Trustix Secure Linux Security Advisory 2005.12

Posted Dec 31, 2005
Authored by Nils Ohlmeier

Sony's Instant Video Everywhere Service is susceptible to a replay attack due to passing credentials over an insecure connection.

tags | advisory
SHA-256 | e411ec2ce0ca7bfaff8b07af72e19f12795d3e954c3ab8a63ed6f90810b8e1d0

Replay Attack Vulnerability on Sony's Instant Video Everywhere Service

http://www.iptel.org/security/2005-12-31.html
December 31, 2005

I. Background

Sony offers a SIP-based voice and video service called IVE.
By downloading a client application for the Windows operating system,
anybody can make free voice and video calls between the members
of the IVE service. For an additional monthly charge the users can
also make calls into the PSTN (ordinary telephones and cell phones).

More information is available from the website:

http://www.myive.com

II. Description

After the IVE client application is started and the username and
password are entered into the initial dialog, the application sends an
HTTP request to one of the servers of the service provider GlowPoint to
fetch initial provisioning data. This request is sent over an
unencrypted TCP connection. The request URI of this initial HTTP request
contains two parameters named "userLogin" and "userPassword". The
userLogin parameter contains the customer's username (their e-mail
address) in clear text. The userPassword parameter contains a
hexadecimal string; this string is constant for every provisioning
request as long as the user does not change the password.

The response to this HTTP request contains a list of attribute-value
pairs. One of the attributes is named "token". The value of this "token"
changes for every new HTTP request that is sent to the server.
Furthermore, the "token" value appears in the request URI of several
additional HTTP requests and in the SIP signaling. In the SIP REGISTER
requests from the IVE client the "token" value is carried in the
"X-DyLogic-MCS-Token" header.

III. Analysis

The server responds to a REGISTER request only if the request contains
the "X-DyLogic-MCS-Token" header with the exact value from the
provisioning data set (obtained by the preceding HTTP request).

If someone other than the real user (the attacker) knows the "userLogin"
and "userPassword" values, he can send the same HTTP request (with any
HTTP client) to the provisioning server to obtain an up-to-date
provisioning data set. If the attacker copies the "token" value from
this provisioning data set into a SIP REGISTER request, he can log in to
the IVE service with any SIP client and receive calls for the real user
(as long as the real user is not online with his IVE client at the same
time). The most recent "token" value is accepted by the server for
several hours, as long as no additional HTTP provisioning request has
been sent to the server.

As the hexadecimal string value of the "userPassword" is not equal to the
user's real password, a potential attacker would not be able to log in to
the IVE web frontend just by knowing the "userPassword" value.
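
As an added example that is not part of the advisory, the following Python check reviews constructed provisioning and REGISTER records for the two weaknesses described in sections II and III: credentials carried in the query string of a plain-HTTP request, and a provisioning token presented from a host other than the one that fetched it, or long after it was issued. The hostname, record format, token values and the two-hour age threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

CREDENTIAL_PARAMS = ("userLogin", "userPassword")  # parameter names from the advisory
TOKEN_HEADER = "X-DyLogic-MCS-Token"                # SIP header name from the advisory

# Constructed sample records, not real traffic. "prov" is the HTTP provisioning
# request (uri = request URI, token = value returned in its response); "register"
# is a SIP REGISTER carrying the token header. Hostname and tokens are made up.
RECORDS = [
    {"ts": "2005-12-07T09:00:00", "src": "10.0.0.5", "kind": "prov",
     "uri": "http://provisioning.example/init?userLogin=alice%40example.org&userPassword=0123abcd",
     "token": "tok-aaaa1111"},
    {"ts": "2005-12-07T09:00:05", "src": "10.0.0.5", "kind": "register", "token": "tok-aaaa1111"},
    {"ts": "2005-12-07T11:30:00", "src": "10.0.0.9", "kind": "register", "token": "tok-aaaa1111"},
    {"ts": "2005-12-07T16:00:00", "src": "10.0.0.5", "kind": "register", "token": "tok-aaaa1111"},
    {"ts": "2005-12-07T16:05:00", "src": "10.0.0.7", "kind": "register", "token": "tok-zzzz9999"},
]

def cleartext_credentials(uri):
    """Return the credential parameter names carried in the query of a plain-HTTP URI."""
    parts = urlsplit(uri)
    if parts.scheme != "http":          # over https the query would not be visible on the wire
        return []
    query = parse_qs(parts.query)
    return [p for p in CREDENTIAL_PARAMS if p in query]

def review(records, max_age_hours=2):
    """Walk records in time order and return findings for the weaknesses the advisory describes."""
    findings = []
    issued = {}                          # token -> (issue time, source that fetched it)
    max_age = timedelta(hours=max_age_hours)
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["kind"] == "prov":
            for p in cleartext_credentials(r["uri"]):
                findings.append(f"{r['ts']} {r['src']}: {p} sent in clear text over HTTP")
            issued[r["token"]] = (ts, r["src"])   # remember who fetched this token and when
        elif r["kind"] == "register":
            tok = r["token"]
            if tok not in issued:
                findings.append(f"{r['ts']} {r['src']}: {TOKEN_HEADER} {tok} never seen issued")
            elif r["src"] != issued[tok][1]:
                findings.append(f"{r['ts']} {r['src']}: {TOKEN_HEADER} {tok} replayed from another host")
            elif ts - issued[tok][0] > max_age:
                findings.append(f"{r['ts']} {r['src']}: {TOKEN_HEADER} {tok} still accepted after {max_age_hours}h")
    return findings
```

Calling `review(RECORDS)` on the constructed records yields five findings: both credential parameters in the clear, one token replayed from a second host, one stale token still in use, and one token that was never issued.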

IV. Affected Versions

The IVE client version "v4.4.0 MCS" is affected by this vulnerability.

V. Workarounds

* Change your IVE user password very often.
* Use the IVE client only from trustworthy networks.
* Wait for a new IVE client version which fixes the described problems.

VI. Disclosure Timeline

12/07/2005 Initial vendor notification - GlowPoint
12/07/2005 Initial vendor response
12/31/2005 Public disclosure

VII. Credit

Nils Ohlmeier discovered this vulnerability.

VIII. Legal Notice

Copyright © 2005 iptelorg GmbH

Permission is granted for the redistribution of this alert electronically.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.