As described in my last post, the BT Home Hub 5 A and B have a flaw where certain outbound UDP traffic on port 5060 seems to open that port to the whole internet, so that anything outside can connect back inbound to the LAN computer that made the request.
I set about thinking of the ways to exploit this, especially as UDP is an insecure protocol in the sense that the source IP address can very easily be spoofed.
In my testing it seems that just any old traffic with UDP source and destination port 5060 isn't enough to trigger the Home Hub to open and map the WAN side.
Secondly, it isn't enough to send just a failed SIP auth request either. This removes my idea of simply writing a program that would spoof a SIP request and let any internal user map port 5060 to any server in the LAN.
It looks like you need a successful SIP authentication / REGISTER request.
I am not an expert on the SIP protocol so I don't really know how easy this is to spoof. My packet captures seem to suggest that you first send an initial request to the SIP server without a password, which gets rejected along with a nonce for you to encrypt the password against. Your SIP client then encrypts the password and sends it back to the SIP server in a second request along with the nonce, and you are then authenticated or rejected depending on whether you used the right details.
This two-way conversation makes spoofing the source IP difficult. I don't know if you can send an authentication request without encryption, or if you can send the first request from a real IP, sign/hash the password, and then send the second (successful) request from the spoofed LAN IP.
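To make the two-step exchange above concrete, here is an added example (my own illustration, not code from the original post or from BT) of SIP digest authentication as specified in RFC 3261 / RFC 2617: a toy registrar issues a nonce in its 401 reply, the client's second REGISTER carries an MD5 digest computed over that nonce, and the registrar only accepts a nonce it issued and has not yet seen used. The registrar class, the user account and the realm are constructed sample data; the qop extension is left out for brevity.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Digest response without qop (RFC 2617 / RFC 3261): MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Toy SIP registrar (hypothetical, not a real SIP stack) modelling the exchange."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (constructed sample accounts)
        self.issued = set()         # outstanding nonces; each one is accepted once

    def register(self, username, uri, nonce=None, response=None):
        # First REGISTER carries no credentials: answer 401 with a fresh nonce.
        if nonce is None or response is None:
            fresh = secrets.token_hex(16)
            self.issued.add(fresh)
            return 401, fresh
        # Second REGISTER: the nonce must be one we issued and not yet used.
        if nonce not in self.issued:
            return 401, None        # stale, replayed or guessed nonce
        self.issued.discard(nonce)
        password = self.users.get(username)
        expected = None if password is None else digest_response(
            username, self.realm, password, "REGISTER", uri, nonce)
        if expected is None or expected != response:
            return 403, None        # wrong credentials (nonce is now spent)
        return 200, None            # registered


def run_exchange(registrar, username, password_used):
    """Play the client side of the two-step REGISTER; returns (status, nonce, response)."""
    uri = f"sip:{registrar.realm}"
    status, nonce = registrar.register(username, uri)          # challenge: 401 + nonce
    resp = digest_response(username, registrar.realm, password_used, "REGISTER", uri, nonce)
    status, _ = registrar.register(username, uri, nonce=nonce, response=resp)
    return status, nonce, resp


REGISTRAR = Registrar("example.invalid", {"1001": "correct-horse"})  # constructed data
```

Because the response is bound to a nonce the registrar chose, the second message cannot be prepared before the first reply is received, which is the dependency that makes a one-way, spoofed-source exchange hard.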
This all gets into the realm of too much effort for little reward, but the above information may be useful for someone else doing research on the BT Home Hub SIP ALG (Application Layer Gateway) flaw.