Skip to main content
Sandro Gauci

Sandro Gauci, Enable Security

Server impersonation and SIP

Published on Oct 28, 2007 in ,

Was reading Sipera’s latest advisories. The server impersonation advisory caught my eye mostly because we’ve seen something similar to this over here during testing. We hadn’t published this information until now .. so here goes.

A good number of SIP softphones, and we would assume VoIP phones (hardware), will ring upon receiving an INVITE request. Three months ago we worked on 3 stories, two of which describe protagonists abusing this behavior and are still unpublished. I’m working on getting these two stories published soon.

As hinted by the Sipera advisory, this behavior has a few implications; major ones being that it can be abused for spamming and social engineering attacks.

These are the softphones that were found to display this behavior:

  • X-lite release 1011b
  • Ekiga 2.0.11 (beta)
  • SJPhone 1.65.377a

Also quickly tested Gizmo project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof packet source ip etc.

How do you test for this?
Use your favorite SIP phone to call an address like sip:whatever@, where is the destination IP of the SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (that I’ll try to publish tomorrow), the attacker makes use of X-lite. If making use of X-lite, select the option “target domain” in the “Send outbound via:” config.

If you have any results please post a comment or send me an email.

Sandro Gauci

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.

He offers public office hours and is reachable here.