Server impersonation and SIP
Last updated: Oct 24, 2020
Was reading Sipera’s latest advisories. The server impersonation advisory caught my eye mostly because we’ve seen something similar to this over here during testing. We hadn’t published this information until now .. so here goes.
A good number of SIP softphones, and we would assume VoIP phones (hardware), will ring upon receiving an INVITE request. Three months ago we worked on 3 stories, two of which describe protagonists abusing this behavior and are still unpublished. I’m working on getting these two stories published soon.
As hinted by the Sipera advisory, this behavior has a few implications; major ones being that it can be abused for spamming and social engineering attacks.
These are the softphones that were found to display this behavior:
- X-lite release 1011b
- Ekiga 2.0.11 (beta)
- SJPhone 1.65.377a
Also quickly tested Gizmo project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof packet source ip etc.
How do you test for this?
Use your favorite SIP phone to call an address like sip:email@example.com:5060, where 192.168.1.1 is the destination IP of the SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (that I’ll try to publish tomorrow), the attacker makes use of X-lite. If making use of X-lite, select the option “target domain” in the “Send outbound via:” config.
If you have any results please post a comment or send me an email.