Penetration Testing mailing list archives
RE: Voice over IP
From: John Bumgarner <JBumgarner () matrixnetworking net>
Date: Fri, 15 Jun 2001 10:07:07 -0400
Brandon, We are a Cisco VAR and have been using Cisco's VoIP products for 18 months. We have spoken with Cisco concerning security, which is not their priority. Both the Call Manager and the phones have problems. Some security flaws: (1) sniffing the traffic is one, which provides any items key into the phone (i.e. SSN, PIN #). This is great if you want to access banking records. (2) killing the Call Manager, this product has several buffer overflows. One overflow via HTTP allows you to gain access to entire phone system. (3) cracking the admin screen for both the Call Manager and the Phones. The web access screen for both the devices can be cracked. The only way to prevent this is with strong passwords and password procedures. (4) Of course the Phones can be killed with DoS. (5) There are also some proprietary tools that can capture and decompress the calls. You must have access to the internal network for this, which usually not a problem (especially with wireless). The only item that I have not tested is: sending traffic to the phones through the Internet to crash or control the phones or Call Manager. I hope that this information helps. John Bumgarner, MA, CISSP -----Original Message----- From: Young, Brandon [mailto:byoung () Calence com] Sent: Thursday, June 14, 2001 11:48 To: 'pen-test () securityfocus com' Subject: Voice over IP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, A couple of colleagues and I are working on a security audit for a VOIP system. Anyone know of any exploits and vulnerabilities that may exist with Cisco's call manager? One thing we have found is that the traffic can be sniffed during phone calls. TCP is used for the initial connection setup and then once the phone has setup a session to the call manager it then uses the RTP protocol. We found that the conversation is placed in the PCMU audio codec. We are looking to find a way to extract the payloads and reassemble the audio so that we can play back the phone conversations. We are also looking at launching a man in the middle attack and getting access to the conversation and trying and listen to it in real time instead of capturing and replaying. Any ideas on some possible ways to execute this? Thanks in advance, //CALENCE Brandon Young Consultant - Consulting Services 480.889.9736 byoung () calence com www.calence.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOyjc1HTH1Q5UAycjEQLCfgCfaesfZXb/E35EaTqE9sZdcPCZlGsAoJxf wh1QNRb61/lEJMHS5LhUDMS6 =atyJ -----END PGP SIGNATURE-----
Current thread:
- Voice over IP Young, Brandon (Jun 14)
- RE: Voice over IP Ofir Arkin (Jun 14)
- Re: Voice over IP Dug Song (Jun 15)
- Re: Voice over IP mht (Jun 19)
- Re: Voice over IP Dug Song (Jun 15)
- Re: Voice over IP Ryan Russell (Jun 14)
- Re: Voice over IP Desmond Irvine (Jun 15)
- Re: Voice over IP Andreas Östling (Jun 15)
- <Possible follow-ups>
- RE: Voice over IP John Bumgarner (Jun 15)
- RE: Voice over IP Ofir Arkin (Jun 14)