Penetration Testing mailing list archives
Re: New article on SecurityFocus: Two attacks against VOIP
From: Tobias Glemser <tglemser () tele-consulting com>
Date: Thu, 06 Apr 2006 11:08:48 +0200
Oh my ..

1. Hijack a user's VoIP Subscription

As can be seen at the beginning of page 2, the author describes an attack on a SIP Proxy without user authentication!

"This attack can be successful even if the remote SIP proxy server requires authentication of user registration, because the SIP messages are transmitted in the clear and can be captured, modified and replayed."

This is also false if we discuss an actual SIP-Proxy implementation.

E.g. a standard Asterisk SIP-Proxy will always reply with a "SIP/2.0 401 Unauthorized", also submitting a digest and a realm value. The client then has to authenticate using a response value which is normally an MD5 hash consisting of Username, Password, nonce, HTTP Request Method and Request URI.

This prevents the described attacks.

2. Eavesdropping

Right, in a switched network environment the attack is easy as described.

BUT: Any other service using IP is also "vulnerable"! This is NOT a VoIP-Problem in the first row if ARP-Poisoning is possible. This is a problem of your LAN-implementation.

If I had a choice between sniffing IP Traffic between CIO and File-Server using SMB or CEO and his/her secretary using RTP, I definitely would choose SMB-Traffic.

Conclusion:

Use a "state of the art" SIP-Proxy implementation using authentication (of course you already have one), secure your LAN-environment e.g. using VLANs to separate, 802.1x to authenticate and so on. This is sth. we've been preaching for years.

Cheers,

Toby

--
Tobias Glemser
tglemser () tele-consulting com
+49 (0)7032/97580 (fon)
+49 (0)7032/74750 (fax)
www.tele-consulting.com
Tele-Consulting security | networking | training GmbH
Siedlerstrasse 22-24, 71126 Gaeufelden, Germany

Erin Carroll wrote on 06.04.2006 07:47:

The following Infocus article was published on SecurityFocus recently:

Two attacks against VoIP
By Peter Thermos
2006-04-04

The purpose of this article is to discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.

http://www.securityfocus.com/infocus/1862

Also note: We enjoy publishing article submissions from the community. For submission guidelines and contact information please see http://www.securityfocus.com/static/submissions.html

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"