Rule Submit: Centrality IP Phone (PA-168 Chipset) Session Hijacking
(msg #00151, security.ids.snort.bleedingsnort)
This rule detects when an attempt is made to hijack a session using specific IP phones. After initially authenticating with the device, there is no authentication token passed back and forth, therefore any well-formed request will be performed by the server.

An example session includes:

```http
POST /g HTTP/1.1
Host: 192.168.1.100
Content-Length: 13

back=++Back++

HTTP/1.1 200 OK
Content-Length: 16727
Content-Type: text/html
Connection: close

<TITLE>IP Phone V1.54</TITLE>
[output omitted]
<INPUT name=sipproxy value="sip.test.com">
<INPUT name=domain value="sip.test.com">
<INPUT name=account value="myaccount" size=24 maxlength=32>
<INPUT name=pin type=password value="1234">
<INPUT name=superpassword type=password value="12345678">
<INPUT name=password type=password value="1234">
[output omitted]
```

The signature requires the URI to be /g followed by # (anchors), ? (GET parameters), or $ (end of URI) so that longer URIs do not create false alerts.

```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; uricontent:"/g"; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; classtype:attempted-user; sid:2003328; rev:1; )
```

Thanks Shirkdog for pointing out this issue and helping put this signature together.

Committed with sid:2003328

-Blake

--
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged. If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately. Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email. This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
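To make the false-positive logic of the signature concrete, the following Python re-implements the four checks the rule above performs (the `POST ` prefix within `depth:5`, `uricontent:"/g"`, `content:"back=++Back++"`, and the `pcre` anchored on the request URI) and runs them over a few constructed requests. This is an added example for illustration, not code from Blake's post or from the Bleeding Edge ruleset; it approximates Snort's matching with plain case-insensitive string compares and applies the regex to the raw request URI rather than Snort's normalized URI buffer, and the sample requests are constructed here.

```python
import re

# Same expression as the rule's pcre:"/^\/g($|[?#])/Ui": the URI must be
# exactly "/g", or "/g" immediately followed by a query string or an anchor.
# Longer paths such as "/global" or "/g2" therefore do not match.
URI_RE = re.compile(r"^/g($|[?#])", re.IGNORECASE)


def parse_request(raw: bytes) -> tuple[str, str, str]:
    """Split a raw HTTP request into (method, uri, body).

    Returns empty strings for a request line that cannot be split.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "", "", body.decode("latin-1")
    return parts[0], parts[1], body.decode("latin-1")


def matches_sid_2003328(raw: bytes) -> bool:
    """Apply the rule's content checks to one client-to-server request."""
    # content:"POST "; nocase; depth:5  -> first five payload bytes
    if raw[:5].lower() != b"post ":
        return False
    _method, uri, body = parse_request(raw)
    # uricontent:"/g"; nocase
    if "/g" not in uri.lower():
        return False
    # content:"back=++Back++"; nocase  (anywhere in the payload)
    if "back=++back++" not in body.lower():
        return False
    # pcre:"/^\/g($|[?#])/Ui"  -> rejects longer URIs that merely start with /g
    return URI_RE.search(uri) is not None


def scan(requests: dict[str, bytes]) -> list[str]:
    """Return the labels of the constructed requests that would raise the alert."""
    return [label for label, raw in requests.items() if matches_sid_2003328(raw)]


# Constructed sample traffic (not captured data): the request shape from the
# post, the same body sent to a longer URI, a GET, and a /g with a query string.
SAMPLES = {
    "hijack_post": (
        b"POST /g HTTP/1.1\r\nHost: 192.168.1.100\r\nContent-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
    "longer_uri": (
        b"POST /global HTTP/1.1\r\nHost: 192.168.1.100\r\nContent-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
    "get_only": b"GET /g HTTP/1.1\r\nHost: 192.168.1.100\r\n\r\n",
    "with_query": (
        b"POST /g?x=1 HTTP/1.1\r\nHost: 192.168.1.100\r\nContent-Length: 13\r\n\r\n"
        b"back=++Back++"
    ),
}

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print(f"ALERT sid:2003328 on {label}")
```

Running the block reports only `hijack_post` and `with_query`; `longer_uri` is dropped by the `pcre` even though `uricontent:"/g"` alone would have matched it, which is the point the post makes about avoiding false alerts on longer URIs.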