January 28, 2009
This article was contributed by Nathan Willis
If you use any flavor of voice-over-IP (VoIP) technology, whether free
software or proprietary, lone softphone or multi-line office Asterisk
server, then you need to take a hard look at VoIP security. Himanshu
Dwivedi's Hacking VoIP:
protocols, attacks, and countermeasures from No Starch Press
provides a thorough, but clear, examination of the landscape. It
systematically examines the core VoIP protocols, server and connection
infrastructure, and social engineering weaknesses in VoIP deployment. It
also provides example attacks that the reader can reproduce on test
machines, and
details the effective safeguards.
The book covers security for all major breeds of voice-over-IP
technology: Session Initiation Protocol (SIP)-based, H.323-based, and
Inter-Asterisk Exchange (IAX)-based. SIP is found in most
current-generation VoIP software, such as Twinkle, KPhone, and
Telepathy. H.323 is an older protocol stack, but is still in widespread
use, particularly through the Ekiga project. Both SIP and H.323 use
Real-time Transport Protocol (RTP) to handle audio streams. IAX handles
connection management and audio data in one protocol, and is used by the
Asterisk telephony server, although Asterisk can handle SIP and H.323 as
well.
Part I examines each protocol in turn: SIP, H.323, RTP, and IAX. The
author provides an overview of the authentication, call set-up, session
management, and audio transport of each protocol stack. He then explores
weaknesses and potential attacks against each protocol in depth.
Part II looks at potential attacks on VoIP networks that exploit
underlying Internet infrastructure that connects both clients and servers,
such as Simple Network Management Protocol (SNMP) and DNS. It also examines
non-technical security threats such as phishing and Spam Over IP Telephony
(SPIT), and includes a brief roundup of the security status of various
widely available public VoIP services.
Part III explores how to harden VoIP systems, using encryption and
secure authentication based on technologies such as Transport Layer
Security (TLS), Secure RTP (SRTP), and Phil Zimmermann's ZRTP. The book
concludes with a step-by-step VoIP Security Audit Program created by the
author.
Dwivedi's writing makes the subject matter accessible without
sacrificing detail. His explanations of topics like SIP authentication
handshakes are clear enough for a novice to understand. That clarity is
critical for explaining more complicated issues like Man-in-the-Middle and
eavesdropping attacks that consist of a precise sequence of events.
Better still, for each loophole exploited, he provides step-by-step
instructions for executing the attack in a laboratory environment. The
laboratory consists of an Asterisk server and one or more client
applications connecting via SIP, H.323, or IAX. Some exploits — such as
username sniffing — require only common network analysis tools like
Wireshark. For those that require special capabilities, like injecting SIP
packets, the author provides links to the appropriate applications.
If you are not already familiar with VoIP security, the outlook may
frighten you. All three protocol stacks are assailable on a number of
fronts, from identity spoofing to denial-of-service, and the chinks in the
armor are part of the stacks themselves, not poor implementations.
For example, SIP and H.323 both use MD5 to hash authentication
credentials, making them vulnerable to offline dictionary attacks. IAX
supports stronger RSA authentication in addition to MD5, but it can be
downgraded to plaintext authentication with a single spoofed packet. Denial
of service attacks on all three protocols are as simple as flooding the
network with registration rejection, call rejection, or call termination
packets. RTP eavesdropping and audio insertion are possible because RTP
assumes that the connection — established by SIP or H.323 — is
secure.
The good news is that the strength of SIP, H.323, and IAX can be
significantly improved. TLS can secure call set-up, SRTP can harden audio
transport, and careful security auditing can close holes on gateway servers
and proxies. But this takes active measures; as Dwivedi observes in the
book, end users and administrators often make assumptions about the
security of VoIP based on their past experience with the comparatively
robust security of traditional phone systems and GSM networks.
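As an added illustration (not from the book or the article), the Python check below inspects a SIP INVITE for the two hardening measures the review names: TLS on the signaling path and SRTP (SDES-keyed) or ZRTP on the audio. Both messages are constructed samples, not captures, and the SDES key material is a placeholder.

```python
import re

# Constructed sample messages (not captures): the same INVITE, first over plain
# UDP with an RTP/AVP audio offer, then over TLS with RTP/SAVP plus an SDES
# crypto line. The inline key material is a placeholder string.
HEAD = ("INVITE sip:bob@example.com SIP/2.0\n"
        "Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK776asdhds\n"
        "From: <sip:alice@example.com>;tag=1928301774\n"
        "To: <sip:bob@example.com>\nCall-ID: a84b4c76e66710\n"
        "CSeq: 1 INVITE\nContent-Type: application/sdp\n")
SDP_AVP = ("v=0\no=alice 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\n"
           "t=0 0\nm=audio 49170 RTP/AVP 0 8\na=rtpmap:0 PCMU/8000\n")
SDP_SAVP = (SDP_AVP.replace("RTP/AVP", "RTP/SAVP") +
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL\n")
WEAK_INVITE = HEAD.format(transport="UDP", port=5060) + "\n" + SDP_AVP
HARDENED_INVITE = HEAD.format(transport="TLS", port=5061) + "\n" + SDP_SAVP


def audit_sip_offer(msg: str) -> dict:
    """Report whether a SIP INVITE protects its signaling (TLS) and its audio
    (SRTP keyed by SDES, or ZRTP announced in the SDP)."""
    text = msg.replace("\r\n", "\n")         # real SIP uses CRLF line ends
    head, _, body = text.partition("\n\n")   # a blank line separates the SDP
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    profiles = re.findall(r"^m=audio\s+\d+\s+(\S+)", body, re.M)
    has_sdes = bool(re.search(r"^a=crypto:", body, re.M))
    has_zrtp = bool(re.search(r"^a=zrtp-hash:", body, re.M))
    # SDES-keyed SRTP needs the SAVP profile and a crypto line; ZRTP agrees on
    # keys in-band (over RTP/AVP) and announces itself with a=zrtp-hash.
    sdes_ok = (bool(profiles) and has_sdes
               and all(p.startswith("RTP/SAVP") for p in profiles))
    media_ok = sdes_ok or has_zrtp
    problems = []
    if transport != "TLS":
        problems.append(f"signaling over {transport}: call set-up and the MD5 "
                        "digest challenge/response are readable on the wire")
    if not media_ok:
        problems.append(f"audio profile(s) {profiles}: plain RTP, no SRTP/ZRTP")
    return {"transport": transport, "signaling_encrypted": transport == "TLS",
            "audio_profiles": profiles, "media_encrypted": media_ok,
            "problems": problems}


if __name__ == "__main__":
    for name, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(name, audit_sip_offer(msg)["problems"] or "no findings")
```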
Those assumptions are by and large wrong. Dwivedi devotes a chapter to
scrutinizing the security of widespread VoIP products, from free services
like Google Talk and Yahoo Messenger to commercial products like
Vonage. Vonage uses neither TLS nor SRTP, making it vulnerable to every
attack on SIP or RTP. Yahoo and Google gain some security by using TLS on
their sign-on processes, but are still exposed to a long list of
exploits.
In light of that chapter, I did a brief survey of the open source VoIP
project scenes to see which supported TLS, SRTP, and ZRTP; the results
are not much better. A few projects, such as minisip and Twinkle, make
security a priority, but most do not. Notably, Asterisk and Ekiga have long
planned to support TLS and SRTP, but have yet to release a working
build.
Hacking VoIP is a must-read for anyone interested in
Internet telephony, whether as a developer or an end-user. Dwivedi clears
away the fog surrounding VoIP security, revealing it for what it is:
attainable, but only through conscious effort.
Every day, I see more and more TV commercials advertising "magic" boxes
that plug in to your telephone and your broadband, allowing you to make
free or cheap telephone calls. These products are undoubtedly
SIP-and-RTP-based devices with no security. VoIP is still in its infancy
compared to email and the Web; making security commonplace is still
possible. By spreading a good understanding of the seriousness of the
issues and how to solve them, this book could go a long way towards making
that a reality.
Comments (2 posted)
Brief items
PostgreSQL is considering adding some security features for version 8.4 and is looking for security folks to review the code. "The PostgreSQL community is considering including security enhancements in Postgres 8.4, e.g. row-level permissions and SE-Linux security. However, to evaluate the patch and its usefulness, we need security experts who want to use this capability or have used it in other databases." Click below for the full message. (Thanks to Alvaro Herrera).
Full Story (comments: 1)
New vulnerabilities
cups: insecure tmp file usage
| Package(s): | cups |
| CVE #(s): | CVE-2009-0032 |
| Created: | January 26, 2009 | Updated: | January 28, 2009 |
| Description: | From the Mandriva advisory: A vulnerability has been discovered in CUPS shipped with Mandriva Linux which allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032) |
| Alerts: | |
Comments (none posted)
DevIL: off by one error
| Package(s): | DevIL |
| CVE #(s): | CVE-2008-5262 |
| Created: | January 22, 2009 | Updated: | March 9, 2009 |
| Description: | DevIL, the Developer's Image Library, has an off-by-one error. From the Red Hat Bug entry: Multiple stack-based buffer overflows in the iGetHdrHeader function in src-IL/src/il_hdr.c in DevIL 1.7.4 allow context-dependent attackers to execute arbitrary code via a crafted Radiance RGBE file. |
| Alerts: | |
Comments (none posted)
dia: arbitrary code execution
| Package(s): | dia |
| CVE #(s): | |
| Created: | January 27, 2009 | Updated: | January 28, 2009 |
| Description: | From the Fedora advisory: Filter out untrusted python modules search path to remove the possibility to run arbitrary code on the user's system if there is a python file in dia's working directory named the same as one that dia's python scripts try to import. |
| Alerts: | |
Comments (none posted)
ganglia-monitor-core: arbitrary code execution
| Package(s): | ganglia-monitor-core |
| CVE #(s): | CVE-2009-0241 |
| Created: | January 26, 2009 | Updated: | June 9, 2009 |
| Description: | From the Debian advisory: Spike Spiegel discovered a stack-based buffer overflow in gmetad, the meta-daemon for the ganglia cluster monitoring toolkit, which could be triggered via a request with long path names and might enable arbitrary code execution. |
| Alerts: | |
Comments (none posted)
kernel: several vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2009-0029, CVE-2009-0065 |
| Created: | January 27, 2009 | Updated: | October 5, 2009 |
| Description: |
From the Fedora advisory:
CVE-2009-0029 Linux Kernel insecure 64 bit system call argument passing
CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID. |
| Alerts: | |
Comments (none posted)
ktorrent: arbitrary uploads, code execution
| Package(s): | ktorrent |
| CVE #(s): | CVE-2008-5905, CVE-2008-5906 |
| Created: | January 27, 2009 | Updated: | February 24, 2009 |
| Description: |
From the Ubuntu advisory:
It was discovered that KTorrent did not properly restrict access when using the web interface plugin. A remote attacker could use a crafted http request and upload arbitrary torrent files to trigger the start of downloads and seeding. (CVE-2008-5905)
It was discovered that KTorrent did not properly handle certain parameters when using the web interface plugin. A remote attacker could use crafted http requests to execute arbitrary PHP code. (CVE-2008-5906) |
| Alerts: | |
Comments (none posted)
moodle: insecure temp file
| Package(s): | moodle |
| CVE #(s): | CVE-2008-5153 |
| Created: | January 22, 2009 | Updated: | June 25, 2009 |
| Description: | moodle has an insecure temp file vulnerability. From the Red Hat Bug entry: spell-check-logic.cgi in Moodle 1.8.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/spell-check-debug.log, /tmp/spell-check-before, or /tmp/spell-check-after temporary file. |
| Alerts: | |
Comments (none posted)
mumbles: unsafe shell usage
| Package(s): | mumbles |
| CVE #(s): | |
| Created: | January 22, 2009 | Updated: | January 28, 2009 |
| Description: | mumbles uses the shell in an unsafe manner. From the Red Hat Bug entry: The Firefox plugin uses os.system in an insecure fashion. |
| Alerts: | |
Comments (none posted)
nessus-core: signature verification flaw
| Package(s): | nessus-core |
| CVE #(s): | CVE-2009-0125 |
| Created: | January 26, 2009 | Updated: | October 13, 2009 |
| Description: | From the CVE entry: ** DISPUTED ** NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the OpenSSL DSA_do_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: the upstream vendor has disputed this issue, stating "while we do misuse this function (this is a bug), it has absolutely no security ramification." |
| Alerts: | |
Comments (none posted)
php: information disclosure
| Package(s): | php |
| CVE #(s): | CVE-2008-5498 |
| Created: | January 22, 2009 | Updated: | January 6, 2010 |
| Description: | php has an information disclosure vulnerability. From the Mandriva alert: An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). |
| Alerts: | |
Comments (none posted)
scilab: insecure temp file
| Package(s): | scilab |
| CVE #(s): | CVE-2008-4983 |
| Created: | January 22, 2009 | Updated: | January 28, 2009 |
| Description: | Scilab, a scientific software package for numerical computations, uses temporary files insecurely; this can be exploited through a symlink attack. |
| Alerts: | |
Comments (none posted)
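The cups, moodle and scilab entries above share one bug class: a fixed, predictable name under /tmp is opened for writing, so a symlink planted there beforehand redirects the write to another file. The added Python example below (not from any of the advisories) shows that pattern beside the hardened open, run inside a private scratch directory; the file names are constructed stand-ins for the paths the advisories name.

```python
import os
import tempfile


def log_insecurely(path: str, text: str) -> None:
    """The pattern behind the advisories: open a fixed, predictable name for
    writing. If that name is already a symlink, the write follows it."""
    with open(path, "w") as fh:
        fh.write(text)


def log_securely(path: str, text: str) -> None:
    """Hardened open: create-only (O_EXCL), never follow a symlink
    (O_NOFOLLOW, where the platform has it), and fail instead of truncating
    whatever already sits at that path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Run both variants in a private scratch directory and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")   # stands in for a file the
        with open(victim, "w") as fh:                   # local user cannot write
            fh.write("important=1\n")
        planted = os.path.join(scratch, "pdf.log")      # stands in for /tmp/pdf.log
        os.symlink(victim, planted)                     # the pre-planted link
        log_insecurely(planted, "log line\n")
        with open(victim) as fh:
            results["insecure_overwrote_target"] = fh.read() == "log line\n"
        try:
            log_securely(planted, "log line\n")
            results["secure_refused"] = False
        except OSError:                                 # EEXIST or ELOOP
            results["secure_refused"] = True
        # The real fix is to stop using a predictable name at all: mkstemp
        # picks a random one and itself opens it with O_EXCL.
        fd, unique = tempfile.mkstemp(prefix="pdf-", suffix=".log", dir=scratch)
        os.close(fd)
        results["mkstemp_unique"] = unique != planted and os.path.isfile(unique)
    return results


if __name__ == "__main__":
    print(demo())
```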
tor: heap corruption
| Package(s): | tor |
| CVE #(s): | |
| Created: | January 26, 2009 | Updated: | January 28, 2009 |
| Description: | From the Tor release notes: Fix a heap-corruption bug that may be remotely triggerable on some platforms. Reported by Ilja van Sprundel. |
| Alerts: | |
Comments (none posted)
typo3-src: multiple vulnerabilities
| Package(s): | typo3-src |
| CVE #(s): | CVE-2009-0255, CVE-2009-0256, CVE-2009-0257, CVE-2009-0258 |
| Created: | January 27, 2009 | Updated: | February 11, 2009 |
| Description: |
From the Debian advisory:
Chris John Riley discovered that the TYPO3-wide used encryption key is generated with an insufficiently random seed resulting in low entropy which makes it easier for attackers to crack this key. (CVE-2009-0255)
Marcus Krause discovered that TYPO3 is not invalidating a supplied session on authentication which allows an attacker to take over a victim's session via a session fixation attack. (CVE-2009-0256)
Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various arguments and user-supplied strings used in the indexed search system extension, adodb extension test scripts or the workspace module. (CVE-2009-0257)
Mads Olesen discovered a remote command injection vulnerability in the indexed search system extension which allows attackers to execute arbitrary code via a crafted file name which is passed unescaped to various system tools that extract file content for the indexing. (CVE-2009-0258) |
| Alerts: | |
Comments (none posted)
vnc: arbitrary code execution
| Package(s): | vnc |
| CVE #(s): | CVE-2008-4770 |
| Created: | January 27, 2009 | Updated: | March 9, 2009 |
| Description: | From the CVE entry: The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type." |
| Alerts: | |
Comments (none posted)
xine-lib: multiple vulnerabilities
| Package(s): | xine-lib |
| CVE #(s): | CVE-2008-5233, CVE-2008-5241, CVE-2008-5245, CVE-2008-5246 |
| Created: | January 22, 2009 | Updated: | June 1, 2010 |
| Description: |
xine-lib has multiple vulnerabilities. From the Mandriva alert:
Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE: CVE-2008-5233).
Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241).
Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245).
Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246). |
| Alerts: | |
Comments (none posted)
xine-lib: multiple vulnerabilities
| Package(s): | xine-lib |
| CVE #(s): | CVE-2008-5238, CVE-2008-5242, CVE-2008-5244, CVE-2008-5248 |
| Created: | January 27, 2009 | Updated: | June 1, 2010 |
| Description: |
From the Ubuntu advisory:
It was discovered that the Matroska, MOD, Real, and Real Audio demuxers in xine-lib did not correctly handle malformed files, resulting in integer overflows. If a user or automated system were tricked into opening a specially crafted Matroska, MOD, Real, or Real Audio file, an attacker could execute arbitrary code as the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5238)
It was discovered that the QT demuxer in xine-lib did not correctly handle an invalid metadata atom size, resulting in a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted MOV file, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5234, CVE-2008-5242)
It was discovered that xine-lib did not correctly handle certain malformed AAC files. If a user or automated system were tricked into opening a specially crafted AAC file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 7.10, and 8.04 LTS. (CVE-2008-5244)
It was discovered that xine-lib did not correctly handle MP3 files with metadata consisting only of separators. If a user or automated system were tricked into opening a specially crafted MP3 file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5248) |
| Alerts: | |
Comments (none posted)
Page editor: Jake Edge