5/19/2023

Signalwire freepbx

Proxy-Authorization: Digest username="1000", realm="",
User-Agent: FreeSWITCH-mod_sofia/1.10.7-dev+git~20210325T155256Z~67cec5c3e8~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY

The challenge response may then be subjected to a fast offline password bruteforce attack using tools such as hashcat and John the Ripper.

The above example consists of challenging the BYE message coming from FreeSWITCH. We identified the following additional scenarios which allow exploitation:

- FreeSWITCH initiating a call to a malicious party, for example by making use of the originate command in fs_cli, where the malicious party challenges the incoming INVITE request.
- An authenticated SIP endpoint calling another registered malicious endpoint, where the malicious endpoint challenges the incoming INVITE request.

Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response.

Do note that the attacker does not require special network privileges, such as the ability to sniff the FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party.

Additionally, to exploit this issue, the attacker needs to specify the correct realm which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved.

To reproduce this issue, we made use of SIPVicious PRO's SIP digest leak tool as follows:

WARN security issue detected: digest leaked
INFO call picked up by
23:09:18] received BYE, challenging that with a 407