DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

sipvicious exploits port 5060 on 2820Vn with latest firmware

05 May 2011 14:34 #67605 by 414nsw
As you point out there is no PBX server at the 2820Vn IP destination so why should port 5060 be responding at all as it's not a PBX ??

The ISP is not stopping any traffic, the SaaS VoIP service provider (ITSP) is stopping outgoing voice traffic.

The 2820Vn is acting as a client aggregator (and does have ALL client login details for each analogue handset), each handset or device is routed through the 2820Vn giving these dumb handsets (or other devices) an IP presence on the ITSP network.

My question still remains why is a port that is neither open nor port forwarded responding to a probe ?

How can I or the ITSP provider be confident that a hacker cannot spoof themselves as a client ??

05 May 2011 15:35 #67607 by admin

414NSW wrote: As you point out there is no PBX server at the 2820Vn IP destination so why should port 5060 be responding at all as it's not a PBX ??

Because it is a SIP client and can receive VoIP calls to its analogue phone ports.

414NSW wrote: The 2820Vn is acting as a client aggregator (and does have ALL client login details for each analogue handset)

I don't understand what you mean; the router has no facility for storing client logins for handsets behind it!

414NSW wrote: My question still remains why is a port that is neither open nor port forwarded responding to a probe ?

Your question doesn't "remain" as you didn't ask it previously :-) You issued a "warning" to other users (one which appears to be bogus so far) and have alleged a vulnerability, which you have yet to explain.

414NSW wrote: How can I or the ITSP provider be confident that a hacker cannot spoof themselves as a client ?

"Spoof" ? Do you mean uses someone else's SIP ID and password? That's not "spoofing" and I don't see how it's relevant to this, nor that there is any vulnerability whatsoever.



Forum Administrator

09 May 2011 11:36 #67651 by 414nsw
So all SIP clients on the internet respond to any probe on port 5060 ??

If I can't store client logins for each analogue handset, (analogue port) how do they register as a SIP client, is it magic ??

My question does remain as I asked it to the DrayTek tech support team who have not responded since voipfone contacted them directly and outlined the issue ??

http://en.wikipedia.org/wiki/Session_Initiation_Protocol

Each transaction consists of a client request that invokes a particular method or function on the server and at least one response...if I'm not running a server why is port 5060 responding to a probe as no server / client session has been established ??

http://blog.sipvicious.org/2007/11/introduction-to-svmap.html

UPDATE: DrayTek tech support are now asking which commands are being used in Sipvicious to reveal the open system

09 May 2011 11:40 #67652 by 414nsw
btw it is spoofing....

"the act of one person pretending to be someone else"

http://answers.ask.com/Computers/Other/what_is_spoofing
http://www.wisegeek.com/what-is-spoofing.htm
http://www.blurtit.com/q679877.html

09 May 2011 12:22 #67653 by 414nsw
p.s. I'm not trying to be awkward / funny here - I've got a service provider that is concerned about network security and my account's outgoing traffic has been disabled.

SIP exploits are on the rise so we have to be vigilant and check this out.

Somebody has got this wrong and I don't care who, I just want this fixed as I'm a customer of both organisations.

What is happening does not appear to be correct as far as I am concerned and with my little knowledge / experience I am going to push this issue until I'm satisfied that I have a crystal clear response, which as of yet I do not.

All I have is "it's vulnerable" or "it's not vulnerable".....from either side....you can imagine my concern and frustration.

UPDATE: Draytek say that no vulnerability has been identified.

09 May 2011 13:29 #67654 by admin

414NSW wrote: p.s. I'm not trying to be awkward / funny here - I've got a service provider that is concerned about network security and my account's outgoing traffic has been disabled.

Okay, fair enough but you used the term 'vulnerability' and warned others to beware - you didn't say that was advice passed on by a third party and you're just an innocent :-)

414NSW wrote: SIP exploits are on the rise so we have to be vigilant and check this out.

Quite right; VoIP theft is on the rise (although most theft is apparently from poorly secured PBXs where people use default or weak passwords like 1234).

414NSW wrote: Somebody has got this wrong and I don't care who, I just want this fixed as I'm a customer of both organisations.

Okay, but I'm not sure anything needs to be fixed. Your router is listening on Port 5060, presumably so that it can receive incoming calls. If it doesn't listen, it can't hear!


414NSW wrote: What is happening does not appear to be correct as far as I am concerned and with my little knowledge / experience

Well, I have not understood why.

414NSW wrote: UPDATE: Draytek say that no vulnerability has been identified.

Well, unless someone identifies a vulnerability, that is always the correct and default position and even saying "listening to 5060 is a vulnerability" is not correct unless there was an actual exploit discovered.



Forum Administrator
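
Added example, not part of the thread and not DrayTek or ITSP code: a device that listens on 5060 to receive calls will also see unsolicited requests from the internet, so this sketch triages datagrams seen on UDP 5060 into provider traffic, scanner probes and other unsolicited requests. The trusted range, addresses and sample datagrams are constructed placeholders; "friendly-scanner" is the default User-Agent sent by SIPVicious.

```python
import ipaddress

# Assumption: the ITSP's SIP proxy range (documentation-range placeholder).
TRUSTED_SIP_PEERS = [ipaddress.ip_network("192.0.2.0/28")]
SCANNER_AGENT = "friendly-scanner"  # SIPVicious' default User-Agent string

def parse_sip_request(raw: bytes):
    """Return (method, headers) for a SIP request, or None for anything else."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # SIP responses and non-SIP datagrams end up here
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), headers

def classify(src_ip: str, raw: bytes) -> str:
    """Label one datagram that arrived on UDP 5060."""
    parsed = parse_sip_request(raw)
    if parsed is None:
        return "not-a-sip-request"
    method, headers = parsed
    if SCANNER_AGENT in headers.get("user-agent", "").lower():
        return "scanner-probe"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_SIP_PEERS):
        return "provider-" + method.lower()
    return "unsolicited-" + method.lower()

# Constructed sample datagrams (source address, payload); not real captures.
SAMPLES = [
    ("203.0.113.50", b"OPTIONS sip:100@198.51.100.7 SIP/2.0\r\n"
                     b"User-Agent: friendly-scanner\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.5", b"INVITE sip:line1@198.51.100.7 SIP/2.0\r\n"
                  b"User-Agent: ExampleProxy\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.77", b"INVITE sip:1000@198.51.100.7 SIP/2.0\r\n"
                     b"Content-Length: 0\r\n\r\n"),
    ("203.0.113.77", b"SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

def triage(samples=SAMPLES):
    """Return (source address, verdict) for each sample datagram."""
    return [(ip, classify(ip, raw)) for ip, raw in samples]

if __name__ == "__main__":
    for ip, verdict in triage():
        print(f"{ip:15} {verdict}")
```

A changed User-Agent defeats the string match, so the source-address check is the one that carries weight; the scanner label only helps when reading logs.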
