Penetration Testing mailing list archives

Re: New article on SecurityFocus: Two attacks against VOIP


From: Tobias Glemser <tglemser () tele-consulting com>
Date: Thu, 06 Apr 2006 11:08:48 +0200

Oh my ..

1. Hijack a user's VoIP Subscription
As can be seen at the beginning of page 2, the author describes an attack on a SIP Proxy without user authentication! "This attack can be successful even if the remote SIP proxy server requires authentication of user registration, because the SIP messages are transmitted in the clear and can be captured, modified and replayed."

This is also false if we discuss an actual SIP-Proxy implementation.
E.g. a standard Asterisk SIP-Proxy will always reply with a "SIP/2.0 401 Unauthorized", also submitting a digest and a realm value. The client then has to authenticate using a response value, which is normally an MD5 hash consisting of Username, Password, nonce, HTTP Request Method and Request URI.

This prevents the described attacks.

2. Eavesdropping
Right, in a switched network environment the attack is easy as described.

BUT: Any other service using IP is also "vulnerable"! This is NOT a VoIP problem in the first place if ARP poisoning is possible. This is a problem of your LAN implementation.

If I had a choice between sniffing IP traffic between the CIO and a file server using SMB or the CEO and his/her secretary using RTP, I would definitely choose the SMB traffic.

Conclusion:
Use a "state of the art" SIP-Proxy implementation using authentication (of course you already have one), secure your LAN environment, e.g. using VLANs to separate, 802.1x to authenticate and so on. This is something we've been preaching for years.

Cheers,

Toby

--
Tobias Glemser


##### ###  tglemser () tele-consulting com         +49 (0)7032/97580  (fon)
  #  #     www.tele-consulting.com              +49 (0)7032/74750  (fax)
  #  #
  #   ###  Tele-Consulting   security  |  networking  |  training  GmbH
                 Siedlerstrasse 22-24, 71126 Gaeufelden, Germany
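The 401/digest exchange Toby describes, as an added illustration that is not part of the original post and not Asterisk's own code: the proxy issues a per-challenge nonce, the client answers with MD5(HA1:nonce:HA2) as in RFC 2617/3261 without qop, and a captured Authorization header replayed against the proxy is refused because its nonce is no longer valid. The realm "example.com", the account "alice"/"s3cret" and the one-shot nonce policy are constructed for the example; real proxies differ in nonce lifetime and in storing HA1 rather than the password.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side: the response value Toby lists (user, password, nonce, method, URI)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class SipProxy:
    """Proxy side (constructed model): 401 with fresh nonce, then verify the digest."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password (real proxies store HA1 instead)
        self.pending = set()        # nonces issued in a 401 and not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return {"status": "SIP/2.0 401 Unauthorized", "realm": self.realm, "nonce": nonce}

    def register(self, auth):
        # A replayed header carries a nonce we already consumed: refuse it with a new 401.
        if auth["nonce"] not in self.pending:
            return "SIP/2.0 401 Unauthorized"
        password = self.users.get(auth["username"])
        if password is None:
            return "SIP/2.0 403 Forbidden"
        expected = digest_response(auth["username"], self.realm, password,
                                   "REGISTER", auth["uri"], auth["nonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return "SIP/2.0 403 Forbidden"
        self.pending.discard(auth["nonce"])   # one-shot nonce in this model
        return "SIP/2.0 200 OK"


def run_exchange():
    """Legitimate REGISTER followed by a replay of the same captured Authorization header."""
    proxy = SipProxy("example.com", {"alice": "s3cret"})    # constructed account
    ch = proxy.challenge()
    uri = "sip:example.com"
    auth = {"username": "alice", "uri": uri, "nonce": ch["nonce"],
            "response": digest_response("alice", ch["realm"], "s3cret", "REGISTER", uri, ch["nonce"])}
    first = proxy.register(auth)
    replay = proxy.register(dict(auth))     # same bytes sent again: nonce is spent
    return first, replay
```

The model shows why the challenge/response stops a straight replay; it says nothing about offline guessing of weak passwords from a captured digest, which is the separate reason to keep SIP traffic off a sniffable LAN segment.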

Erin Carroll wrote on 06.04.2006 07:47:
The following Infocus article was published on SecurityFocus recently:

Two attacks against VoIP
By Peter Thermos
2006-04-04

The purpose of this article is to discuss two of the most well known
attacks that can be carried out in current VoIP deployments. The first
attack demonstrates the ability to hijack a user's VoIP Subscription and
subsequent communications. The second attack looks at the ability to
eavesdrop on VoIP communications.

http://www.securityfocus.com/infocus/1862


Also note: We enjoy publishing article submissions from the community. For submission guidelines and contact information please see
http://www.securityfocus.com/static/submissions.html

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
