draft-state-sip-relay-attack-00 documents yet another vulnerability in SIP, this time allowing an attacker to use a victims credentials to send authenticated requests as the victim.  This could be used, for example, to charge calls to the victim.

Any scalable solutions i've been able to come up with so far have been blown away by the fact the attacker can cause the target URI (as the victim sees it) to be whatever we want, as I just commented on sip@ietf.org:

Thanks for documenting this!

page 10:

  It is worth noting that the protection 
  provided on the request URI is purely theoretical, as [RFC3261] 
  introduces an exception to the request URI checking required by 
  [RFC2617] in section 22.4:

Another important consideration to keep in mind while thinking about solutions is that the Contact header in the dialog creating request can be pretty much anything bob likes if he also adds a Record-Route header in, leading to the dialog target URI at alice's UA being whatever bob wants, and thus the Authentication header can be manipulated to contain whatever the attacker wants in the uri parameter.  To explain - consider Figure 1 in the draft.

F1 could be sent by bob@rouge.com as:

INVITE sip:alice@proxy.com SIP/2.0 
Contact: <sip:+1-900-xxx@proxy.com> 
Record-Route: <sip:bob@rouge.com;lr>

thus, when alice creates the dialog, the remote URI will indeed be +1-900-xxx@proxy.com, and your in-dialog F10 message will be:

  F10 INVITE Alice -> Bob

     INVITE sip:+1-900-xxx@proxy.com SIP/2.0 
     Route: <sip:bob@rouge.com;lr> 
     Proxy-Authorization: Digest username="alice", realm="proxy.com",  uri="sip:+1-900-xxx@proxy.com", nonce="f84f1cec41e6cbe5aea9c8e88d359543",  response="3bea678acef9875433487f23a567d876",  opaque="", algorithm=MD5 
     Content-Type: application/sdp 
     Content-Length:...

presto - the authentication header now even contains the URI you want to call.  note that a re-INVITE could also be done to change the target URI a few times to get different Authentication headers with different URIs in, all legitimate.

As to the potential solutions: both only accepting from registered contact or any attempt at avoiding sending re-INVITE [1] are in my opinion unfeasible and broken - i'll have some thought on others, though :-)

~ Theo

1 - REFER is another in-dialog method that could be abused - an OOD REFER may be accepted with authentication by - for example - a PSTN gateway.  Social engineering of alice could result in alice's UA sending a REFER that could then be used.

I've just been for a long run and thought about this, and not come up with even a half sane solution: blurgh.

bed.

endors that don't provide me with an email  address of an english speaking human point of contact that can handle protocol bugs and isn't a front desk ticket person who has no idea what i'm talking about or tries to tell me to use another protocol like h323 instead can get their bugs stuck here instead!

Call from an E1:

INVITE sip:xxxxxx@X.X.X.X SIP/2.0

To: <sip:xxxxxx@X.X.X.X>

User-Agent: Cisco-SIPGateway/IOS-12.x

Our SIP server returns a 302 with new Contact:

SIP/2.0 302 Directed

Contact: <sip:Y.Y.Y.Y;param>

Server: InUrSIPPacketzRedirectingUr/INVITES

New INVITE following the 3xx FAIL:

INVITE sip:Y.Y.Y.Y;param SIP/2.0

To: <sip:@Y.Y.Y.Y>

User-Agent: Cisco-SIPGateway/IOS-12.x

Anyone from Cisco reading (and i know you do) - please can you get someone to fix it: I gave up trying to get bugs in your stacks fixed a long time ago :-)

Cisco IOS Software, 5350 Software (C5350-JK9S-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

As SIP-enabled phones capable of receiving calls from callers with SIP URIs as identifiers, much thought needs to be given to how these identifiers (assuming they are verified) are rendered to end users.

It is common for a phone to render the "Display Name" in a SIP request on the phone's UI.  This value is set by the caller themselves, an in the case where a caller is an attacker, can manipulate it to make the UI display a value of it's choice, for example:

  From: "manager@hsbc.co.uk" <sip:attacker@evil.example.com>;tag=xxx

Every single SIP device I tested displayed this as manager@hsbc.co.uk on the screen.

Even more thought needs to be taken when allowing Call-Info.  A picture of a padlock could be sent with Call-Info to render a picture of a padlock on the screen, lulling the user into thinking the call is secure.

Some people suggest instead you render the URI of the identity, but how do UIs render this?

From: <sip:manager%40hsbc.co.uk%00@evil.example.com>;tag=xxx

You guessed it, on the phone on my desk, I get:

manager@hsbc.co.uk

Ahem.

Identity in SIP is more than just technical solutions.  User Interfaces need to be carefully considered.