[NEWS] Sony's Instant Video Everywhere Service Replay Attack



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Sony's Instant Video Everywhere Service Replay Attack
------------------------------------------------------------------------


SUMMARY

" <http://sony.glowpoint.com/> IVE makes video and voice calling from you
PC as easy as placing a telephone call - but with the added power of
face-to-face communications. "

By exploiting a replay attack on Sony's Instant Video Everywhere,
attackers can steal calls and impersonate the users.

DETAILS

Vulnerable Systems:
* Sony IVE version 4.4.0 MCS

After the IVE client application is started and the username and password
are entered into the initial dialog, the application sends an HTTP request
to one of the servers of the service provider GlowPoint to fetch the
initial provisioning data. This request is sent over an unencrypted TCP
connection. The request URI of this initial HTTP request contains two
parameters named "userLogin" and "userPassword". The userLogin parameter
contains the customer's username (their e-mail address) in clear text. The
userPassword parameter contains a hexadecimal string; this string is
constant across all provisioning requests as long as the user does not
change their password.

The response to this HTTP request contains a list of attribute-value
pairs. One of the attributes is named "token". The value of this "token"
changes with every new HTTP request sent to the server. Furthermore, the
"token" value appears in the request URI of several additional HTTP
requests and in the SIP signaling: in the SIP REGISTER requests from the
IVE client it is carried in the "X-DyLogic-MCS-Token" header.

The server responds to a REGISTER request only if it contains the
"X-DyLogic-MCS-Token" header with exactly the value from the provisioning
data set returned by the preceding HTTP request.

If someone other than the real user (the attacker) knows the "userLogin"
and "userPassword" values, they can send the same HTTP request (with any
HTTP client) to the provisioning server and obtain an up-to-date
provisioning data set. If the attacker copies the "token" value from this
provisioning data set into a SIP REGISTER request, they can log in to the
IVE service with any SIP client and receive calls for the real user (as
long as the real user is not online with the IVE client at the same time).
The most recent "token" value is accepted by the server for several hours,
as long as no further HTTP provisioning request has been sent to the
server.

Because the hexadecimal "userPassword" value is not equal to the user's
real password, an attacker who knows only the "userPassword" value would
not be able to log in to the IVE web frontend.
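The observable side effect of the replay described above is one MCS token being presented in REGISTER requests from more than one endpoint. The following detector is an added example (not part of the advisory or the vendor's software) that parses SIP REGISTER messages and flags a "token" value seen from several source addresses; the header name comes from the advisory, while the users, host, addresses and token values are constructed.

```python
import re
from collections import defaultdict
# Constructed (source address, raw SIP REGISTER) pairs, not a real capture.
# Only the X-DyLogic-MCS-Token header name is taken from the advisory; the
# users, host, addresses and token values are made up for this example.
SAMPLE_REGISTERS = [
    ("192.0.2.10", "REGISTER sip:mcs.example.invalid SIP/2.0\r\n"
     "From: <sip:alice@example.invalid>;tag=a1\r\n"
     "X-DyLogic-MCS-Token: 7c2e91ab\r\n\r\n"),
    ("192.0.2.10", "REGISTER sip:mcs.example.invalid SIP/2.0\r\n"   # same client
     "From: <sip:alice@example.invalid>;tag=a2\r\n"                  # re-registering
     "X-DyLogic-MCS-Token: 7c2e91ab\r\n\r\n"),
    ("198.51.100.7", "REGISTER sip:mcs.example.invalid SIP/2.0\r\n"  # same token from a
     "From: <sip:alice@example.invalid>;tag=a3\r\n"                  # second endpoint
     "X-DyLogic-MCS-Token: 7c2e91ab\r\n\r\n"),
    ("192.0.2.22", "REGISTER sip:mcs.example.invalid SIP/2.0\r\n"
     "From: <sip:bob@example.invalid>;tag=b1\r\n"
     "X-DyLogic-MCS-Token: 0d44f1e3\r\n\r\n"),
]

def parse_sip(raw):
    """Return (method, headers) with header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def from_user(headers):
    """User part of the From URI, e.g. alice@example.invalid."""
    m = re.search(r"sip:([^;>]+)", headers.get("from", ""))
    return m.group(1) if m else None

def find_token_replays(records):
    """Report (user, token) pairs presented from more than one source address.
    One MCS token appearing from two endpoints is the observable signature of
    the replay in the advisory. Caveat: a client whose address changes (NAT
    rebinding, roaming) also trips this, so hits are alerts, not proof."""
    seen = defaultdict(set)
    for src, raw in records:
        method, hdrs = parse_sip(raw)
        token = hdrs.get("x-dylogic-mcs-token")
        if method == "REGISTER" and token:
            seen[(from_user(hdrs), token)].add(src)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (user, token), srcs in find_token_replays(SAMPLE_REGISTERS).items():
        print(f"token {token} for {user} presented from {srcs}")
```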

Disclosure Timeline:
12/07/2005 Initial vendor notification - GlowPoint
12/07/2005 Initial vendor response
12/31/2005 Public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:lists@xxxxxxxxxxxx> Nils
Ohlmeier.
The original article can be found at:
<http://www.iptel.org/security/2005-12-31.html>


