Info

Disclosure

Aug 11, 2004

Discovery

Jul 09, 2004

Dates

Exploit

Aug 11, 2004

Solution

Unknown

Description

Several products of T-Mobile and Verizon Northwest contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is due to the implicit trust of Caller-IDs (CID) as the sole authentication mechanism. By spoofing the target number and calling the target, the voice mailbox would go into administation mode without verifying any authentication if the call stays unanswered. It is possible for a remote attacker to arbitrarily access the targets voicemail message center resulting in a loss of integrity and/or confidentiality.

Classification

Location: Dialup Access Required
Attack Type: Authentication Management, Hijacking, Information Disclosure
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

T-Mobile Wireless

Unspecified

Unknown or Unspecified

Verizon Northwest

Unspecified

Unknown or Unspecified

References

Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0466.html

Credit

Samy Kamkar - Dachb0den Research Labs
Lance James - Secure Science Corporation

Direct URL: http://osvdb.org/36218