
- Admin password as an MD5 hash
- MAC address in clear text
- Physical password as an MD5 hash
- Admin domain in clear text
- IP address of the IP phone in clear text
- Web server port in clear text
- And other information

Any malicious party able to extract this information from the wire (upstream to Pingtel, local network to the phone, intermediate network, etc.) will have the ability to brute force the user's password offline.
This might be done utilizing the same hashing/crypto algorithm used. Alternatively, a malicious party might choose to actively brute force the password, either against the IP phone's web server or utilizing Pingtel's Portal.

The value of the information is even greater when the IP address of the IP phone is routable from the Internet. This will allow a remote attacker to connect to the IP phone's web server remotely (web server access is required for the operation of the MyPingtel Portal), either directly or through the MyPingtel Portal, using the credentials he extracted. Although administrator access is needed to circumvent some of the IP phone's features (the username is "admin" and the out-of-the-box password is blank), having a valid username and password would allow a malicious party to circumvent the "Call Handling" features of the IP phone, such as the various "Call Forwarding" features[4].

B.2 E.T. Gets a Call - Information Leakage leading to the compromise of the IP Phone

To use Pingtel's Portal one needs to supply his username and password. The web page is composed of two parts. The left part contains a login form which uses HTTP over SSL (HTTPS), while the right part of the page is simply a list of applications and other miscellaneous pieces of information.

B.2.1 Username and password enumeration using the http://my.pingtel.com Web Site

The problems start even before successfully authenticating to the web site, since the web site will be kind enough to tell you whether the username exists or not... and of course when the password is wrong... This will allow any malicious party to actively enumerate any user ever registered with the MyPingtel Portal as well as his password (no account lockout policy seems to be in place).

B.2.2 What a successful authentication can bring...
If the authentication to Pingtel's Portal is successful, the MyPingtel Portal will send an authentication request to the authenticated user's IP phone's web server with the user's credentials (the same credentials used to log on to the Portal). Since the IP phone sent its IP address and web server port number, among other pieces of data, to the Portal when the user registered his IP phone with MyPingtel services (and automatically after every boot-up if no changes are made), the Portal knows which IP address to send the authentication request to.

The problem is that the Pingtel xpressa SIP-based IP phone's (and softphone's) web server is only able to receive (and handle) HTTP Basic authentication (Base64). Any malicious party able to extract this information from the wire (downstream from Pingtel, local network to the phone, intermediate network, etc.) will have the username and password of a legitimate user for that particular IP phone.

The value of the information is even greater when the IP address of the IP phone is routable from the Internet. This will allow a remote attacker to connect to the IP phone's web server remotely (web server access is required for the operation of the MyPingtel Portal), either directly or through the MyPingtel Portal, using the credentials he extracted. Although administrator access is needed to circumvent some of the IP phone's features (the username is "admin" and the out-of-the-box password is blank), having a valid username and password would allow a malicious party to circumvent the "Call Handling" features of the IP phone, such as the various "Call Forwarding" features[5].

C. Onto the Critical Path

With the Pingtel xpressa SIP-based IP phones and softphones there are a number of instances where user credentials will be required to be presented, for example:

- When a non-privileged user or an "admin" wishes to use the IP phone's web server to manage some of the IP phone's functionality.
- When outgoing SIP requests have to be authenticated against the targeted SIP entity before the entity will be willing to process the requests.

The Pingtel xpressa SIP-based IP phone is able to hold two different sets of credentials for any user for these scenarios: one set of user credentials allowing the user to use the IP phone's web server, and another to authenticate the SIP requests the IP phone will make on behalf of that user targeting different SIP entities within the VoIP network.

Unfortunately the documentation with Pingtel's xpressa SIP-based IP phones and softphones does not make the appropriate distinction between the different cases and does not highlight the enormous security hazards associated[6]. Therefore I believe that in several deployments of Pingtel's xpressa SIP-based IP phones the same credentials were set for a user to log on to the IP phone's web server and for authenticating outgoing SIP requests.

The same credentials used for outgoing SIP requests and for accessing the IP phone's web server will also be those provided as part of the registration process to the MyPingtel Portal. This is because a user is not able to create another IP phone user unless he has the "admin" password. Therefore a user will be limited to using his login name and password, used to log in to the IP phone's web server (and in most cases to authenticate outgoing SIP requests), to register with the MyPingtel Portal, so that the Portal will be able to successfully authenticate to the web server after the user authenticates to the MyPingtel Portal.
This will lead to the following scenario: the authentication credentials the Pingtel xpressa SIP-based IP phone will be required to present when it needs to authenticate a call request or a registration request to a SIP entity (or entities) within the VoIP network the Pingtel IP phone is part of will be the same credentials used for the MyPingtel Portal and the MyPingtel Sign-In application on the IP phone! A malicious party able to extract the credentials from the MyPingtel Portal, using one of the methods presented within this advisory, will be able to pass any authentication required by any SIP entity for that particular user!

The potential risk is devastating for the VoIP network, where any authentication required in order to block misuse of the network can now be easily bypassed:

- Using a user's credentials, a malicious attacker will be able to successfully authenticate to the SIP Registrar server and make changes to the binding information stored in the location service for that particular user. This fault, combined with the ability to predict SIP REGISTER request parameters sent from Pingtel SIP-based IP phones and softphones, leads to total control of the binding information for a particular user. This will allow, among other things, a malicious party to associate the user's SIP or SIPS URI with an IP address or a hostname which does not represent the IP phone. In other words, it would allow a malicious party to perform "Call Hijacking" in a very easy manner, even remotely!

- Abusing the SIP Registrar server would allow a malicious party to forward incoming call requests outside of the organization using Pingtel's xpressa SIP-based IP phones whose nodes and credentials were compromised.

- When a user places a call, he might need to provide authentication information in order to be allowed to place the call. This is usually performed for the user by his IP phone, where the user's username and password are stored and used when needed.
  Since the user's credentials are compromised, a malicious party will be able to use the credentials he extracted to make free phone calls using the VoIP network the Pingtel xpressa SIP-based IP phone(s) belong to.

- Etc.

D. More Issues

There are more, less severe issues I have found with Pingtel's xpressa IP phones and softphones, which are listed below so that people can understand what they are exposed to.

D.1 Availability - Random Reboots of the IP Phone

Using a Pingtel xpressa SIP-based IP phone I have encountered situations where the IP phone has rebooted out of the blue. There was no attack launched on the phone, and the network traffic was HTTP, HTTPS, POP3 and SMTP only. Although this was not observed at short intervals, the availability of the IP phone, which is sometimes regarded as critical infrastructure, is still at risk. I do feel it is not my role to perform various tests against the IP phone in order to determine the exact cause of the random reboots. This is something I leave for Pingtel and Wind River (manufacturers of the VxWorks platform).

D.2 No verification of downloaded software

As part of the IP phone's boot-up process the IP phone will fetch several Java applications from Pingtel's web site. There are no verification checks against the downloaded software, resulting in the possibility for anyone able to subvert DNS records to "feed" the IP phone with the wrong (malicious?) application.

D.3 User Enumeration by Physically Accessing the IP phone

If physical access is gained to the phone, a malicious party will be able to view the username one is using for his IP phone (if the MyPingtel Sign-In application is in use) simply by pressing:

    More -> MyPingtel Sign-In

If the user is using the MyPingtel Sign-In application, a message will be displayed alerting that the IP phone is already signed in to MyPingtel, displaying the current signed-in login name and the server it is connected to. This information should be hidden.
D.4 Hard coded usernames and passwords within web pages served with MyPingtel Portal

Although the login to the MyPingtel Portal is done securely using HTTPS, any malicious user using a workstation previously used by a legitimate MyPingtel Portal user will be able, by pressing the browser's back button and viewing the web page source, to see in clear text the user's username and password as well as the IP phone's IP address...

Temporary Solution

There are a number of risk-mitigating network configurations a VoIP network administrator might apply in order to mitigate some of the risk involved with using Pingtel's xpressa SIP-based IP phones and softphones on his network.

Issues related to the configuration and usage of the IP phones:

- Deploy users using the IP phone's admin GUI in a lab environment BEFORE issuing the IP phones to your users
- Change the "admin" password on the IP phones. Remember - the default is blank!
- Shut down the Pingtel xpressa IP phone's web server after initial setup if this function is not required or used by your users
- Configure a different credential set for each user for:
  - Outgoing SIP requests that need to be authenticated, and for
  - Web server logon for managing some of the IP phone's abilities
- Do not disclose the credentials needed to authenticate the outgoing SIP requests to your users!
- Do not perform remote management tasks using the Pingtel xpressa IP phone's web server, since authentication is literally in clear text!

Issues related to the MyPingtel Portal:

- Do not allow your users to use the MyPingtel Portal (actively block this with the appropriate access controls on your network filtering devices until the issues in this advisory are resolved); they can directly access their Pingtel xpressa IP phones locally. Educate them how to do that!
- Do not allow your users to use the MyPingtel Sign-In application on their Pingtel xpressa SIP-based IP phones (actively block this with the appropriate access controls on your network filtering devices until the issues in this advisory are resolved)
- Block access to http://my.pingtel.com

General Issues:

- Block access to your SIP Registrar server from the Internet (and from other networks that should not access it)
- Make your VoIP network non-routable for users coming from the Internet
- Do not allow any access to your VoIP infrastructure from the Internet

Other types of solutions should be provided by Pingtel.

Conclusion

The MyPingtel Portal does not take security into account, which might lead to a total compromise of any VoIP network using the MyPingtel Portal with Pingtel's SIP-based IP phones and softphones. This is a direct result of the lack of proper security-centric documentation, understanding, and education on the part of Pingtel. This is another example of how a newcomer technology still needs to go through several cycles before it might be regarded as "ok" to use with regard to its security risks.

[1] Ofir Arkin & Joshua Anderson: Multiple Vulnerabilities with Pingtel xpressa SIP Phones, July 12, 2002. Available from: http://www.sys-security.com/archive/advisories/a071202-1.txt
[2] Although I have previously indicated to Pingtel that the information entered is not validated against any record of sale or other, it is still possible for anyone to register with completely fake information and be able to receive the services from the Portal.
[3] When entering the password for the MyPingtel user, the last digit will be displayed forever on the instant xpressa softphones, making shoulder surfing even easier than ever before.
[4] Please see section C for more hazards.
[5] Please see section C for more hazards.
[6] Pingtel's own "Best Practices for Deploying Pingtel phones" document (http://www.pingtel.com/docs/best_practices_20x.txt) does not address this issue.