Security
Book Review: Hacking VoIP
If you use any flavor of voice-over-IP (VoIP) technology, whether free software or proprietary, lone softphone or multi-line office Asterisk server, then you need to take a hard look at VoIP security. Himanshu Dwivedi's Hacking VoIP: protocols, attacks, and countermeasures from No Starch Press provides a thorough, but clear, examination of the landscape. It systematically examines the core VoIP protocols, server and connection infrastructure, and social engineering weaknesses in VoIP deployment. It also provides example attacks that the reader can reproduce on test machines, and details the effective safeguards.
![Book cover](https://static.lwn.net/images/voip_cov.jpg)
The book covers security for all major breeds of voice-over-IP technology: Session Initiation Protocol (SIP)-based, H.323-based, and Inter-Asterisk Exchange (IAX)-based. SIP is found in most current-generation VoIP software, such as Twinkle, KPhone, and Telepathy. H.323 is an older protocol stack, but is still in widespread use, particularly through the Ekiga project. Both SIP and H.323 use Real-time Transport Protocol (RTP) to handle audio streams. IAX handles connection management and audio data in one protocol, and is used by the Asterisk telephony server, although Asterisk can handle SIP and H.323 as well.
Part I examines each protocol in turn: SIP, H.323, RTP, and IAX. The author provides an overview of the authentication, call set-up, session management, and audio transport of each protocol stack. He then explores weaknesses and potential attacks against each protocol in depth.
Part II looks at potential attacks on VoIP networks that exploit underlying Internet infrastructure that connects both clients and servers, such as Simple Network Management Protocol (SNMP) and DNS. It also examines non-technical security threats such as phishing and Spam Over IP Telephony (SPIT), and includes a brief roundup of the security status of various widely available public VoIP services.
Part III explores how to harden VoIP systems, using encryption and secure authentication based on technologies such as Transport Layer Security (TLS), Secure RTP (SRTP), and Phil Zimmermann's ZRTP. The book concludes with a step-by-step VoIP Security Audit Program created by the author.
Dwivedi's writing makes the subject matter accessible without sacrificing detail. His explanations of topics like SIP authentication handshakes are clear enough for a novice to understand. That clarity is critical for explaining more complicated issues like Man-in-the-Middle and eavesdropping attacks that consist of a precise sequence of events.
Better still, for each loophole exploited, he provides step-by-step instructions for executing the attack in a laboratory environment. The laboratory consists of an Asterisk server and one or more client applications connecting via SIP, H.323, or IAX. Some exploits — such as username sniffing — require only common network analysis tools like Wireshark. For those that require special capabilities, like injecting SIP packets, the author provides links to the appropriate applications.
If you are not already familiar with VoIP security, the outlook may frighten you. All three protocol stacks are assailable on a number of fronts, from identity spoofing to denial-of-service, and the chinks in the armor are part of the stacks themselves, not poor implementations.
For example, SIP and H.323 both use MD5 to hash authentication credentials, making them vulnerable to offline dictionary attacks. IAX supports stronger RSA authentication in addition to MD5, but it can be downgraded to plaintext authentication with a single spoofed packet. Denial of service attacks on all three protocols are as simple as flooding the network with registration rejection, call rejection, or call termination packets. RTP eavesdropping and audio insertion are possible because RTP assumes that the connection — established by SIP or H.323 — is secure.
The good news is that the strength of SIP, H.323, and IAX can be significantly improved. TLS can secure call set-up, SRTP can harden audio transport, and careful security auditing can close holes on gateway servers and proxies. But this takes active measures; as Dwivedi observes in the book, end users and administrators often make assumptions about the security of VoIP based on their past experience with the comparatively robust security of traditional phone systems and GSM networks.
Those assumptions are by and large wrong. Dwivedi devotes a chapter to scrutinizing the security of widespread VoIP products, from free services like Google Talk and Yahoo Messenger to commercial products like Vonage. Vonage uses neither TLS nor SRTP, making it vulnerable to every attack on SIP or RTP. Yahoo and Google gain some security by using TLS on their sign-on processes, but are still exposed to a long list of exploits.
In light of that chapter, I did a brief survey of the open source VoIP project scene to see which projects supported TLS, SRTP, and ZRTP; the results are not much better. A few projects, such as minisip and Twinkle, make security a priority, but most do not. Notably, Asterisk and Ekiga have long planned to support TLS and SRTP, but have yet to release a working build.
Hacking VoIP is a must-read for anyone interested in Internet telephony, whether as a developer or an end-user. Dwivedi clears away the fog surrounding VoIP security, revealing it for what it is: attainable, but only through conscious effort.
Every day, I see more and more TV commercials advertising "magic" boxes that plug in to your telephone and your broadband, allowing you to make free or cheap telephone calls. These products are undoubtedly SIP-and-RTP-based devices with no security. VoIP is still in its infancy compared to email and the Web; making security commonplace is still possible. By spreading a good understanding of the seriousness of the issues and how to solve them, this book could go a long way towards making that a reality.
Brief items
Need help on possible PG 8.4 security features
PostgreSQL is considering adding some security features for version 8.4 and is looking for security folks to review the code. "The PostgreSQL community is considering including security enhancements in Postgres 8.4, e.g. row-level permissions and SE-Linux security. However, to evaluate the patch and its usefulness, we need security experts who want to use this capability or have used it in other databases." Click below for the full message. (Thanks to Alvaro Herrera).
New vulnerabilities
cups: insecure tmp file usage
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| cups | CVE-2009-0032 | January 26, 2009 | January 28, 2009 |

Description: From the Mandriva advisory: A vulnerability has been discovered in CUPS shipped with Mandriva Linux which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032).
DevIL: off by one error
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| DevIL | CVE-2008-5262 | January 22, 2009 | March 9, 2009 |

Description: DevIL, the Developer's Image Library, has an off-by-one error. From the Red Hat Bug entry: Multiple stack-based buffer overflows in the iGetHdrHeader function in src-IL/src/il_hdr.c in DevIL 1.7.4 allow context-dependent attackers to execute arbitrary code via a crafted Radiance RGBE file.
dia: arbitrary code execution
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| dia |  | January 27, 2009 | January 28, 2009 |

Description: From the Fedora advisory: Filter out untrusted python modules search path to remove the possibility to run arbitrary code on the user's system if there is a python file in dia's working directory named the same as one that dia's python scripts try to import.
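The dia fix above comes down to removing the working directory from the module search path before trusted scripts import their helpers. The following Python script is added here as an illustration and is not dia's own code: it constructs a trusted plugin directory and a working directory that both contain a module named dia_helper (a hypothetical name), and shows the import resolving to the planted copy before the filter is applied and to the trusted copy afterwards.

```python
import importlib
import os
import sys
import tempfile


def untrusted_entries(search_path, cwd):
    """Search-path entries that resolve to the working directory ('' means cwd)."""
    cwd = os.path.realpath(cwd)
    return [e for e in search_path if e == "" or os.path.realpath(e) == cwd]


def filtered_search_path(search_path, cwd):
    """The fix the dia advisory describes: drop the cwd-derived entries so a
    file in the user's working directory cannot shadow a trusted module."""
    bad = set(untrusted_entries(search_path, cwd))
    return [e for e in search_path if e not in bad]


def import_origin(name, search_path):
    """Import `name` fresh using exactly `search_path` as sys.path, return its
    ORIGIN constant, and restore sys.path and sys.modules afterwards."""
    saved = sys.path[:]
    sys.modules.pop(name, None)
    importlib.invalidate_caches()
    try:
        sys.path[:] = search_path
        return importlib.import_module(name).ORIGIN
    finally:
        sys.path[:] = saved
        sys.modules.pop(name, None)


def demo():
    """Constructed scenario: a trusted plugin dir and the cwd both hold dia_helper.py (hypothetical name)."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        trusted = os.path.join(scratch, "plugins")
        workdir = os.path.join(scratch, "work")
        for d, origin in ((trusted, "trusted"), (workdir, "shadow")):
            os.mkdir(d)
            with open(os.path.join(d, "dia_helper.py"), "w") as f:
                f.write(f"ORIGIN = {origin!r}\n")
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            unsafe = ["", trusted]  # cwd searched first, as in the bug
            results["unsafe"] = import_origin("dia_helper", unsafe)
            safe = filtered_search_path(unsafe, os.getcwd())
            results["safe"] = import_origin("dia_helper", safe)
            results["dropped"] = untrusted_entries(unsafe, os.getcwd())
        finally:
            os.chdir(old_cwd)
    return results
```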
ganglia-monitor-core: arbitrary code execution
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| ganglia-monitor-core | CVE-2009-0241 | January 26, 2009 | June 9, 2009 |

Description: From the Debian advisory: Spike Spiegel discovered a stack-based buffer overflow in gmetad, the meta-daemon for the ganglia cluster monitoring toolkit, which could be triggered via a request with long path names and might enable arbitrary code execution.
kernel: several vulnerabilities

| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| kernel | CVE-2009-0029 CVE-2009-0065 | January 27, 2009 | October 5, 2009 |

Description: From the Fedora advisory:
- CVE-2009-0029: Linux Kernel insecure 64-bit system call argument passing.
- CVE-2009-0065: kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID.
ktorrent: arbitrary uploads, code execution
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| ktorrent | CVE-2008-5905 CVE-2008-5906 | January 27, 2009 | February 24, 2009 |

Description: From the Ubuntu advisory:
- It was discovered that KTorrent did not properly restrict access when using the web interface plugin. A remote attacker could use a crafted http request and upload arbitrary torrent files to trigger the start of downloads and seeding. (CVE-2008-5905)
- It was discovered that KTorrent did not properly handle certain parameters when using the web interface plugin. A remote attacker could use crafted http requests to execute arbitrary PHP code. (CVE-2008-5906)
moodle: insecure temp file
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| moodle | CVE-2008-5153 | January 22, 2009 | June 25, 2009 |

Description: moodle has an insecure temp file vulnerability. From the Red Hat Bug entry: spell-check-logic.cgi in Moodle 1.8.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/spell-check-debug.log, /tmp/spell-check-before, or /tmp/spell-check-after temporary file.
mumbles: unsafe shell usage
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| mumbles |  | January 22, 2009 | January 28, 2009 |

Description: mumbles uses the shell in an unsafe manner. From the Red Hat Bug entry: The Firefox plugin uses os.system in an insecure fashion.
nessus-core: signature verification flaw
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| nessus-core | CVE-2009-0125 | January 26, 2009 | October 13, 2009 |

Description: From the CVE entry: ** DISPUTED ** NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification."
php: information disclosure
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| php | CVE-2008-5498 | January 22, 2009 | January 6, 2010 |

Description: php has an information disclosure vulnerability. From the Mandriva alert: An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498).
scilab: insecure temp file
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| scilab | CVE-2008-4983 | January 22, 2009 | January 28, 2009 |

Description: Scilab, a scientific software package for numerical computations, uses temporary files insecurely, which can be exploited via a symlink attack.
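The cups, moodle and scilab entries above all describe the same bug class: a predictable file name in a shared temporary directory that another local user can pre-create as a symlink. The following Python script, added here as an illustration and not taken from any of those packages, replays that attack in a private scratch directory and contrasts the vulnerable plain open() with the O_EXCL|O_NOFOLLOW and mkstemp() fixes; the names pdf.log and victim.txt are constructed for the demo.

```python
import os
import tempfile


def vulnerable_open_log(path: str) -> None:
    """Insecure pattern from the cups, moodle and scilab entries: a fixed,
    predictable name in a shared directory opened with plain open(), which
    follows a symlink planted there by another local user."""
    with open(path, "w") as f:
        f.write("log output\n")


def safe_open_log(path: str) -> None:
    """Hardened pattern: O_EXCL rejects any pre-existing object at `path`
    (a symlink included, dangling or not) and O_NOFOLLOW refuses to traverse
    a symlink in the final component; mode 0o600 keeps the file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("log output\n")


def safe_mkstemp_log(directory: str) -> str:
    """Preferred fix: tempfile.mkstemp picks an unpredictable name and opens
    it with O_EXCL itself; the caller keeps using the returned path."""
    fd, path = tempfile.mkstemp(prefix="pdf-", suffix=".log", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write("log output\n")
    return path


def demo() -> dict:
    """Replay the symlink attack in a private scratch directory (constructed,
    not /tmp) and report what each pattern did to the victim file."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as f:
            f.write("original contents\n")
        planted = os.path.join(scratch, "pdf.log")  # attacker's symlink
        os.symlink(victim, planted)
        vulnerable_open_log(planted)  # follows the link: victim clobbered
        with open(victim) as f:
            results["victim_after_vulnerable"] = f.read()
        try:
            safe_open_log(planted)  # refuses the planted link
            results["safe_open_raised"] = None
        except OSError as exc:
            results["safe_open_raised"] = type(exc).__name__
        fresh = safe_mkstemp_log(scratch)
        results["mkstemp_regular_file"] = os.path.isfile(fresh) and not os.path.islink(fresh)
    return results
```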
tor: heap corruption
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| tor |  | January 26, 2009 | January 28, 2009 |

Description: From the Tor release notes: Fix a heap-corruption bug that may be remotely triggerable on some platforms. Reported by Ilja van Sprundel.
typo3-src: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| typo3-src | CVE-2009-0255 CVE-2009-0256 CVE-2009-0257 CVE-2009-0258 | January 27, 2009 | February 11, 2009 |

Description: From the Debian advisory:
- Chris John Riley discovered that the TYPO3-wide used encryption key is generated with an insufficiently random seed resulting in low entropy which makes it easier for attackers to crack this key. (CVE-2009-0255)
- Marcus Krause discovered that TYPO3 is not invalidating a supplied session on authentication which allows an attacker to take over a victim's session via a session fixation attack. (CVE-2009-0256)
- Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various arguments and user-supplied strings used in the indexed search system extension, adodb extension test scripts or the workspace module. (CVE-2009-0257)
- Mads Olesen discovered a remote command injection vulnerability in the indexed search system extension which allows attackers to execute arbitrary code via a crafted file name which is passed unescaped to various system tools that extract file content for the indexing. (CVE-2009-0258)
vnc: arbitrary code execution
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| vnc | CVE-2008-4770 | January 27, 2009 | March 9, 2009 |

Description: From the CVE entry: The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type."
xine-lib: multiple vulnerabilities
| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| xine-lib | CVE-2008-5233 CVE-2008-5241 CVE-2008-5245 CVE-2008-5246 | January 22, 2009 | June 1, 2010 |

Description: xine-lib has multiple vulnerabilities. From the Mandriva alert:
- Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-5233).
- Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241).
- Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245).
- Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246).
xine-lib: multiple vulnerabilities

| Package(s) | CVE #(s) | Created | Updated |
| --- | --- | --- | --- |
| xine-lib | CVE-2008-5238 CVE-2008-5242 CVE-2008-5244 CVE-2008-5248 | January 27, 2009 | June 1, 2010 |

Description: From the Ubuntu advisory:
- It was discovered that the Matroska, MOD, Real, and Real Audio demuxers in xine-lib did not correctly handle malformed files, resulting in integer overflows. If a user or automated system were tricked into opening a specially crafted Matroska, MOD, Real, or Real Audio file, an attacker could execute arbitrary code as the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5238)
- It was discovered that the QT demuxer in xine-lib did not correctly handle an invalid metadata atom size, resulting in a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted MOV file, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5234, CVE-2008-5242)
- It was discovered that xine-lib did not correctly handle certain malformed AAC files. If a user or automated system were tricked into opening a specially crafted AAC file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 7.10, and 8.04 LTS. (CVE-2008-5244)
- It was discovered that xine-lib did not correctly handle MP3 files with metadata consisting only of separators. If a user or automated system were tricked into opening a specially crafted MP3 file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5248)
Page editor: Jake Edge