Re: Voice over IP

[Ryan Russell <ryan () securityfocus com>]

On Thu, 14 Jun 2001, Young, Brandon wrote:

> A couple of colleagues and I are working on a security audit for a
> VOIP system. Anyone know of any exploits and vulnerabilities that may
> exist with Cisco's call manager?

The last time I spoke with Cisco about this, the call manager was
basically an embedded NT box.  They would ship you an image, and you
weren't supposed to modify it yourself.  You can take this to mean that
any NT exploits won't be patched in a timely manner.  It's been a year or
two, so this may have changed.


> One thing we have found is that the
> traffic can be sniffed during phone calls. TCP is used for the
> initial connection setup and then once the phone has setup a session
> to the call manager it then uses the RTP protocol. We found that the
> conversation is placed in the PCMU audio codec. We are looking to
> find a way to extract the payloads and reassemble the audio so that
> we can play back the phone conversations.  We are also looking at
> launching a man in the middle attack and getting access to the
> conversation and trying and listen to it in real time instead of
> capturing and replaying. Any ideas on some possible ways to execute
> this?

Most commercial packet-capture software claims to have VoIP decoding, for
example SnifferPro from NAI.  Do a google search on "voip decode".  I
haven't had an opportunity yet to try any of them in this capacity.

                                        Ryan