Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking General Information :: tb13040.htm

Nortel IP Phone Surveillance Mode



Nortel IP Phone Surveillance Mode
Nortel IP Phone Surveillance Mode



#############################################################=0D
#=0D
# COMPASS SECURITY ADVISORY http://www.csnc.ch/=0D 
#=0D
#############################################################=0D
#=0D
# Product: IP Phone=0D
# Vendor:  Nortel=0D
# Subject: IP Phone Surveillance Mode=0D
# Risk:    High=0D
# Effect:  Currently exploitable=0D
# Author:  Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)=0D
# Date:    October, 18th 2007=0D
#=0D
#############################################################=0D
=0D
Introduction:=0D
-------------=0D
An IP phone can be put into surveillance mode if the correct UNIStim message is sent to the IP phone. The UNIStim message ID must match the expected ID between the signaling server and the IP phone. The protocol uses only 16bit for the ID number. If a malicious user sends 65536 spoofed UNIStim message with all possible ID numbers he is able to successfully launch this attack.=0D
=0D
Nortel has noted this as:=0D
Title:  UNIStim IP Phone Remote Eavesdrop Potential Vulnerability=0D
Number: 2007008383=0D
http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY=0D 
=0D
Vulnerable:=0D
-----------=0D
Nortel IP Phone 1140E=0D
IP Softphone 2050=0D
and others.=0D
=0D
See associated products on the Nortel advisory.=0D
=0D
Vulnerability Management:=0D
-------------------------=0D
June 2007:    Vulnerability found=0D
June 2007:    Nortel Security notified=0D
October 2007: Nortel Advisory & Patches available=0D
October 2007: Compass Security Information=0D
=0D
Remediation:=0D
------------=0D
Follow the recommended actions for the affected systems, as identified in the Nortel Advisory.=0D
=0D
Technical Description:=0D
----------------------=0D
A malicious user sends n spoofed "Open Audio Stream" messages to an IP phone which it intents to put into surveillance mode. If the ID of the message matches the ID number between the signaling server and the IP phone, the message is accepted and the audio stream is opened to the host given in the "Open Audio Stream" message.=0D
=0D
To increase the probability of exploiting this vulnerability the number of spoofed messages need to be as close as possible to the maximum. The RUDP datagram uses a 32bit field for the ID number. However, the implementation of Nortel makes only use of 16bit. That means if we send 65536 messages with different IDs we will hit the correct ID by 100%. However, there is a small catch, if the number of spoofed messages is too high, the IP phone will crash and a manual reboot is required to bring it back online.=0D
=0D
Reference:=0D
http://www.csnc.ch/static/advisory/secadvisorylist.html 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH