VoIP Security Vulnerabilities

SANS Institute InfoSec Reading Room

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Copyright SANS Institute. Author Retains Full Rights.




VoIP Security Vulnerabilities

Author: David Persky

Advisor: Joey Niem

Fall 2007


Outline

I. Introduction, page 3
II. Security vulnerabilities transitioning from POTS to VoIP, page 4
III. Real Time Protocol (RTP), page 42
IV. Asterisk and Inter-Asterisk Exchange (IAX), page 50
V. Session Initiation Protocol (SIP), page 58
VI. Skype, page 85
VII. Cisco VoIP, page 95
VIII. Conclusion, page 110
IX. References, page 112
X. Appendix, page 120
XI. Image Figures, page 124


I. Introduction

Since the dawn of time, humans have tried to communicate with each other. As languages and dialects prospered, the forms of communication became more advanced by using letters in various alphabets and writing messages on papers or letters. From the Caesar cipher that Julius Caesar used, where letters in encrypted messages were actually three letters off, to the Nazis in WWII who built and used the Enigma machine to encrypt military communications, to SIP-TLS to encrypt VoIP conversations, as forms of communication have advanced there have been subsequent efforts to keep those communications secret by one party, and to identify the clear message by a second party.


II. Security vulnerabilities transitioning from POTS to VoIP

The public switched telephone network (PSTN) is a global system of interconnected, various sized phone networks that provides users the ability to carry voice conversations with each other. “The most basic kind of network service with which we are familiar from childhood is called POTS (Plain Old Telephone Service). Using a pair of twisted copper wires, a residential phone is connected to a central office (CO) from where a residential customer can dial out in the PSTN or around the world” (Ramteke 2001). The PSTN at its birth started without telephone networks or exchanges. They were simple one to one telephone lines connecting phones from one room to another, a business to a home, etc. As time went on and businesses grew, private branch exchanges (PBX) were designed and deployed in office settings to provide the increasing number of telephone lines, additional services, and to connect internal callers through the PBX, over trunk lines, through the PSTN, and eventually to destination callers.

A POTS phone is not a VoIP hard phone, nor is it a PC. However, a POTS phone and the line connecting to it are susceptible to vulnerabilities that would allow somebody determined enough to listen in on your phone calls. When most people think of security and privacy with respect to POTS phones, they immediately think of wire tapping and/or intercepting phone calls. Under the federal Communications Assistance for Law Enforcement Act (CALEA) of 1994, carriers are required to have a procedure and technology in place for intercepting calls. This also applies to Internet telephone service providers (ITSPs). As most could probably guess, there are generally two methods of recording phone call information: call pattern tracking, which identifies the quantity of calls made, including times, durations, and destinations of phone calls. The second and more feared method would be to record the content of the phone call or conversation, that is, eavesdropping. This is particularly scary due to the fact that multiple banks, credit card companies, and other organizations use voice systems to access secure accounts, often requiring a caller to punch in his/her PIN, social security number, or any other private credentials with a touch tone phone. Dual-tone multifrequency (DTMF) tones or touch tones are used to enter in those secure credentials. There is a simple tool called DTMF Decoder (www.polar-electric.com/DTMF/Index.html) that can be used to translate captured tones from a sound card to the digits that were pressed. This is because each digit that is pressed sends a tone within a given frequency range. Essentially the frequency ranges heard are mapped to the numbers associated to them. I tested this with a PC microphone placed near the speaker of my POTS cordless phone, while dialing my mobile phone number. After running the .wave file captured through the DTMF Decoder, my mobile phone number was displayed as being heard.
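The frequency-to-digit mapping described above, as an added example that is not part of the paper: a pure-Python DTMF decoder (Goertzel algorithm) run over a constructed tone sequence, showing why credentials keyed over a voice channel must be treated as exposed to anyone who can record the audio. The keypad layout is the standard one; the sample rate, tone timing and energy threshold are assumptions.

```python
import math

# DTMF keypad layout: each key press is the sum of one low-group tone (row)
# and one high-group tone (column).
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

SAMPLE_RATE = 8000   # telephone-quality audio, samples per second (assumed)
TONE_SAMPLES = 400   # 50 ms of tone per key press (assumed)
GAP_SAMPLES = 320    # 40 ms of silence between key presses (assumed)


def synthesize(keys):
    """Constructed input: a mono float sample stream for the given key
    presses, standing in for the microphone capture described in the text."""
    samples = []
    for key in keys:
        row = next(r for r, row_keys in enumerate(KEYS) if key in row_keys)
        col = KEYS[row].index(key)
        low, high = LOW_FREQS[row], HIGH_FREQS[col]
        for n in range(TONE_SAMPLES):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * low * t)
                           + 0.5 * math.sin(2 * math.pi * high * t))
        samples.extend([0.0] * GAP_SAMPLES)
    return samples


def goertzel_power(block, freq):
    """Energy of one target frequency in a block (Goertzel algorithm): a
    single-bin DFT, which is how inexpensive DTMF detectors work."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples, block_size=205, min_power=300.0):
    """Label each block by its strongest low/high tone pair and collapse
    runs. A block whose energy is below min_power counts as silence, which
    is what separates two presses of the same key."""
    digits, last = [], None
    for start in range(0, len(samples) - block_size + 1, block_size):
        block = samples[start:start + block_size]
        low = [goertzel_power(block, f) for f in LOW_FREQS]
        high = [goertzel_power(block, f) for f in HIGH_FREQS]
        if max(low) < min_power or max(high) < min_power:
            last = None        # silence between key presses
            continue
        key = KEYS[low.index(max(low))][high.index(max(high))]
        if key != last:
            digits.append(key)
            last = key
    return "".join(digits)


if __name__ == "__main__":
    # A constructed "PIN" keyed over the line is recovered from audio alone.
    print(decode(synthesize("2558")))   # 2558
```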

“The most common type of tap is a pen register (otherwise known as trap and trace), which produces a log, showing what numbers were called, and the dates, times and durations of the calls. The second type intercepts the content of the call… The way it works is that a carrier taps into a digital switch at its central offices or at an aggregation point and programs in what number will be traced or what calls will be intercepted. Once the information is gathered, it is sent via a private link paid for by law enforcement to the agency that requested it” (Gittlen, 2006).


Please view the following diagram for a visual representation of the above description:

Figure 1

Another POTS phone security issue that has carried over to VoIP is the art of caller ID spoofing. On the PSTN, using POTS or mobile phones, caller ID works in the following method:

“Your local phone company or cell phone carrier sends your "Calling Party Number" (CPN) with every call, like a return address on an envelope. Transmitted along with your CPN is a privacy flag that tells the telephone switch at the receiving end of the call whether or not to share your number with the recipient: if you have blocking on your line, the phone company you're dialing into knows your number, but won't share it with the person you're calling” (Poulsen, 2004).


There have been legitimate reasons why one would want to spoof one's caller ID. For example, let's say that ABCbank (fake bank name) has many telephone lines that are used by many internal bankers to place outbound calls. Rather than having each number on the destination caller's caller ID come up as a unique ABCbank number, it makes more sense for all outbound calls to have one standard source telephone CPN. For this to work, ABCbank must have a PBX with many internal lines connected to an ISDN primary rate interface line (PRI). The externally viewable caller ID or CPN can be configured to map to an internal extension on the PBX. This is similar in theory to IP network address translation (NAT) on a firewall or router. The following is a diagram depicting the above example of ABCbank:

Figure 2

Along with CALEA as stated above, there is legislation in Congress at the time of writing this report that attempts to strengthen the authenticity of caller ID. It is H.R. 251: Truth in Caller ID Act of 2007.

“Truth in Caller ID Act of 2007 - Amends the Communications Act of 1934 to make it unlawful for any person in the United States, in connection with any telecommunication service or VOIP (voice over Internet protocol) service, to cause any caller identification service to transmit misleading or inaccurate caller identification information (“spoofing”) with the intent to defraud or cause harm. Prohibits construing these provisions to prevent blocking caller identification or to authorize or prohibit law enforcement or U.S. intelligence agency activities” (Unknown, 2007).

This bill passed in the U.S. House of Representatives on 6/12/2007, and it remains in the U.S. Senate. There is an emerging new method for placing phone calls, and the infrastructure that is needed for it. While on the topic of government, it's important to note that as VoIP is deployed in more financial and medical environments, an organization's VoIP infrastructure will likely have to be in compliance with federal regulations such as SOX, GLBA, and HIPAA. Voice over Internet protocol (from now on referred to as “VoIP”) is a method of having a voice conversation travel across a data network (Internet or private network) in a packet switched, rather than circuit switched, manner. "VoIP networks carry SS7-over-IP using protocols defined by the Signaling Transport (sigtran) working group of the Internet Engineering Task Force (IETF), the international organization responsible for recommending Internet standards" (Performance Technologies, 2004). However, since the majority of calls throughout the world still travel over the PSTN, there must be some point where VoIP and the PSTN meet. "Gateways and media resources are devices that convert an IP Telephony call into a PSTN call. When an outside call is placed, the gateway or media resource is one of the few places within an IP Telephony network to which all the voice RTP streams flow (RTP discussed later)" (Cisco, 2005). There are also security considerations that must be made at this point, but that will be discussed later. There is no single method or correct way of deploying VoIP phone services, in that the method is dependent upon the environment/purpose it will be used in/for. To illustrate further, the following are a number of diagrams depicting simple VoIP networks that would be used in a SOHO (Small Office Home Office) environment:

Figure 3

The last diagram of the four is an illustration of the most typical call path when making a call using a VoIP phone service provider such as Vonage or SunRocket in a SOHO environment” (VoIP Review 2004).

The diagrams do not show how complex a larger enterprise VoIP deployment may become.

“VoIP has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional PSTN. VoIP is a broad term, describing many different types of applications (hard phones, softphones, proxy servers, instant messaging clients, peer-to-peer clients, etc.), installed on a wide variety of platforms (Linux, Windows, VxWorks, mobile devices, PCs, etc), and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, MGCP, SCCP, Unistim, SRTP, ZRTP, etc.), that depends heavily on your preexisting data network's infrastructure and services (routers, switches, DNS, TFTP, DHCP, VPNs, VLANs, etc.)” (Endler, 2007).

There is a slew of various proprietary and open-source, paid and free VoIP software clients available for use. These are also called softphones. A few examples of these are:

• Skype

• Google Talk

• Yahoo Messenger

• ComunIP ClicVoz

• Jabbin

• Kcall

A large list of these VoIP software clients and comparisons of their various capabilities can be found at http://en.wikipedia.org/wiki/Comparison_of_VoIP_software and http://www.voip-info.org/wiki-Open+Source+VOIP+Software. For this report, I will discuss the use and security vulnerabilities related to the Skype VoIP freeware application. This however will be discussed later on in this report.

There are many different types of VoIP services and technologies available to the public. My research will be focused on identifying VoIP protocols, ports, enumeration techniques, vulnerabilities, deployments, versions, applications, attack tools and methods, of the following VoIP services:

• Real-Time Protocol (RTP)

• Inter-Asterisk Exchange (IAX)

• Session Initiation Protocol (SIP)

• Skype

• Cisco VoIP

You will see that RTP is mentioned in many sections of this report simply because it is so widely deployed in various VoIP technologies. Organizations looking to cut costs on maintaining legacy phones, phone systems, and phone bills are adopting VoIP at a faster pace, but disregarding the security concerns inherent in multiple VoIP resources. VoIP inherits many of the same threats that once faced and still do face data network resources.

“Because of VoIP, firewalls may never be the same. New research shows that organizations underestimate the demands that enterprise VoIP security places on existing firewalls, and that those demands are altering the landscape of the firewall market. Ariz.-based research firm InStat in June surveyed 220 IT professionals from companies of all sizes, and more than 75% of respondents at companies that have implemented VoIP plan to replace their security appliances within the next year. That could further bolster the security appliance market, which InStat has forecast to eclipse $7 billion in revenue by 2009" (Parizo, 2005).

However, before getting into the specifics of comparing the vulnerabilities related to the VoIP topics above, I will discuss more general VoIP security considerations. This report will not promote one VoIP technology over another since each is unique in design, has its own share of vulnerabilities, can be deployed securely or insecurely based on VoIP and existing policies, procedures, and infrastructure, and each method can be financially beneficial to organizations of different sizes. This report is also not meant to be an exhaustive list of all vulnerabilities exploited against any VoIP technology. The goal of this report is to identify security vulnerabilities and considerations for some of the most popular VoIP technologies available today. Since VoIP is being more widely deployed, great consideration must be taken to introduce it in an organization's network infrastructure in the most secure manner possible. Network and security engineers must be vigilant in their efforts to securely deploy VoIP. Otherwise, the return on investment (ROI) and cost savings afforded by VoIP could be lost if the new VoIP infrastructure is hacked, resulting in monetary losses.

"IP phone crooks are learning how to rake in the dough. An owner of two small Miami Voice over IP telephone companies was arrested last week and charged with making more than $1 million by breaking into third-party VoIP services and routing calls through their lines. That let him collect from customers without paying any fees to route calls... He paid $20,000 to Spokane, Wash., resident Robert Moore, who helped Pena scan VoIP providers for security holes with a code cracking method called brute force. They sent these companies millions of test calls, guessing at proprietary prefixes encoded on packet headers used to show that VoIP calls are legit, until the right one gave them access. The two also hacked into computers at a Rye Brook, N.Y., investment company and set up other servers to make it seem like they were sending calls from third parties through more than 15 VoIP providers... Those companies have to pay for access to the Internet's backbone, and they found themselves with up to $300,000 in charges for access stolen..." (Hoover, 2006).

This specific type of attack for financial gain that was exploited is referred to as 'VoIP toll fraud'. This is the equivalent of 'phreaking' that was performed against carrier telecom systems in the past (discussed later). Due to organizations deploying VoIP and being lax on VoIP security, it is likely trivial to replicate the toll fraud performed above against other organizations with a VoIP infrastructure. In my opinion, greater log analysis providing clearer 'vision' into an organization's VoIP calls would afford network security engineers more scrutiny in defining what VoIP traffic is and is not acceptable. Were a company to employ a voice managed security services provider that could monitor VoIP logs in near real time, toll fraud scams such as this would probably be stopped before they cause an organization massive financial loss.
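The near-real-time log monitoring argued for above, as an added example that is not part of the paper: a sliding-window detector over constructed call detail records (CDRs) that flags the two signatures visible in the Hoover account, a burst of rejected call attempts and a burst of completed international calls from one account. The CDR format, account names, dial-plan prefix and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed CDR sample (not from the paper): the fields an IP PBX
# typically logs per call attempt, one comma-separated line per call.
# timestamp,account,dialed number,duration in seconds,disposition
SAMPLE_CDR = """\
2007-10-02 02:00:01,acct-17,011447700900001,0,REJECTED
2007-10-02 02:00:09,acct-17,011447700900002,0,REJECTED
2007-10-02 02:00:17,acct-17,011447700900003,0,REJECTED
2007-10-02 02:00:25,acct-17,011447700900004,0,REJECTED
2007-10-02 02:00:33,acct-17,011447700900005,0,REJECTED
2007-10-02 02:00:41,acct-17,011447700900006,0,REJECTED
2007-10-02 02:01:10,acct-17,011447700900007,840,ANSWERED
2007-10-02 02:02:05,acct-17,011447700900008,1200,ANSWERED
2007-10-02 02:03:30,acct-17,011447700900009,960,ANSWERED
2007-10-02 09:15:02,acct-03,2125550147,95,ANSWERED
2007-10-02 09:40:44,acct-03,3105550123,0,REJECTED
2007-10-02 10:02:13,acct-03,011498912345678,310,ANSWERED
"""


def parse_cdr(text):
    """Turn CDR lines into dicts, skipping blank or malformed lines, and
    return them in time order."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        when, account, number, duration, disposition = parts
        records.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "account": account,
            "number": number,
            "duration": int(duration),
            "disposition": disposition,
        })
    return sorted(records, key=lambda r: r["time"])


def is_international(number):
    """NANP international dialing prefix (assumed); adjust to the local
    dial plan."""
    return number.startswith("011") or number.startswith("+")


def detect_toll_fraud(records, window_s=600, max_failures=5, max_intl=3):
    """Per-account sliding-window checks. Two signatures from the text:
    a burst of rejected calls (guessing at credentials or prefixes) and a
    burst of completed international calls (the revenue side of the fraud).
    Returns (account, rule, time) once per account and rule."""
    failures = defaultdict(deque)
    intl = defaultdict(deque)
    alerts, seen = [], set()

    def note(account, rule, when):
        if (account, rule) not in seen:
            seen.add((account, rule))
            alerts.append((account, rule, when.strftime("%Y-%m-%d %H:%M:%S")))

    def push(queue, when):
        # Add this event and drop events older than the window.
        queue.append(when)
        while (when - queue[0]).total_seconds() > window_s:
            queue.popleft()
        return len(queue)

    for r in records:
        acct, when = r["account"], r["time"]
        if r["disposition"] != "ANSWERED":
            if push(failures[acct], when) >= max_failures:
                note(acct, "failed-call burst", when)
        elif is_international(r["number"]):
            if push(intl[acct], when) >= max_intl:
                note(acct, "international-call burst", when)
    return alerts


if __name__ == "__main__":
    for alert in detect_toll_fraud(parse_cdr(SAMPLE_CDR)):
        print(alert)
```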

The security of VoIP resources, as with other data resources on networks, is dependent partly upon an organization's existing network infrastructure to maintain its security strength. This is in reference to building security, router, firewall, host, and OS security, password policies, etc. Before delving into the intricacies of various VoIP vulnerabilities, I want to stress that any organization wanting to secure their VoIP infrastructure should also continually promote VoIP security awareness training. Just as there are information security training sessions for non-IT staff to make them aware of social engineering, not accepting e-mail attachments from unknown senders or clicking on links in e-mails, avoiding clicking on adware ads, etc., similar training should be implemented for VoIP security. Simply put, this isn't your grandmother's old rotary phone anymore…

The methods of securing VoIP phones and VoIP IP PBXs/call management servers are, in some respects, not much different than securing data networks. The physical gear must be restricted to access by only authorized users. Just as with securing confidential data, rigorous access controls must be in place to specifically permit certain users and phones to make calls, define what services are permitted, etc., and deny all others. Also, VoIP phones and servers should have the latest patches and/or firmware updates available, and they should be delivered/installed via a sound patch management policy. Firewalls or VoIP network edge devices must also be VoIP protocol aware. After all VoIP security measures have been taken, an organization should also regularly implement 3rd party VoIP penetration testing. VoIPshield Systems is a company that provides such service (www.voipshield.com). VoIP security should not be an afterthought when deploying any sized VoIP infrastructure. Just as network availability and quality of service should be designed with network security in mind, so too goes VoIP availability, QOS, and security.

Similar to the Confidentiality, Integrity, and Availability (CIA) of voice, the following is a clever way of remembering VoIP threat categories:

Figure 4 (Materna, 2007)

Probably the best and first thing an organization should do when deploying VoIP is to segment their data and VoIP traffic into separate Virtual Local Area Networks (VLANs). Also, if VoIP traffic is seen sourcing from a 'data only' network, the host producing the VoIP traffic should be investigated to identify what is causing it, since it would be against an organization's acceptable use and/or security policy. That scenario, while highly beneficial from a security standpoint, could become confusing if an organization then deploys wireless VoIP phones. The question becomes, do you then deploy separate access points for wireless VoIP phones and separate access points for wireless data? However, that is for an organization to consider in a request for proposal, and is out of the scope of this report. For the data only traffic, a stateful firewall should be used to block all outbound traffic for known destination VoIP service ports. Also, an IPS that is not in line with traffic could be used to send TCP RST/ACK or ICMP unreachable packets to internal hosts that are generating the VoIP traffic that is matching any VoIP IDS signatures. A reason for not putting the IPS inline with the traffic is to avoid a single point of failure for all voice conversations to go through, as well as bandwidth considerations. Please view the following diagram to illustrate the VLAN separation of data from VoIP traffic:

Figure 5

As you can see, while the VoIP phones and the PCs are sharing the same physical link network cable to the switch, they are in logically different networks (VLANs) due to the IEEE 802.1Q Ethernet frame tagging that the phone is performing, but not permitting in through its PC Ethernet interface. Once VoIP and data resources have been segmented into different VLANs, the best practice would be to test access to ensure that the VoIP VLANs cannot be used to gain access to other data VLANs, and vice versa, since there are many documented VLAN hopping vulnerabilities.
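The VLAN separation and the 'VoIP traffic sourced from a data-only network' check described above, as an added example that is not part of the paper: it parses constructed Ethernet frames with and without an IEEE 802.1Q tag and flags frames that carry VoIP signaling or media ports but originate untagged or on the data VLAN, the same classification a port-based firewall rule or IDS signature applies. The VLAN numbers, the port list and the RTP range are assumptions.

```python
import struct

# Assumed VLAN plan and port policy (not from the paper): voice on VLAN 100,
# PCs on VLAN 10 (or untagged), and the VoIP ports that a 'data only' VLAN
# should never be seen sourcing.
VOICE_VLAN = 100
DATA_VLAN = 10
VOIP_UDP_PORTS = {5060, 4569}        # SIP and IAX2 signaling
RTP_PORT_RANGE = (16384, 32767)      # common phone RTP/RTCP range (assumed)

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_udp_frame(vlan, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed test frame: Ethernet II, optional 802.1Q tag, IPv4, UDP.
    Checksums are left zero; parsing, not delivery, is the point."""
    ip_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64,
                         IPPROTO_UDP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan is not None:
        # TCI = 3-bit priority | 1-bit DEI | 12-bit VLAN ID; phones usually
        # mark voice frames with priority 5, so the parser must mask it off.
        pcp = 5 if vlan == VOICE_VLAN else 0
        eth += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp_hdr + payload


def parse_frame(frame):
    """Extract VLAN ID (None when untagged), IPs and UDP ports from a frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        offset = 18
    info = {"vlan": vlan, "ethertype": ethertype, "proto": None}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ihl = (frame[offset] & 0x0F) * 4
    info["proto"] = frame[offset + 9]
    info["src_ip"] = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    info["dst_ip"] = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    if info["proto"] == IPPROTO_UDP:
        l4 = offset + ihl
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def looks_like_voip(info):
    """Port-based classification, as a firewall rule or IDS signature would."""
    if info.get("proto") != IPPROTO_UDP:
        return False
    ports = {info["sport"], info["dport"]}
    if ports & VOIP_UDP_PORTS:
        return True
    return any(RTP_PORT_RANGE[0] <= p <= RTP_PORT_RANGE[1] for p in ports)


def check_policy(frame):
    """Return a finding when VoIP traffic is sourced from the data VLAN
    (untagged frames count as data), or None when the frame complies."""
    info = parse_frame(frame)
    on_data_vlan = info["vlan"] in (None, DATA_VLAN)
    if on_data_vlan and looks_like_voip(info):
        return ("VoIP traffic on data VLAN: %s:%d -> %s:%d (investigate host)"
                % (info["src_ip"], info["sport"], info["dst_ip"], info["dport"]))
    return None


if __name__ == "__main__":
    pc_call = build_udp_frame(None, "10.1.10.33", "203.0.113.9", 40000, 5060)
    print(check_policy(pc_call))
```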

Some vendors such as Ci sco Syst ems i ncl ude aut hent i cat i on

and encr ypt i on measur es i n t hei r pr opr i et ary VoI P depl oyment s as

a means of secur i ng VoI P t r af f i c t o and f r om cal l manager

ser ver s, TFTP ser ver s, and VoI P phones. Thi s wi l l be di scussed i n

gr eat er det ai l i n t he Ci sco VoI P sect i on. Whi l e aut hent i cat i on

and encr ypt i on t o and f r om I P phones, and ot her VoI P server s i s

i mpor t ant , i t by no means achi eves t he obj ect i ve of secur i ng VoI P

r esour ces. Thi s i s because when most peopl e t hi nk of VoI P

phones, t hey thi nk of t he VoI P phone as onl y bei ng abl e t o

f unct i on as a phone, j ust l i ke a POTS phone. They over l ook the

f act t hat t he VoI P phone can possess a web management GUI , and

can be compr omi sed t o t hen at t ack other VoI P and dat a r esour ces,

wi t hout pl aci ng any cal l s.

“Some of t he methods of at t acki ng VoI P resour ces are deni al

of ser vi ce at t acks ( DOS) , man- i n- t he- mi ddl e at t acks, cal l

f l oodi ng, eavesdr oppi ng, VoI P f uzzi ng, si gnal i ng and audi o

mani pul at i on, voi ce SPAM ( cal l ed ‘ SPI T’ ) , and al so voi ce phi shi ng

at t acks” ( Endl er , 2007) . Al l of t he ment i oned at t acks t hr eat en

t he busi ness cri t i cal voi ce conver sat i ons, as wel l as t he

secur i t y of ot her conf i dent i al dat a. One can onl y i magi ne t he

f ear and anger t hat woul d ar i se i f an or gani zat i on’ s VoI P

i nf r ast r uctur e f el l under a deni al or di st r i but ed deni al of ser vi ce at t ack, especi al l y dur i ng an emer gency. I t i s l i kel y

t hat t he Qual i t y of Ser vi ce ( QOS) of voi ce cal l s woul d be so

degr aded that user s’ voi ce conver sat i ons woul d be choppy and f ul l

of st at i c when t r yi ng t o di al emer gency ser vi ces. Thankf ul l y i n

t oday’ s wor l d, wi t h most peopl e owni ng a mobi l e phone, t he i mpact

Page 19: Voip Security Vulnerabilities 2036

8/22/2019 Voip Security Vulnerabilities 2036

http://slidepdf.com/reader/full/voip-security-vulnerabilities-2036 19/127

VoI P Secur i t y Vul ner abi l i t i es

Davi d Per sky 18

of a DDOS would be substantial, but internal users would still be able to make voice calls from their mobile phones that are connected to their wireless carrier. Since VoIP, just like data, uses IP packets, it would be possible to hack into a VoIP server where logs are stored and modify them. This could allow an attacker to add fake logs such as thousands of long distance calls made from a specific internal user. This is an example where a disgruntled former employee would want to get back at a supervisor who fired the employee.

When deploying and trying to secure a VoIP infrastructure, one must remember that phone calls are not simply unicast, one-to-one voice conversations. Multiple call scenarios must be expected, planned for, and secured:

• Unicast Peer-to-Peer Calls

This is the standard one-to-one call most people think of related to POTS phones. With VoIP, this would/could be a SIP or H.323 based call that is set up. RTP traffic would have to be encrypted between two parties.

• Multicast One-to-few Calls

An example of this would be a three-party conference call, where the initial caller dials the second, and then third party, and establishes the security for all voice traffic. This can be defined as a small hub and spoke topology call. RTP traffic would have to be encrypted between one and two parties.


• Multicast One-to-Many or Many-to-Many Calls

An example of this would be a company-wide conference call. This conference call may or may not include a central point/initiator that defines security parameters. Multiple sites, with multiple VoIP conference and regular phones, would be included in the call. This can be defined as a large hub and spoke or a large spoke-to-spoke topology call. RTP traffic would have to be encrypted between multiple parties.

The three call scenarios above exist today for POTS phones, through PBXs, over the PSTN, and they must also be designed, deployed, and secured in any VoIP implementation. The following are three diagrams depicting the three call scenarios explained above:

Figure 6


Figure 7 


Figure 8 

Just as any country would plan an attack before invading another country, successfully exploiting or hacking a VoIP resource (network, server, hard/soft phone, etc.) requires reconnaissance to be performed to footprint, or identify, what the position of the ‘enemy/victim’ is. It is also important to understand that exploits that used to be effective (but no longer are) at attacking data on IP networks can have different results when targeted at VoIP resources.

“For instance, a SYN flood denial of service attack against your organization’s router might mean that web browsing is a little slow for internal users. While the very same SYN flood against a VoIP network or VoIP device might mean that voice conversations are unintelligible because of jitter or calls cannot be placed because of network latency” (Endler, 2007). Rather than brute forcing or performing VoIP exploit attempts for vulnerabilities against a VoIP resource, it makes sense to first go for the low hanging fruit (AKA, probing the underlying infrastructure such as the VoIP server’s weak password, telnet daemon enabled, low patching, etc.). A simple way of identifying what type of network devices a company uses in their infrastructure is researching the public domain. That means researching on the company’s website for new product use, open network/voice engineer positions available with a focus on one VoIP vendor vs. another (Cisco vs. Avaya vs. Asterisk, etc.). This information can often also be found by spending a few minutes researching on the Google search engine. While it is necessary for an organization to advertise open positions in the IT department to meet staffing needs, it is also a vulnerability of leaving that information in the public domain. It took me less than one minute to perform an advanced search for the


keywords “Cisco VoIP” and “Bank” to identify that Bank of America is widely deploying Cisco VoIP:

Figure 9

If you read the article carefully, it also states that Boeing, Ford, and even the Department of Defense are employing Cisco VoIP. What is even a greater treasure trove of information is that the article specifically lays out which of the Cisco devices are being used for the deployments. “The specific equipment that received certification includes Cisco Catalyst 3550, 4500 and 6500 switches; Cisco 2600 and 3700 gateways; and CallManager 3.3 call processing software” (http://blog.tmcnet.com/blog/rich-tehrani/cisco-voip-success-dod-and-bank-of-america.html). As such, any determined hacker that would want to disrupt or hack VoIP services for the Bank of America, Boeing, Ford, or even the DoD, now knows that he/she


could exploit any of the vulnerabilities of the above devices. As you can see, this is a rather trivial method of identifying pieces of an organization’s network infrastructure for future exploitation. Another related method of identifying what VoIP hardware/software services an organization employs is to read resumes of people who have worked there. Those resumes may often include detailed information on VoIP resources deployed in the person’s prior job.

Many network devices, both data and voice, typically have a web based GUI, which is used for administrative management. However clumsy network administrators will forgetfully and foolishly connect these VoIP phones to the network, and have them be accessible from the Internet, with the web interface enabled. The following is an example of a Cisco VoIP phone that I found connected to the Internet with its web interface enabled:

Figure 10


Figure 11 

There is no good reason why any Cisco VoIP phone should be left in a DMZ with a publicly routable IP address. To protect the innocent organization with their forgetfulness, I have fuzzed out information that could be used to hack this IP phone, and other resources of their infrastructure. I found this Cisco VoIP phone by typing the following into Google’s search engine: inurl:”NetworkConfiguration” Cisco. As you can see from the above two images, a Cisco VoIP phone left hanging on the Internet with the web management interface enabled is also a treasure trove of information. From the device information page, a potential attacker can now see the specific IP phone in use, the MAC address, hostname, IOS version, serial number, etc. From the network configuration page, an attacker can see the IP address, MAC address, subnet mask, tftp server address (which you could then hack to steal/change/delete configurations since Cisco VoIP


phones query the tftp servers upon bootup), Cisco call manager addresses, and other information that could not fit into the screenshot. From here you could then research vulnerabilities reported for the Cisco IP-phone 7960 series and probe the phone for them. Cisco VoIP phone vulnerabilities will be discussed later on in the Cisco section. It would also be rather easy for an attacker to fire up Nessus or any other vulnerability scanner, and probe the organization’s Internet accessible TFTP, DNS, call manager servers, and their border router. However after obtaining the IP addresses seen, those can then be used to perform “whois” and reverse DNS queries to identify what organization the IP addresses belong to. A quick NMAP (NMAP explained later) version scan, without initial ICMP ping probes, for ports 1-1024, of the VoIP phone’s IP address found only port HTTP:80/tcp open:

Figure 12

Two follow up examples of clumsiness would be not only leaving a VoIP phone’s HTTP management GUI enabled, but if doing so, not changing the IP phone’s default password. This, along with changing a user’s default voicemail password from likely his/her phone extension, are simple steps to preventing additional attack vectors. There are many websites on the


Internet that list default usernames and passwords for VoIP devices. The Uniden UIP1868P VoIP phone “by default has the web admin interface use a password with a value equal to "admin" (without quotation marks). Also, there is no username required; only password is required. This means that the security of the device ultimately relies on knowing one string of characters, rather than two (username/password)” (Unknown, 2006). Another example of a VoIP phone I found that had the web management GUI enabled, and was connected to the Internet, was a Polycom SoundPoint phone:

Figure 13

Thankfully for the organization owning the Polycom phone seen above, curious hackers attempting to view the network configuration information are at least prompted with a username and password. When I tested the phone by trying to logon with a random username and password, I produced a logon failure that


rendered a HTTP 401 unauthorized response. This username and password prompt could of course be brute forced. From the organization’s perspective, to protect against brute force logon attempts they would have to employ possibly a host or network based IPS, with a threshold of failed logon attempts until the offending external IP address was temporarily blocked. In doing my research, I could find no good reason for a VoIP phone to be reachable from the Internet with a publicly routable IP address. If an organization and its network of system administrators conclude that all VoIP phones should have their web GUIs enabled for management purposes, at the very least the default usernames and passwords should be changed.

An attacker that has the objective of hacking an organization’s VoIP infrastructure should not narrow his efforts to just devices running VoIP services.

“It behooves him to identify and map out other core network devices, including routers and VPN gateways, web, TFTP, DNS, DHCP, and RADIUS servers, firewalls, IPSs, etc. For instance, if an attacker were able to locate and knock down your tftp server, several models of phones trying to download configuration files on bootup might crash or stall” (Endler, 2007).

Going back to the war analogy, just as a commander prepares for an attack by identifying how many troops the enemy has, and what their weaknesses are, somebody wanting to attack an organization’s VoIP resources must identify live/listening target IP addresses. One of the ways that this can be done is by performing ICMP echo requests (type: 8 code: 0) to the organization’s target IP addresses. If the organization isn’t blocking all inbound ICMP traffic by a packet filtering router, stateful firewall,


etc., then the targeted hosts will likely respond with ICMP echo replies (type: 0 code: 0). Keeping track of the targeted hosts that respond, a hacker now has a list of live hosts for future enumeration, and eventually possible exploitation. Now you could manually try and ICMP ping one specific destination IP address, and if your plan of attack is only to one target, then that would be sufficient. However to successfully and efficiently identify live/listening hosts as well as which destination ports are open/accepting connections, I recommend using a robust scanning tool; particularly one that reads a target IP address list from file. There are many free network host and device discovery scanning tools available on the Internet. Each of the following tools differs slightly in design, however all are great for host discovery, and some are greater for vulnerability scanning (Nessus):

• NMAP

• Fping

• Hping

• Superscan

• Nessus

• Solarwinds (not free)

A quick search on a search engine will produce a large amount of documentation on how to use each of the above tools as well as links on where to download them. There are other scanning tools that are designed to specifically target certain VoIP protocols/services; however I will mention them later in this report. Just as there are certain hardware wiretapping tools available for tracking and listening to POTS phone conversations, there are also many freeware tools available to ‘sniff’, modify, and attack VoIP traffic. The following are a few popular VoIP sniffing tools:


• Vomit (Voice over misconfigured Internet telephones) - Can be used with tcpdump to convert RTP streams into .wav files.

• Oreka – “Oreka is a modular and cross-platform system for recording and retrieval of audio streams. The project currently supports VoIP and sound device based capture. Recordings metadata can be stored in any mainstream database. Retrieval of captured sessions is web based” (Sourceforge, 2005).

• VoIPong – “Utility which detects all Voice over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP…Produces real .Wav files for direct audio hearing, etc.” (Balaban, 2004).

The Voice over IP Security Alliance (VoIPSA) is an organization that was created to provide insight and expertise to vendor neutral VoIP security. They maintain a list of links to various VoIP security tools that can be used for sniffing, scanning and enumeration, packet creation and flooding, fuzzing, signaling and media manipulation, and other miscellaneous tools. This list can be found at http://www.voipsa.org/Resources/tools.php. I have used some of the tools in my research, however they will be discussed in sections ahead. Returning to enumeration, once a list of live/active IP addresses has been generated, the next step must be to port scan each one of them to identify open ports and services running. NMAP, as included above, is an excellent free tool for port scanning. Just to briefly mention some VoIP service ports, SIP uses ports 5060/tcp and udp for VoIP traffic. Port 5061/tcp is used for VoIP running over Transport Layer Security (TLS). Skype uses many random tcp ports. Inter-Asterisk Exchange (IAX) uses port 4569/udp.


An effective and trivial method of enumerating applications and services on a VoIP network (data also) is banner grabbing. The Netcat tool, available from Sourceforge, is helpful in performing manual banner grabbing. It can also be used as a port scanner and to set up backdoor connections. I ran Netcat against my test SIP server and was able to establish a connection. I also ran Netcat against the Cisco VoIP phone for ports HTTP:80/tcp and SIP:5060/tcp, that I found hanging on the Internet earlier. However, in the interest of not crossing the line, I did not attempt to upload any files to it:

Figure 14

Using Netcat with the ‘-u’ option allows the scanner to service check UDP ports, as was the case with probing the fuzzed out Internet found Cisco Unified CallManager and tftp server listening on port tftp:69/udp. While banner grabbing in and of itself does not compromise a VoIP resource target, it does identify the service/version running, which would be useful information to an attacker that would find an un-patched VoIP phone or VoIP PBX.

Enterprise VoIP relies significantly on services such as LDAP, DNS, RADIUS, TFTP, etc. If an attacker could find a TFTP


server left unsecured in an organization’s DMZ, since TFTP does not provide any type of authentication, the configuration files of various VoIP phones and other critical devices like routers, switches, firewalls, can be pulled to the attacker’s machine. For example, each time a Cisco 7912 VoIP phone boots up, it queries the local TFTP server for the SIPDefault.cnf to load (Unknown/Cisco, 2006). However because of TFTP being inherently insecure due to traffic not being encrypted, it's fairly easy to identify all the different configuration files served on an organization’s TFTP server without attacking it. However this is dependent upon the attacker being able to sniff traffic on the TFTP server’s network. If an attacker would be able to overwhelm a switch by flooding it with ARPs, then the switch would fail open, turning it essentially into a hub. All VLAN configurations would be ignored and all switch ports would receive copies of all packets. The attacker could then run a tcpdump or Wireshark (formerly Ethereal) packet capture just for TFTP traffic. Again, since TFTP is sent in clear text, the configuration files served on the server would be visible, and the attacker could then request them himself. Going back to the Cisco VoIP phone with the HTTP GUI enabled found in the example above, an attacker could easily use tftp to pull the SIPDefault.cnf configuration file to reveal various extensions, usernames, passwords, etc. No configuration files were transferred from any of the tftp servers found while searching for them for this report. The best practice for securing tftp servers necessary for the successful operation of VoIP resources would be to apply a layered security approach, such as including host based firewalls on tftp servers and specifically defining the IP address ranges permitted to ‘GET’ files from the tftp server, and to deny all others.


However this can be easily circumvented via spoofing one’s source IP address.

Simple Network Management Protocol or SNMP is an application layer protocol that is used to exchange various types of management information between routers, switches, firewalls, servers, and other various devices used on a network such as VoIP phones, both wired and wireless. SNMP version 1 and 2 are inherently insecure since they use clear text community strings or passwords for authentication. SNMPv3, as defined in RFC 3411, however employs the use of 3DES and AES encryption and authentication for the exchange of management traffic. SNMPv1 is widely supported by most VoIP phones for functionality and backwards compatibility purposes. However most VoIP phones come with SNMPv1 daemons enabled and network administrators clumsily forget to change the default SNMP community string. An example of this is the US-CERT/NIST CVE-2005-3722, where it is noted that the SNMP v1/v2c daemon in Hitachi IP5000 VOIP WIFI Phone 1.5.6 allows remote attackers to gain read or write access to system configuration using arbitrary SNMP credentials. This vulnerability would allow unauthorized access, partial confidentiality, integrity, and availability violation, allow unauthorized disclosure of information, and allow a disruption of service. Upon further research, the following was found:

1) The phone has an undocumented open port 3390/tcp that allows access to the Unidata Shell upon connection. The service reportedly cannot be disabled and can potentially be exploited to gain access to sensitive information and to cause a DoS.

2) The phone has a hardcoded administrative password of "0000". This may be exploited by a user with physical access to the phone to modify the phone's configuration.


3) The default index page of the phone's HTTP server (8080/tcp) discloses information like phone software versions, phone MAC address, IP address and routing information.

4) The vulnerabilities have been reported in firmware versions prior to 2.0.1.

Fixes for these problems were added in the updated firmware version 2.0.1 or later, where an administrator was then strongly encouraged to change the passwords ASAP (Merdinger, 2005). A similar SNMP vulnerability was found in US-CERT/NIST CVE-2005-3803 for the Cisco 7920 Wireless IP Phone, firmware version 2.0 and earlier.

During my research I found that there are plenty of pieces of documentation noting the default SNMP community strings used on devices out of the box. One such website which I browsed to was http://www.phenoelit-us.org/dpl/dpl.html. The disabling of SNMPv1 and v2 daemons on VoIP phones where possible, and using SNMPv3, would be optimal for all VoIP devices.

All network devices are susceptible to denial and distributed denial of service attacks, including VoIP resources. However even if the DOS or DDOS is not targeted against an internal VoIP resource (phone, proxy server, etc.), flooding the internal networks (routers, switches, firewalls etc.) with junk/non-business packets would still degrade the QOS of VoIP. The DOS attacks can include TCP SYN scans, ICMP floods (if ICMP is permitted). When targeted against a SIP PBX by the means of sending many INVITE, REGISTER, and BYE requests simultaneously, this could halt all VoIP call service. There are various vendors that sell appliances that can be deployed at the perimeter or core of a network to detect, threshold, or block infected host


outbound DOS or external inbound DOS, such as Arbor Networks, Mirage Networks, and TippingPoint (Endler, 2007).
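The failed-logon threshold described earlier for an IPS protecting a phone's web GUI and the INVITE/REGISTER/BYE flood just described are the same detection problem: count events per source over a sliding window and flag sources that cross a threshold. The following is an added example, not code from the paper or from any of the vendors named; the log formats, thresholds and addresses are constructed assumptions.

```python
"""Sliding-window threshold detector (added example, not from the paper).
Flags sources that exceed a per-window event count, applied to two
constructed log feeds: 401 failures from an IP phone's web GUI and SIP
INVITE/REGISTER/BYE requests at a PBX. Formats and values are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed phone web GUI access log: timestamp, source, method, path, status.
# 203.0.113.7 guesses credentials six times in four seconds; 10.10.5.4 mistypes
# once and then logs in.
HTTP_LOG = """\
2007-10-02T09:00:01 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:02 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:02 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:03 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:04 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:05 203.0.113.7 GET /NetworkConfiguration 401
2007-10-02T09:00:10 10.10.5.4 GET /NetworkConfiguration 401
2007-10-02T09:00:11 10.10.5.4 GET /NetworkConfiguration 200
"""

# Constructed SIP proxy log: timestamp, source, request method. One source
# sends 30 INVITEs in two seconds; a phone registers once and hangs up once.
SIP_LOG = "\n".join(
    ["2007-10-02T09:01:%02d 198.51.100.20 INVITE" % (i // 15) for i in range(30)]
    + ["2007-10-02T09:01:05 10.10.20.15 REGISTER",
       "2007-10-02T09:01:40 10.10.20.15 BYE"]
)


def over_threshold(events, window_seconds, threshold):
    """events: iterable of (datetime, key). Returns the set of keys that had
    at least `threshold` events inside some span of `window_seconds`."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = set()
    for ts, key in sorted(events):
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have aged out of the window ending at ts.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(key)
    return flagged


def http_failures(log_text):
    """Yield (timestamp, source) for each 401 in the constructed GUI log."""
    for line in log_text.splitlines():
        ts, src, _method, _path, status = line.split()
        if status == "401":
            yield datetime.fromisoformat(ts), src


def sip_requests(log_text, methods=("INVITE", "REGISTER", "BYE")):
    """Yield (timestamp, source) for the flood-prone SIP request methods."""
    for line in log_text.splitlines():
        ts, src, method = line.split()
        if method in methods:
            yield datetime.fromisoformat(ts), src


def brute_force_sources(log_text=HTTP_LOG, window_seconds=60, threshold=5):
    """Sources that failed to log on `threshold` times within the window;
    an IPS would block these addresses temporarily."""
    return over_threshold(http_failures(log_text), window_seconds, threshold)


def sip_flood_sources(log_text=SIP_LOG, window_seconds=10, threshold=20):
    """Sources sending `threshold` or more signaling requests within the window."""
    return over_threshold(sip_requests(log_text), window_seconds, threshold)


if __name__ == "__main__":
    print("block candidates (web GUI):", sorted(brute_force_sources()))
    print("SIP flood sources:", sorted(sip_flood_sources()))
```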

In the past as organizations began increasingly using e-mail, SPAM e-mails became more prevalent in soliciting the recipients to click on links to mortgage, erectile dysfunction, medical services, debt consolidation, and other sites to receive discounts. Similarly, VoIP prevalence in the enterprise and at home is increasing voice SPAM or SPAM over Internet Telephony (SPIT).

“SPIT is not a problem right now because, while there is a fair amount of VoIP deployed and the amount is certainly growing, most of it is present in disconnected internal VoIP deployments. While enterprises have a fair amount of VoIP, it is uncommon to connect these deployments to others. Circuit-switched access and the PSTN continue to be the primary interconnects between enterprises… Over time, more enterprises will interconnect themselves via VoIP, most likely through SIP trunks to service providers and/or the Internet” (Endler, 2007).

While e-mail SPAM is a nuisance requiring recipients to delete the e-mails and update SPAM filters, SPIT would consume much more time of recipients by having to answer the phone and listen, if even for short periods of time. This will considerably cut into employee productivity, and since the caller ID can be spoofed, the recipient may well think it’s a legitimate source calling. While sending SPAM is virtually free, a SPIT infrastructure costs money to set up in terms of buying a PC or server to run SER or Asterisk, as well as purchasing SIP trunking services from an ITSP. Further research led me to the www.hackingvoip.com/sec_tools.html website that provides a free SPIT tool called ‘SPITTER’. Another SPIT producing tool found


online was ‘TeleYapper’, that works in conjunction with trixbox (http://nerdvittles.com/index.php?p=113).

SPIT will most likely not be sourced internally within an enterprise network, unless of course there is a compromised or rogue SIP proxy using the organization’s network to send SPIT outbound to the next victims. VoIPshield Systems sells a product called ‘VoIPblock TM Anti-SPIT (Voice Spam)’ that claims to be effective at mitigating SPIT threats by white/black listing based off of user feedback, employing the use of a correlation engine and anti-spit policies (http://www.voipshield.com/products/voipblock.html). This product is designed to sit inline with a SIP proxy to stop SPIT traffic before it reaches the proxy, similar to snort inline IPS. Without being able to download it and test for myself, I cannot test to see if the product is effective at stopping threats as it claims to.

“Voice phishing or vishing, involves an attacker setting up a fake interactive voice response system (IVR) to trick victims into entering sensitive information such as account, PIN, and social security numbers, or any authentication info that is used to verify your identity” (Endler, 2007). Vishing, just like phishing and other existing social engineering threats, relies on the victim to trust the source. Whether it is links or attachments in e-mails, suspicious faxes, IMs from people you don’t know, etc., if the trust and look of authenticity is maintained to a certain degree, then vulnerabilities like this will persist:

“More than 1,000 people in the Jefferson City area received a prerecorded phone message Wednesday that sought customer information and claimed to be from “Central Trust Bank” - a name Central Bank does not go by - and, in fact, showed Central Bank's customer service line on caller ID systems.


The fraudulent attempt to obtain people's information by luring them with an "account deactivation" threat was dealt with quickly by Central Bank, Jefferson City Police Department and employees, said Dan Westhues, senior vice president of retail banking. By Thursday morning, more than 400 concerned customers had notified Central Bank of the situation. The latest scam again prompted officials to warn people not to give out PIN numbers or account numbers for credit cards, debit cards or bank accounts to entities that already have them" (Brooks, 2007).

Fundamentally, for this to work in a somewhat anonymous way for

the attacker, he would have to have compromised a remote PC or remote SIP proxy. Trixbox, formerly called Asterisk@Home, is a SOHO version of the free Asterisk VoIP PBX. If an attacker could copy the trixbox .iso file to the compromised host and install it, he could potentially have a working remote VoIP PBX/IVR. A 1-800 number could be purchased from any random ITSP such as FreedomVoice or Sixtel (http://tollfree.freddomvoice.com/), (http://sixtel.net/). That '800' number would route calls to the rogue Asterisk proxy server. For this to work realistically, the firewall rules between the Internet and the compromised host would have to permit the VoIP traffic to reach the new rogue Asterisk proxy. The trixbox IVR system could be configured, and then the voice response messages for victims to hear must be recorded. While this is all possible and feasible, if an organization is monitoring firewall, VoIP, and other logs closely, then this suspicious activity from the rogue Asterisk server would be brief. This topic also goes back to user/employee VoIP security awareness: do not trust callers as much, and verify independently what they are saying (identify phone numbers, e-mails, etc. independently).


"Much in keeping with the theme of Black Hat, where honesty is not the best policy but the only policy, iSec Partners security experts Himanshu Dwivedi and Zane Lackey took the stage to deliver the bad news: VoIP systems based on H.323 and the Inter-Asterisk eXchange (IAX) protocols can be fairly easily compromised and brought down" (Messmer, 2007).

Navigating to www.isecpartners.com/voip_tools.html brings you to a site containing multiple VoIP security tools, some for auditing use and some for exploitation use:

•  VSAP

VSAP is an automated question/answer tool to audit the security of VoIP networks (SIP/H.323/RTP). It provides security topics and audit questions for the end user to complete. Once all the questions are answered, VSAP will show all satisfactory and unsatisfactory responses and display a final score.

•  RTP Injection Files

RTP injection files can be used with nemesis, a packet injection tool, for a variety of attacks on VoIP networks using RTP. Attack files include Flood, BYE, and Denial of Service.

•  IAXHangup

IAXHangup is a tool used to disconnect IAX calls. It first monitors the network in order to determine if a call is taking place. Once a call has been identified, it then injects a HANGUP control frame into the call.

•  IAXAuthJack


IAXAuthJack is a tool used to actively perform an authentication downgrade attack and force an endpoint to reveal its password in plaintext over the network. It performs this attack by sniffing the network for traffic indicating that a registration is taking place, and then injecting a REGAUTH specifying that the endpoint should authenticate in plaintext rather than with MD5 or RSA. The attack only succeeds if the registering endpoint is willing to honour a plaintext-only challenge, so the practical defence is an endpoint (and peer) configuration that refuses plaintext authentication outright.

These tools should be used carefully, and can be used in a VoIP penetration test against an organization's VoIP infrastructure.
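Because the downgrade works by presenting the endpoint with a REGAUTH whose AUTHMETHODS information element lists only plaintext, the place to stop it is the endpoint's choice of method. The Python below is an added example written for this discussion; it is not code from iSec Partners, from Asterisk, or from this paper. It builds an IAX2 REGAUTH full frame, parses it back, and applies a policy that picks the strongest offered method and refuses a plaintext-only offer. The frame layout and constant values (frame type 6, REGAUTH subclass 0x0e, the USERNAME/AUTHMETHODS/CHALLENGE information elements, and the method bits 1/2/4) are taken from the IAX2 specification; the call numbers, username and challenge are made up for the example, and the function names are mine.

```python
import struct

# Constants as defined in the IAX2 specification (draft-guy-iax / RFC 5456).
IAX_FRAME_TYPE = 0x06        # frame type: IAX control frame
IAX_SUBCLASS_REGAUTH = 0x0E  # REGAUTH subclass
IE_USERNAME = 0x06           # information element: USERNAME
IE_AUTHMETHODS = 0x0E        # information element: AUTHMETHODS (16-bit bitmask)
IE_CHALLENGE = 0x0F          # information element: CHALLENGE
AUTH_PLAINTEXT = 0x0001
AUTH_MD5 = 0x0002
AUTH_RSA = 0x0004


def build_regauth(src_call, dst_call, username, methods, challenge=None,
                  oseq=0, iseq=1, ts=0):
    """Build an IAX2 REGAUTH full frame: 12-byte header followed by IEs.
    Call numbers, username and challenge are example values, not real ones."""
    header = struct.pack(
        ">HHIBBBB",
        0x8000 | (src_call & 0x7FFF),   # F bit set marks a full frame
        dst_call & 0x7FFF,              # R bit clear: not a retransmission
        ts, oseq, iseq, IAX_FRAME_TYPE, IAX_SUBCLASS_REGAUTH,
    )
    ies = bytes([IE_USERNAME, len(username)]) + username.encode()
    ies += bytes([IE_AUTHMETHODS, 2]) + struct.pack(">H", methods)
    if challenge is not None:
        ies += bytes([IE_CHALLENGE, len(challenge)]) + challenge.encode()
    return header + ies


def parse_ies(payload):
    """Decode the type/length/value information elements after the header."""
    ies = {}
    i = 0
    while i + 2 <= len(payload):
        ie_type, ie_len = payload[i], payload[i + 1]
        ies[ie_type] = payload[i + 2:i + 2 + ie_len]
        i += 2 + ie_len
    return ies


def parse_full_frame(frame):
    """Decode the fixed IAX2 full-frame header and the IEs that follow it."""
    if len(frame) < 12 or not frame[0] & 0x80:
        raise ValueError("not an IAX2 full frame")
    src, dst, ts, oseq, iseq, ftype, subclass = struct.unpack(">HHIBBBB", frame[:12])
    return {"src_call": src & 0x7FFF, "dst_call": dst & 0x7FFF, "timestamp": ts,
            "oseqno": oseq, "iseqno": iseq, "type": ftype,
            "subclass": subclass & 0x7F, "ies": parse_ies(frame[12:])}


def choose_auth_method(frame, allow_plaintext=False):
    """Endpoint policy: answer with the strongest method the REGAUTH offers.
    Returns None when only plaintext is offered and policy forbids it, which
    is exactly the injected REGAUTH an IAXAuthJack-style attack sends."""
    f = parse_full_frame(frame)
    if f["type"] != IAX_FRAME_TYPE or f["subclass"] != IAX_SUBCLASS_REGAUTH:
        raise ValueError("not a REGAUTH frame")
    methods = struct.unpack(">H", f["ies"][IE_AUTHMETHODS])[0]
    for strong in (AUTH_RSA, AUTH_MD5):
        if methods & strong:
            return strong
    if methods & AUTH_PLAINTEXT and allow_plaintext:
        return AUTH_PLAINTEXT
    return None
```

With `allow_plaintext` left at its default the endpoint simply drops the downgraded challenge and the registration fails closed; the legitimate server's REGAUTH, which offers MD5 and RSA alongside a challenge, is still answered with the strongest method.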

Attackers have been dreadfully successful at employing cross-site scripting (XSS) attacks to gain confidential information from victims and from data resources. As expected, it was only a matter of time until an XSS vulnerability would be found and exploited against a VoIP phone. The US-CERT/NIST entry CVE-2007-5411 details a "Cross-site scripting (XSS) vulnerability in the Linksys SPA941 VoIP Phone with firmware 5.1.8 allows remote attackers to inject arbitrary web script or HTML via the From header in a SIP message." The SecurityFocus page provided greater detail on this exploit:

"Linksys SPA941 devices are prone to an HTML-injection vulnerability because the built-in web server fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible" (State, 2007).

This vulnerability falls into the category of insecure programming without input validation (more precisely, without output encoding of untrusted data before it is placed in an HTML page), just as so many other vulnerabilities have, and according to SecurityFocus there is no remedy available as of October 2007 for organizations


using this phone. With further research, I found the exploitive SIP INVITE message in question:

    INVITE sip:h@192.168.1.3 SIP/2.0
    Via: SIP/2.0/UDP 192.168.1.9:5060;rport
    To: sip:h@192.168.1.3
    From: "<script>alert('hack')</script>""natraj"<sip:natraj@loria.fr>;tag=002f000c
    Call-ID: 401010907@192.168.1.9
    CSeq: 4857 INVITE
    Content-Type: application/sdp
    Subject: sip:natraj@loria.fr
    Contact: "natraj" <sip:192.168.1.9:5060;transport=udp>
    Content-Length: 214

    v=0
    o=root 47650 47650 IN IP4 192.168.1.9
    s=session
    c=IN IP4 192.168.1.9
    t=0 0
    m=audio 5070 RTP/AVP 3 0 110 5
    a=rtpmap:3 GSM/8000/1
    a=rtpmap:0 PCMU/8000/1
    a=rtpmap:110 speex/8000/1
    a=rtpmap:5 DVI4/8000/1

(State, 2007).
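To make the defect concrete, the following Python is an added example (not code from this paper, from the advisory, or from the Linksys firmware). It parses the From header of that INVITE into display name, URI and parameters, shows what a phone web interface that drops the display name straight into its call log emits, and shows the escaped output a fixed interface should emit. The INVITE is a constructed, trimmed copy of the message above (body and Content-Length omitted); the function names are mine.

```python
import html
import re

# Constructed sample: the advisory's INVITE trimmed to the headers used here.
SAMPLE_INVITE = (
    "INVITE sip:h@192.168.1.3 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.9:5060;rport\r\n"
    "To: sip:h@192.168.1.3\r\n"
    "From: \"<script>alert('hack')</script>\"\"natraj\"<sip:natraj@loria.fr>;tag=002f000c\r\n"
    "Call-ID: 401010907@192.168.1.9\r\n"
    "CSeq: 4857 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# RFC 3261 name-addr form: [display-name] "<" addr-spec ">" *(";" param)
_NAME_ADDR = re.compile(
    r"^\s*(?P<display>.*?)\s*<(?P<uri>[^>]+)>(?P<params>(?:;[^;]*)*)\s*$")


def parse_sip_request(raw):
    """Split a SIP request into (start line, header dict, body).
    Header names are lower-cased; for repeated headers the first value wins."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, body


def parse_name_addr(value):
    """Break a From/To value into display name, URI and parameters. Quoted
    display-name pieces are unquoted and joined; nothing is sanitised here,
    because at this layer the header is just data, not HTML."""
    m = _NAME_ADDR.match(value)
    if not m:
        raise ValueError("unsupported From/To form: %r" % value)
    raw_display = m.group("display")
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', raw_display)
    display = " ".join(quoted) if quoted else raw_display.strip()
    params = {}
    for p in m.group("params").split(";"):
        if p:
            k, _, v = p.partition("=")
            params[k] = v
    return {"display": display, "uri": m.group("uri"), "params": params}


def render_caller_id_vulnerable(display):
    """A web UI without output encoding: the display name is dropped into the
    page as-is, so the attacker's <script> tag becomes live markup."""
    return '<td class="caller">%s</td>' % display


def render_caller_id_safe(display):
    """Hardened form: HTML-encode untrusted SIP header data before it lands in
    an HTML context; the tag is now displayed as text, not executed."""
    return '<td class="caller">%s</td>' % html.escape(display, quote=True)


def caller_id_from_invite(raw, safe=True):
    """End to end: pull the From header out of an INVITE and render it."""
    _, headers, _ = parse_sip_request(raw)
    parsed = parse_name_addr(headers["from"])
    renderer = render_caller_id_safe if safe else render_caller_id_vulnerable
    return renderer(parsed["display"])
```

The encoding step belongs at the point where the value is written into HTML, not in the SIP stack: the same display name is legitimately allowed to contain angle brackets and quotes on the wire, and the phone still has to log it.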

As you can see, the 'From:' header contains a script. Due to the lack of input validation on the phone's web interface, attackers are able to craft 'From:' headers that include scripts, or that spoof caller ID names and numbers (as discussed later). There are likely other such XSS exploits against VoIP phone web servers that have not yet been reported but will be over time.

Another frightening prospective VoIP vulnerability is that of VoIP SIP botnets. Bots are zombie PCs that have been infected with some sort of malware and, unbeknownst to the owner, are under the control of a bot herder or command and control server. The bot herder controls the bots through a control channel such as Internet Relay Chat (IRC) or peer-to-peer (P2P) networks.


"In just eight months the Storm worm has infected more than 20 million computers and built a zombie army -- or botnet -- capable of launching DDoS attacks that could be used against any organization or even damage critical infrastructure, according to security experts" (Tung, 2007). As you can see, there is a legitimate fear here that if the Storm worm can infect millions of PCs, VoIP SIP phones will also become infected and join other bots in attacks against data and/or VoIP resources throughout the world. As such, device logs should always be scrutinized, and offending external IP addresses blocked at the SIP firewall/edge device as soon as they are identified.

"On a larger level, though, it's just a powerful reminder that the botnet threat is very real out there. And the question is... could your IP telephony infrastructure withstand a botnet attack? Is your larger IT infrastructure up to withstanding some degree of an attack? Do you have multiple VoIP gateways? Could you route around points on your infrastructure that were being attacked? Do you (gasp) have TDM trunks that could work as backups? I don't know if anyone in Estonia has had their IP telephony disrupted by botnets, but odds are if the attacks are as bad as being reported, some companies probably did. What will you do to ensure your company's IP communication isn't disrupted should botnets come calling?" (York, 2007).

A SIP botnet could be ordered to perform DDoS attacks against any organization's SIP infrastructure via floods of INVITE, REGISTER, and BYE requests, subsequently overwhelming the SIP infrastructure including SIP firewalls and VoIP intrusion prevention systems (VIPSs).

Unrelated to VoIP botnets, an interesting vulnerability was found, detailed in US-CERT/NIST CVE-2007-3047, noting that "The Vonage VoIP Telephone Adapter has a default administrator username "user" and password "user," which allows remote


attackers to obtain administrative access". Further research led me to the SecurityFocus website, which details this vulnerability further:

"The Vonage VoIP Telephone Adapter device is, by default, accessible from the WLAN/internet. The product ships with the default username of 'user' and default password of 'user' to access the administrative backend. Users are suggested to update their passwords immediately. An attacker could cause a denial-of-service by uploading broken firmware to the device, or by constantly rebooting the device" (Martinelli, 2007).

Given the prevalence of Vonage (not researched in this report) in the SOHO market, there are likely still thousands of these adapters in their default 'out of box' configuration, thus giving attackers the ability to harvest calls and eavesdrop on conversations. This is similar to the lax effort of the average person to secure their Wi-Fi router 'out of box'.


III.  Real-time Transport Protocol (RTP)

The Real-time Transport Protocol, or RTP, carries the media (audio, and video where used) of a VoIP call, and is documented in RFC 3550 as an IETF standard. "RTP provides end-to-end network transport functions suitable for applications transmitting real-time data, such as audio, video or simulation data, over multicast or unicast network services" (Schulzrinne, Casner, Frederick, Jacobson, 2003). However, before the RTP voice call can be exchanged, each caller must know how to reach the callee(s) and other important call information, such as what codecs will be used/supported. The session to identify this information can be established using SIP, whereby a SIP proxy server will provide location information to both callers. During the SIP session, Session Description Protocol (SDP) messages will be exchanged to tell all callers what destination IP address to send packets to, what ports to open for RTP and RTCP, and what codec to use (SDP will be discussed in greater detail later on). However, the actual RTP voice call will not traverse or be proxied through the SIP proxy server. The RTP voice session will be directly between the two VoIP phones (unless the deployment deliberately anchors media on a media relay or session border controller, in which case that device is the RTP endpoint each phone sees). It is important to identify these separations in functionality, since a potential attacker knows that he can target his reconnaissance and exploits against vulnerabilities in any of the above (SIP, SDP, RTP, and RTCP) in an effort to modify, degrade, or perform denial of service attacks against VoIP calls. The following is a simple diagram to illustrate the explained functionality:


Figure 15

(http://blog.lithiumblue.com/2007/07/understanding-relationship-between-sip.html)

There is some consideration that must be taken when defining the IP address to contact in the SDP message in terms of NAT traversal, but that will be discussed later on in the SIP section. "RTP does not address resource reservation and does not guarantee quality-of-service for real-time services" (Schulzrinne, Casner, Frederick, Jacobson, 2003). While RTP is used for the actual data/voice audio exchange, RTCP is used to monitor the QoS of the audio, and to exchange control information between the participants in a session. According to IANA, port 5004/udp is registered for RTP and port 5005/udp for RTCP traffic (discussed later). However, according to RFC 3550, RTP and RTCP traffic is not bound to these ports, although they may be configured by default on some VoIP phones.

"For UDP and similar protocols, RTP SHOULD use an even destination port number and the corresponding RTCP stream SHOULD use the next higher (odd) destination port number. For applications that take a single port number as a parameter and derive the RTP and RTCP port pair from that number, if an odd number is supplied then the application SHOULD replace that number with the next lower (even) number


to use as the base of the port pair." (Schulzrinne, Casner, Frederick, Jacobson, 2003)

Since the 0-1023 port range is reserved for well-known services, and many Linux distributions automatically assign ephemeral ports in the 1024-5000 range for various services, research shows the broad range of dynamically selected RTP and RTCP ports beginning at 5000/udp, with no distinct end range. This knowledge is useful to an attacker, since a more targeted/smaller range of ports can be scanned against a target VoIP phone to identify active/open RTP and RTCP ports. Since RTP uses UDP for faster audio delivery due to less overhead when compared to TCP, there must be some method of keeping track of packets. The first 12 bytes of the RTP header (the fixed header) are present in every RTP packet, optionally followed by CSRC identifiers and a header extension. Like TCP, RTP uses timestamps and sequence numbers to uniquely identify each RTP packet and reconstruct the voice conversation on the receiving end(s); unlike TCP, RTP never retransmits, so the sequence number only lets the receiver detect loss and reorder packets. The relationship of RTP and RTCP, using one port for data/audio exchange and a second port for control, is similar to FTP (File Transfer Protocol), where the initial connection is established to port 21/tcp for control, and then, in active mode, a second connection is established from port 20/tcp for the data to be exchanged.
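The Python below is an added example (it is not from this paper or from RFC 3550) that applies the even/odd port rule quoted above, decodes the fixed 12-byte RTP header plus its CSRC list, and implements the receiver-side checks, matching SSRC and next-expected sequence number, that an injector has to satisfy before a packet is accepted into a stream; that last point is the one the man-in-the-middle discussion later in this section relies on. The sample packet is constructed inline for the example, and the class and function names are assumptions of this example rather than anything from the RFC.

```python
import struct

# Constructed sample RTP packet: fixed 12-byte header (V=2, no padding, no
# extension, CC=0, M=0, PT=0 PCMU, seq=0x1234, ts=1000, SSRC=0xDEADBEEF)
# followed by four bytes of fake payload.
SAMPLE_RTP = bytes([0x80, 0x00, 0x12, 0x34,
                    0x00, 0x00, 0x03, 0xE8,
                    0xDE, 0xAD, 0xBE, 0xEF]) + b"\xff\xff\xff\xff"


def rtp_port_pair(port):
    """RFC 3550 rule: RTP on an even port, RTCP on the next higher odd port;
    an odd input is replaced by the next lower even number as the base."""
    base = port if port % 2 == 0 else port - 1
    return base, base + 1


def parse_rtp_header(packet):
    """Decode the fixed RTP header (RFC 3550 section 5.1) and any CSRC list.
    Raises on packets too short to hold the header or not version 2."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    if len(packet) < hdr_len:
        raise ValueError("truncated CSRC list")
    csrcs = struct.unpack(">%dI" % cc, packet[12:hdr_len]) if cc else ()
    return {"version": version, "padding": bool(b0 & 0x20),
            "extension": bool(b0 & 0x10), "csrc_count": cc,
            "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc,
            "csrcs": csrcs, "payload": packet[hdr_len:]}


class RtpStreamTracker:
    """Minimal receiver-side sanity check for one stream. A real jitter buffer
    tolerates gaps and reordering; this tracker is deliberately strict so the
    effect of a forged packet is visible: wrong SSRC or a sequence number that
    is not the next expected one is reported instead of being played out."""

    def __init__(self, ssrc, first_seq):
        self.ssrc = ssrc
        self.expected = (first_seq + 1) & 0xFFFF  # 16-bit wraparound

    def accept(self, hdr):
        if hdr["ssrc"] != self.ssrc:
            return "wrong-ssrc"
        if hdr["sequence"] != self.expected:
            return "out-of-sequence"
        self.expected = (self.expected + 1) & 0xFFFF
        return "ok"
```

An attacker who has only guessed the port pair can reach the socket, but without the SSRC and the current sequence number from a sniffed packet the tracker rejects every injected packet; with them, as the MITM discussion below notes, injection is straightforward because plain RTP carries no authentication.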

"The audio conferencing application used by each conference participant sends audio data in small chunks of, say, 20 ms duration. Each chunk of audio data is preceded by an RTP header; RTP header and data are in turn contained in a UDP packet. The RTP header indicates what type of audio encoding (such as PCM, ADPCM or LPC) is contained in each packet so that senders can change the encoding during a conference, for example, to accommodate a new participant that is connected through a low-bandwidth link or react to


indications of network congestion... RTCP monitors the QOS to convey information to call initiators and receivers." (Schulzrinne, Casner, Frederick, Jacobson, 2003)

While SIP and H.323 can be used to build sessions from end point to end point, both use RTP to send the actual media. VoIP, and specifically RTP, is susceptible to Man In The Middle (MITM) attacks. With regard to RTP, "the presence of the sequence number, timestamp, and synchronization source identifier (SSRC) makes it difficult for an attacker to inject malicious RTP packets into a stream. The attacker needs to be performing a MITM attack or be able to monitor the packets so that the malicious packets include the necessary SSRC, sequence number, and timestamp" (Endler, 2007). Generally speaking, when injecting malicious packets into a TCP connection, if the IP addresses, sequence numbers, protocols, flags, ports, etc. do not match, then the out-of-sequence packets will be dropped. With RTP, likewise, the MITM would have to be able to sniff the sequence numbers, synchronization source identifiers, and timestamps. Without encryption and message authentication of the media stream (that is, with plain RTP), a voice call could be 'fuzzed' or degraded if it falls victim to a MITM attack, where the attacker would inject packets with altered sequence numbers, synchronization source identifiers, and timestamps, thereby degrading the voice quality.

ARP cache poisoning seems to be the method of choice for executing a MITM attack. Assuming the malicious user has acquired access to a PC on the same network as the VoIP phone and VoIP proxy, this can be performed using an ARP cache poisoning tool such as Cain and Abel to send out gratuitous ARP packets to all the VoIP phones and the VoIP proxy to change their MAC/IP address mappings. This is a layer 2 attack, which means that even if the VoIP traffic between the phone and VoIP proxy is encrypted, it can still be redirected through the


malicious PC and then forwarded to the VoIP proxy; the sniffed traffic, however, would all be ciphertext. This will continue to work as long as the VoIP phone and proxy continue to believe that the destination MAC address in their Ethernet frames belongs to the other. Outside of that local-LAN case, the likelihood of this happening is remote, seeing as the 'man in the middle' would have to be sniffing the call setup at the source phone/caller, the source data center (router uplink port or IDS SPAN port, etc.), the Internet/ISP leased network line, the destination data center (router uplink port or IDS SPAN port, etc.), or the destination phone/caller, not to mention the fact that if the voice call becomes overwhelmed with static, the callers could simply hang up and call again. As you can see, the likelihood of this happening is very small. Data traffic, especially automated traffic, has no human listening to notice that something is going wrong; a voice call does. One could only imagine the surprise when a VoIP call using RTP is in progress and, in mid-sentence, the destination caller all of a sudden hears somebody else's voice... The following is a diagram depicting the example:


Figure 16

The RTP injection or replacement of audio could also occur via a SIP rogue proxy attack (discussed later). While an IPsec VPN would encrypt all of the RTP packets (with ESP in tunnel mode only the new outer layer 3 IP header would remain visible), effectively causing somebody sniffing/listening to the voice to receive ciphertext, the solution does not scale well since it is not dynamic enough, due to the many connections and NAT traversals that will be necessary, along with the PKI infrastructure required. Secure Real-time Transport Protocol (SRTP), as defined in RFC 3711, provides a framework for securing RTP packets by providing encryption, authentication, and protection against replay attacks:

"SRTP can achieve high throughput and low packet expansion. SRTP proves to be a suitable protection for heterogeneous environments (mix of wired and wireless networks). To get


such features, default transforms are described, based on an additive stream cipher for encryption, a keyed-hash based function for message authentication, and an "implicit" index for sequencing/synchronization based on the RTP sequence number for SRTP and an index number for Secure RTCP (SRTCP)." (Baugher, McGrew, Cisco Systems, Naslund, Carrara, Norrman, 2004)

This is similar to IPsec VPN functionality, and can be combined with it for added encryption and authentication when traversing between multiple organization sites (although that is not necessary). Just as RTP and RTCP use two separate ports to send traffic, SRTP and SRTCP would be used to protect both, respectively. This becomes important because of authentication needs in terms of ensuring the integrity of sequence numbers and QoS communications.

"SRTP and SRTCP use two types of keys: session keys and master keys. By a "session key", we mean a key which is used directly in a cryptographic transform (e.g., encryption or message authentication), and by a "master key", we mean a random bit string (given by the key management protocol) from which session keys are derived in a cryptographically secure way. The master key(s) and other parameters in the cryptographic context are provided by key management mechanisms external to SRTP such as MIKEY, KEYMGT, and SDMS;" however, the key management portion is beyond the scope of this report. (Baugher, McGrew, Cisco Systems, Naslund, Carrara, Norrman, 2004)

In the effort to secure RTP and RTCP, one would also want to defend against 'replay' attacks, which could be performed by a


hacker sniffing the traffic stream and then injecting old or 'replayed' packets. All SRTP and SRTCP receivers, while using integrity protection/authentication, keep a replay list, which is used to compare the index of each incoming SRTP or SRTCP packet against the indices of packets already received within a sliding window of at least 64 packets. For SRTP that index is not the bare 16-bit RTP sequence number but the 48-bit packet index formed from the receiver's rollover counter (ROC) and the sequence number, so a replayed packet from before a sequence-number wrap is still recognised; for SRTCP it is the explicit index carried in the packet. The replay list is only updated after the packet's authentication tag has been verified, so forged packets cannot be used to push genuine ones out of the window.
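The Python below is an added example, written for this discussion and not taken from RFC 3711 or from any SRTP library, of a receiver-side replay guard for one SRTP stream. It estimates the rollover counter for each incoming sequence number the way RFC 3711 section 3.3.1 describes, keeps a 64-entry bitmask window below the highest index accepted, and updates its state only when the packet is reported as authenticated (a boolean argument here, standing in for the HMAC check that a real implementation performs first). The class name and the bitmask layout are mine.

```python
WINDOW_SIZE = 64  # RFC 3711: the replay window SHALL be at least 64 packets


class SrtpReplayGuard:
    """Replay list for one SRTP stream, keyed on the 48-bit packet index
    (ROC << 16 | SEQ) rather than on the bare 16-bit sequence number."""

    def __init__(self, window=WINDOW_SIZE):
        self.window = window
        self.roc = 0       # rollover counter
        self.s_l = None    # highest RTP sequence number authenticated so far
        self.top = -1      # highest packet index accepted so far
        self.seen = 0      # bit k set  =>  index (top - 1 - k) was accepted

    def estimate_index(self, seq):
        """RFC 3711 section 3.3.1: guess which rollover the packet belongs to,
        using the last authenticated sequence number s_l and the current ROC."""
        if self.s_l is None:
            return seq
        if self.s_l < 32768:
            v = (self.roc - 1) & 0xFFFFFFFF if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) & 0xFFFFFFFF if self.s_l - 32768 > seq else self.roc
        return (v << 16) | seq

    def check_and_update(self, seq, authenticated=True):
        """Return True if the packet is fresh (not already received and not
        older than the window) and its authentication tag verified. State is
        updated only for authenticated packets, so forged or replayed traffic
        cannot poison the list."""
        idx = self.estimate_index(seq)
        if idx > self.top:
            fresh = True
        elif idx == self.top or self.top - idx > self.window:
            return False                      # replayed, or too old to judge
        else:
            fresh = not ((self.seen >> (self.top - idx - 1)) & 1)
        if not (fresh and authenticated):
            return False
        # Packet accepted: slide the window or mark the late packet as seen.
        if idx > self.top:
            if self.top >= 0:
                shift = idx - self.top
                self.seen = ((self.seen << shift) | (1 << (shift - 1))) \
                    & ((1 << self.window) - 1)
            self.top = idx
        else:
            self.seen |= 1 << (self.top - idx - 1)
        # Advance ROC / s_l as section 3.3.1 requires after authentication.
        v = idx >> 16
        if v == (self.roc + 1) & 0xFFFFFFFF:
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        return True
```

The wraparound case is the one worth testing: after sequence number 65535 is followed by 0, the guard moves to ROC 1 and a replayed copy of the pre-wrap packet is rejected even though its 16-bit sequence number is the highest value seen.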


IV.   Asterisk and Inter-Asterisk Exchange (IAX)

Inter-Asterisk Exchange (from now on called 'IAX') is a call control protocol that was designed for use with Asterisk. "Asterisk is a full-featured IP PBX in software. It was primarily developed on GNU/Linux for x86, but it also runs on other OSs, including BSD and Mac... Asterisk provides voicemail, directory services, conferencing, interactive voice response (IVR), and other features" (Endler, 2007). A good analogy when referring to Asterisk is that, just as the open-source, Linux-based software firewall iptables is an alternative to Cisco's proprietary PIX, ASA, and FWSM firewalls, Asterisk is the open-source, Linux-based software IP PBX that is an alternative to Cisco's proprietary Unified CallManager. Asterisk generally uses SIP as its call session setup protocol. Asterisk, unlike Cisco's Unified CallManager or Avaya's Communication Manager, does not have to run on a proprietary media server, and it can be configured with specific line cards to support legacy equipment and phones. As such, it allows organizations to gradually introduce VoIP deployments into their infrastructure while retaining the well-tested and guaranteed QoS abilities of POTS and PBXs. Asterisk supports SIP, H.323, IAX, SCCP, and MGCP (Media Gateway Control Protocol, although research in many web forums indicates great difficulties in getting Asterisk to work with MGCP). Asterisk supports SIP by implementing both the SIP registrar and the SIP proxy server roles, which will both be discussed in the SIP section of this report (strictly speaking, Asterisk's SIP channel driver behaves as a back-to-back user agent that terminates and re-originates each SIP dialog, rather than as a transparent proxy). Essentially speaking, Inter-Asterisk Exchange is used for communications between multiple Asterisk IP PBXs. From the IAX2: Inter-Asterisk eXchange Version 2 draft-guy-iax-03, which is a 'work in progress', "IAX2 is an "all in one" protocol for handling multimedia in IP networks. It combines both control and media services in the same protocol.


In addition, IAX2 uses a single UDP data stream on a static port, greatly simplifying Network Address Translation (NAT) gateway traversal, eliminating the need for other protocols to work around NAT, and simplifying network and firewall management" (Unknown, 2007).

IAX2 using port 4569/udp for both media and signaling is in contrast to FTP, which uses port 21/tcp for control/setting up connections and port 20/tcp for data exchange. Asterisk was originally designed for smaller VoIP deployments, without the enterprise market in mind. IAX version 1 has since been deprecated and replaced with IAX2 (still referred to as IAX). The reason for this was the wasted bandwidth caused by having multiple connections for media and signaling when an Asterisk VoIP PBX would handle many calls. An example showing how Asterisk with IAX2 scales well is that IAX2 supports the trunking, or multiplexing, of multiple phone calls to the same destination over a single IP datagram. While this functionality is beneficial in terms of lowering bandwidth consumption, if the trunk is not encrypted and authenticated, an attacker sniffing this traffic on the network segments before and after the VPN would be able to see the requests of every multiplexed call in clear text. The following diagram illustrates the bandwidth savings of this implementation:


Figure 17

In the example above, there is an organization with offices in New York and Chicago. Each office uses an Asterisk VoIP PBX for voice traffic in separate Asterisk domains. An IPSec VPN connection is set up between both sites so that data and voice can be exchanged in both directions. In this example, there are multiple calls, at both sites, that are simultaneously sending and receiving voice traffic. When a caller in Chicago picks up his SIP VoIP phone and receives a dial tone, the caller is already registered as a user agent to the SIP proxy, which is running on the Asterisk VoIP PBX. When the Chicago caller dials a NY caller’s number/extension, the request is sent first to the Chi Asterisk SIP proxy server. The Chi Asterisk SIP proxy server receives the request and looks in the extensions.conf file to identify how and where to forward the VoIP traffic. If the Asterisk VoIP PBX sees in the extensions.conf file that the


destination number/extension is not a Chicago extension, but a NY extension, the Dial() application’s parameters instruct the Asterisk server to connect the call through an IAX2 channel to the Asterisk VoIP PBX in the NY office/domain. The dial scripts in the extensions.conf file point to the iax.conf file for connecting to the NY Asterisk PBX (Endler, 2007). Taking into consideration that on any business day, multiple users from one office would be calling users in the other office, you can see how building and tearing down all of these calls can become resource and bandwidth intensive. So instead of the Chi Asterisk building separate connections for each Chi-sourced call destined to a NY caller, using IAX2 trunking, the same IP datagram is used containing SRTP (secure audio) and SRTCP (secure control/QoS). This saving of overhead traffic, if done securely using SIP-TLS, SRTP, and SRTCP, would be beneficial since the IP headers of all the datagrams will have the same source and destination IP addresses. Bandwidth is saved this way by utilizing IAX2’s trunking mode between multiple Asterisk VoIP PBXs.

As mentioned earlier, the extensions.conf file is the file maintained by the Asterisk VoIP PBX to know how to forward VoIP traffic. However, care must be taken to configure the scripts in this configuration file securely so that somebody could not exploit a weakness in the configuration file and make calls for free. In the extensions.conf file, there are different ‘contexts’ or sections of scripts that are used to define how Asterisk handles internal, local, outbound calls, and inbound calls from other Asterisk VoIP PBX domains, as in an organization with multiple sites. There are certain contexts that have special meaning to Asterisk such as [default] and [internal]. However, others can be defined by a user such as [local] (extensions to local phones at an Asterisk site), [outbound]


(pointing to a 2nd or 3rd Asterisk domain, or the PSTN), and [inbound from 1.1.1.1] (from another Asterisk domain). In an extensions.conf file, the [internal] context is provided outbound calling privileges. So if one were to merge the [local] context with the [internal] context, an inbound caller from the PSTN could then be able to get a dial tone and place calls for free (Endler, 2007). A ‘phreaker’ is a term used to describe a person that tests telecommunications equipment to identify ‘holes’ or vulnerabilities, in an effort to make free outbound calls, sourced from and charged to the target organization. This is similar to the modern day hacker who probes targets on the Internet for vulnerabilities for future exploitation.

There is also an Asterisk VoIP manager that can be enabled on an Asterisk VoIP PBX.
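Before turning to the manager interface, the context-merging weakness described above can be checked for mechanically. The following audit script is an added example, not the paper's or the Asterisk project's code: it parses a dialplan, follows include => lines, and reports any context reachable from an untrusted inbound entry point that can Dial() out over a trunk. The two extensions.conf snippets, the context names and the trunk prefixes are constructed for illustration.

```python
"""Audit an Asterisk extensions.conf for contexts that hand outbound dialing
privileges to untrusted inbound callers (toll fraud via merged contexts).

Added example, not from the paper or the Asterisk project. Context names,
trunk prefixes and the sample dialplans are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Channel technologies that leave the organization when dialled
# (assumption: IAX2 trunk to the other site, DAHDI/Zap to the PSTN).
OUTBOUND_PREFIXES = ("IAX2/", "DAHDI/", "Zap/")

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
INCLUDE_RE = re.compile(r"^include\s*=>\s*(\S+)$")
# exten => <pattern>,<priority>,Dial(<args>)
EXTEN_DIAL_RE = re.compile(r"^exten\s*=>\s*[^,]+,\s*[^,]+,\s*Dial\((.+)\)$",
                           re.IGNORECASE)


def parse_dialplan(text):
    """Return (includes, dials): context -> [included contexts] and
    context -> [argument string of every Dial() in that context]."""
    includes, dials = defaultdict(list), defaultdict(list)
    context = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop dialplan comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            context = m.group(1)
            includes[context]                      # register even if empty
            continue
        if context is None:
            continue
        m = INCLUDE_RE.match(line)
        if m:
            includes[context].append(m.group(1))
            continue
        m = EXTEN_DIAL_RE.match(line)
        if m:
            dials[context].append(m.group(1))
    return includes, dials


def reachable(includes, start):
    """All contexts reachable from `start` by following include => lines."""
    seen, stack = set(), [start]
    while stack:
        ctx = stack.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        stack.extend(includes.get(ctx, []))
    return seen


def toll_fraud_paths(text, untrusted_contexts):
    """List (entry_context, reached_context, dial_target) for every Dial()
    to an outbound trunk that an untrusted inbound caller can reach."""
    includes, dials = parse_dialplan(text)
    findings = []
    for entry in untrusted_contexts:
        for ctx in sorted(reachable(includes, entry)):
            for target in dials.get(ctx, []):
                if target.startswith(OUTBOUND_PREFIXES):
                    findings.append((entry, ctx, target))
    return findings


# Constructed weak dialplan: the PSTN entry context includes [local], which
# includes [internal], so an outside caller inherits trunk access.
WEAK_EXTENSIONS_CONF = """\
[internal]
exten => _1XX,1,Dial(SIP/${EXTEN},20)
exten => _2XX,1,Dial(IAX2/ny-trunk/${EXTEN})
exten => _9.,1,Dial(DAHDI/g0/${EXTEN:1})

[local]
include => internal

[inbound-from-pstn]
include => local   ; merged with the privileged contexts
exten => s,1,Answer()
exten => s,n,Background(main-menu)
"""

# Constructed corrected dialplan: the PSTN entry context reaches local
# phones directly and never includes a context that can dial a trunk.
FIXED_EXTENSIONS_CONF = """\
[internal]
exten => _1XX,1,Dial(SIP/${EXTEN},20)
exten => _2XX,1,Dial(IAX2/ny-trunk/${EXTEN})
exten => _9.,1,Dial(DAHDI/g0/${EXTEN:1})

[inbound-from-pstn]
exten => s,1,Answer()
exten => s,n,Background(main-menu)
exten => _1XX,1,Dial(SIP/${EXTEN},20)
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_EXTENSIONS_CONF), ("fixed", FIXED_EXTENSIONS_CONF)):
        print(name, toll_fraud_paths(conf, ["inbound-from-pstn"]))
```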

“The Asterisk Manager allows a client program to connect to an Asterisk instance and issue commands or read PBX events over a TCP/IP stream. Integrators will find this particularly useful when trying to track the state of a telephony client inside Asterisk, and directing that client based on custom (and possibly dynamic) rules. In order to access the Asterisk Manager functionality a user needs to establish a session by opening a TCP/IP connection to the listening port (usually 5038/tcp) of the Asterisk instance and logging into the manager using the 'Login' action. This requires a previously established user account on the Asterisk server. User accounts are configured in /etc/asterisk/manager.conf. A user account consists of a set of permitted IP hosts, an authentication secret (password), and a list of granted permissions” (Jouanin, 2007).


This Asterisk manager provides a ‘mile high’ view into voice communications inside an organization (or at least the call processing by that particular Asterisk VoIP PBX). In Asterisk versions prior to 1.4, the logon authentication, command packets sent to the Asterisk Management Interface (AMI), and telephone state packets were sent unencrypted over port 5038/tcp. This means that a malicious user sniffing for this traffic could see logon credentials for the purposes of future logon and mischief. He could also glean more information about traffic flows to and from that Asterisk VoIP PBX. To secure this type of management traffic, AstManProxy has been developed. AstManProxy is a proxy management server that is used to connect to multiple Asterisk VoIP PBX management interfaces.

“It is designed to handle communication with multiple Asterisk servers and to act as a single point of contact for applications. AstManProxy supports multiple input/output formats, including Standard, XML, CSV, and HTTP, HTTPS and SSL… Many other features have been added, including a new authentication layer and support for the Action: Challenge MD5 authentication method. SSL is now supported, so you can encrypt from client to proxy to asterisk, end-to-end. Talking to Asterisk via SSL requires that you are running an SSL-capable version of Asterisk”. According to Asterisk bug forums, there has also been secure socket layer/transport layer security (SSL/TLS) support built into Asterisk 1.6. Using Stunnel and openSSL libraries in combination with AstManProxy, this allows a user HTTPS 443/tcp access to each Asterisk VoIP PBX (Troy, 2007).


One of the recent vulnerabilities identified in Asterisk implementations was noted in US-CERT/NIST CVE-2007-1594. “The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.” Further researching this vulnerability led me to the Asterisk/Digium bug forum that included notes from the person reporting the bug. The scenario which leads to this vulnerability was a user placing a call from their SIP phone, through their Asterisk SIP proxy, through the PSTN, to their mobile phone. When the mobile phone rang, the call was rejected, and a SIP response code 0 was sent, causing the Asterisk server to segfault (qwerty1979, 2007). This seemed strange to me since per RFC 2543, SIP responses are three-digit codes ranging from 1xx to approximately 6xx. Thus this was an invalid response code causing the crash. This can be categorized as a vulnerability due to lack of input validation. Input validation logic would have only accepted three-digit response codes ranging from 100-600, and dropped a response code of 0.

Another Asterisk vulnerability found was noted in US-CERT/NIST CVE-2007-1561. “The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address.” Further research led me to http://www.securityfocus.com/bid/23031/info, which also detailed that Asterisk is prone to this remote DoS attack, which prevents legitimate users from being able to place calls. Organizations using Asterisk were urged to replace vulnerable versions with Asterisk 1.2.17 and/or 1.4.2 (Abdelnur, 2007).
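The input validation that both of these defects lacked can be placed in front of response handling. The following validator is an added example, not the paper's or Asterisk's code: it rejects a status line whose code is not a three-digit value in the 1xx-6xx range, and rejects an SDP body in which any c= connection line does not carry a syntactically valid IP address of the declared type. The sample messages are constructed for illustration.

```python
"""Validate inbound SIP messages before call logic sees them: the status code
range check CVE-2007-1594 lacked, and the SDP address check CVE-2007-1561
lacked. Added example, not Asterisk's code; sample messages are constructed."""
import ipaddress
import re

STATUS_LINE_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
MIN_CODE, MAX_CODE = 100, 699      # RFC 3261 response classes 1xx..6xx


class SipValidationError(ValueError):
    """Raised for any message that must be dropped instead of processed."""


def parse_status_code(status_line):
    """Return the status code of a response status line, or raise.
    'SIP/2.0 0 Rejected' fails the three-digit match; '000' fails the range."""
    m = STATUS_LINE_RE.match(status_line.strip())
    if not m:
        raise SipValidationError(f"malformed status line: {status_line!r}")
    code = int(m.group(1))
    if not MIN_CODE <= code <= MAX_CODE:
        raise SipValidationError(f"status code out of range: {code}")
    return code


def split_message(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def validate_sdp_connection_lines(body):
    """Return the addresses of all c= lines; raise if any one is invalid.
    One valid and one invalid address is exactly the crashing case."""
    addrs = []
    for line in body.splitlines():
        if not line.startswith("c="):
            continue
        parts = line[2:].split()           # c=<nettype> <addrtype> <address>
        if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
            raise SipValidationError(f"malformed connection line: {line!r}")
        try:
            addr = ipaddress.ip_address(parts[2])
        except ValueError as exc:
            raise SipValidationError(f"invalid address in {line!r}") from exc
        if (parts[1] == "IP4") != (addr.version == 4):
            raise SipValidationError(f"address type mismatch in {line!r}")
        addrs.append(str(addr))
    return addrs


def validate_message(raw):
    """Return (status code or None for requests, list of SDP addresses),
    raising SipValidationError for anything that should be dropped."""
    start_line, headers, body = split_message(raw)
    code = None
    if start_line.startswith("SIP/2.0 "):
        code = parse_status_code(start_line)
    addrs = []
    if headers.get("content-type", "").lower() == "application/sdp":
        addrs = validate_sdp_connection_lines(body)
    return code, addrs


# Constructed samples (not captured traffic).
BAD_RESPONSE = "SIP/2.0 0 Rejected\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"
GOOD_RESPONSE = "SIP/2.0 486 Busy Here\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n\r\n"
GOOD_INVITE = (
    "INVITE sip:201@10.0.0.1 SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 8000 RTP/AVP 0\r\n"
)
BAD_INVITE = GOOD_INVITE + "c=IN IP4 10.0.0.999\r\n"   # second, invalid c= line

if __name__ == "__main__":
    for msg in (GOOD_RESPONSE, GOOD_INVITE, BAD_RESPONSE, BAD_INVITE):
        try:
            print("accepted", validate_message(msg))
        except SipValidationError as err:
            print("dropped:", err)
```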


Finally, a third recent vulnerability reported for the Asterisk VoIP PBX is detailed in US-CERT/NIST 2007-4455, noting that “The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created.”

“The handling of SIP dialog history was broken during the development of Asterisk 1.4. Regardless of whether recording SIP dialog history is turned on or off, the history is still recorded in memory. Furthermore, there is no upper limit on how many history items will be stored for a given SIP dialog. It is possible for an attacker to use up all of the system's memory by creating a SIP dialog that records many entries in the history and never ends. It is also worth noting for the sake of doing the math to calculate what it would take to exploit this that each SIP history entry will take up a maximum of 88 bytes.

The fix that has been added to chan_sip is to restore the functionality where SIP dialog history is not recorded in memory if it is not enabled. Furthermore, a maximum of 50 entries in the history will be stored for each dialog when recording history is turned on. The only way to avoid this problem in affected versions of Asterisk is to disable chan_sip. If chan_sip is being used, the system must be upgraded to a version that has this issue resolved” (Moldenauer, 2007).
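The two halves of that fix (store nothing when history is disabled, cap the per-dialog history when it is enabled) bound the memory a never-ending dialog can consume. The model below is an added example, not Asterisk's code: the 50-entry cap and the 88-byte maximum entry size are taken from the advisory text, while the dialog and event representation is an assumption for illustration.

```python
"""Bounded per-dialog history, modelling the chan_sip fix: nothing is stored
when recording is off, and at most MAX_HISTORY entries are kept when it is on.
Added example, not Asterisk's code. 50 and 88 come from the advisory; the
SipDialog/event modelling is an assumption."""
from collections import deque

MAX_HISTORY = 50          # cap introduced by the fix
MAX_ENTRY_BYTES = 88      # maximum size of one history entry, per the advisory


class SipDialog:
    def __init__(self, call_id, record_history=False):
        self.call_id = call_id
        self.record_history = record_history
        # deque(maxlen=...) discards the oldest entry once the cap is hit,
        # so a dialog that never ends cannot grow without bound.
        self._history = deque(maxlen=MAX_HISTORY)
        self.dropped = 0  # entries discarded because of the cap

    def record(self, event):
        """Append a history entry; return True only if it was stored."""
        if not self.record_history:
            return False                      # pre-fix code stored it anyway
        if len(self._history) == MAX_HISTORY:
            self.dropped += 1
        self._history.append(event[:MAX_ENTRY_BYTES])
        return True

    def history_len(self):
        return len(self._history)

    def history_bytes_upper_bound(self):
        return len(self._history) * MAX_ENTRY_BYTES


def worst_case_bytes_per_dialog(entries=MAX_HISTORY):
    """Memory the fixed code can spend on history for one dialog."""
    return entries * MAX_ENTRY_BYTES


def simulate_never_ending_dialog(n_events, record_history):
    """Feed n_events history events into one dialog (the pattern the advisory
    describes) and return (entries kept, byte bound, entries dropped)."""
    dialog = SipDialog("constructed-call-id@10.0.0.5", record_history)
    for i in range(n_events):
        dialog.record(f"Rx: OPTIONS sip:201@10.0.0.1 cseq={i}")
    return dialog.history_len(), dialog.history_bytes_upper_bound(), dialog.dropped

if __name__ == "__main__":
    print("history off:", simulate_never_ending_dialog(10_000, False))
    print("history on: ", simulate_never_ending_dialog(10_000, True))
    print("worst case per dialog:", worst_case_bytes_per_dialog(), "bytes")
```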


V. Session Initiation Protocol (SIP)

SIP is an application layer protocol used for establishing, manipulating, and tearing down call sessions between one or more callers. SIP does not carry the voice audio itself from the source caller to the destination. Similar to how a website is identified by its URL (Uniform Resource Locator), a user or caller is identified by his URI (Uniform Resource Identifier). There is a general format of a URI:

sip:user:password@host:port;uri-parameters?headers

The SIP URI is important to know and understand since the modification and insertion of URIs into the SIP ‘From:’ header will be brought up later on. Some examples of URIs that one would find registered to a SIP proxy server are the following:

• SIP:robert@london.com
• SIP:8411234567@whoami.com
• SIP:robert:secretword@london.com;transport=tcp
• SIP:+1-841-123-4567:1234@gateway.com;user=phone
• SIP:robert@147.16.15.7:5060
• SIP:london.com;method=REGISTER?to=robert%40london.com
• SIP:robert;day=friday@london.com

(Endler, 2007)
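A parser for that general form, exercised on the example URIs above, is the natural first step toward validating the From: header before trusting its contents. It is an added example, not the paper's code; it assumes the fourth example carries a password (sip:+1-841-123-4567:1234@gateway.com), handles IPv6 hosts only in bracketed form, and leaves percent-escapes undecoded.

```python
"""Strict parser for sip:user:password@host:port;uri-parameters?headers.
Added example, not the paper's code. Assumes bracketed IPv6 hosts and leaves
%-escapes as-is; the example URIs come from the list above."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SipUri:
    scheme: str
    user: Optional[str]
    password: Optional[str]
    host: str
    port: Optional[int]
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SCHEME_RE = re.compile(r"^(sips?):(.+)$", re.IGNORECASE)
# hostname / dotted IPv4, or a bracketed IPv6 literal
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*|\[[0-9A-Fa-f:.]+\])$")


def _split_kv(segment, sep):
    """'a=1;b' -> {'a': '1', 'b': None}; keys are case-insensitive."""
    out = {}
    for item in segment.split(sep):
        if item:
            key, eq, value = item.partition("=")
            out[key.lower()] = value if eq else None
    return out


def parse_sip_uri(text):
    m = SCHEME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {text!r}")
    scheme, rest = m.group(1).lower(), m.group(2)

    rest, _, header_part = rest.partition("?")      # headers follow '?'
    user = password = None
    if "@" in rest:                                 # '@' is not allowed in user
        userinfo, _, rest = rest.partition("@")
        user, colon, password = userinfo.partition(":")
        if not colon:
            password = None
        if not user:
            raise ValueError("empty user before '@'")

    hostport, _, param_part = rest.partition(";")   # uri-parameters follow ';'
    if hostport.startswith("["):
        host, _, port_str = hostport.partition("]")
        host, port_str = host + "]", port_str.lstrip(":")
    else:
        host, _, port_str = hostport.partition(":")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")

    port = None
    if port_str:
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            raise ValueError(f"invalid port: {port_str!r}")
        port = int(port_str)

    return SipUri(scheme, user, password, host, port,
                  _split_kv(param_part, ";"), _split_kv(header_part, "&"))


EXAMPLE_URIS = [
    "SIP:robert@london.com",
    "SIP:8411234567@whoami.com",
    "SIP:robert:secretword@london.com;transport=tcp",
    "SIP:+1-841-123-4567:1234@gateway.com;user=phone",
    "SIP:robert@147.16.15.7:5060",
    "SIP:london.com;method=REGISTER?to=robert%40london.com",
    "SIP:robert;day=friday@london.com",
]

if __name__ == "__main__":
    for uri in EXAMPLE_URIS:
        print(parse_sip_uri(uri))
```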

Before discussing how SIP is used, the devices necessary, and a typical call flow, the various elements of SIP architecture must be identified:

• User Agents (UA) – Any client application or device that initiates a SIP connection, such as an IP phone, PC softphone, PC instant messaging client, or mobile device. The user agent can also be a gateway that interacts with the PSTN.


• Proxy Server – A proxy server is a server that receives SIP requests from various user agents and routes them to the appropriate next hop. A typical call traverses at least two proxies before reaching the intended callee.
• Redirect Server – Sometimes it is better to offload the processing load on proxy servers by introducing a redirect server. A redirect server directs incoming requests from other clients to contact an alternate set of URIs.
• Registrar Server – A server that processes the REGISTER requests. The registrar processes REGISTER requests from users and maps their SIP URI to their current location (IP address, username, port, etc.). For instance, sip:bill@abchacksus.com might be mapped to something like sip:bill@192.168.1.100:5060.
• Location server – The location server is used by a redirect server or a proxy server to find the destination caller’s possible location. This function is most often performed by the registrar server. (Endler, 2007)

It is important to identify all the various elements in a SIP infrastructure and understand their designed functionality, because an attacker could potentially exploit vulnerabilities in one element to further attack other elements. Please view the following diagram for a visual representation of all possible SIP VoIP resources that can be deployed in an environment. This diagram also shows a high availability (HA) firewall solution that is not necessary for successful use of SIP, but is a best practice for greater availability of data and VoIP resources:

Visual Example:


Figure 18

Some of the most popular VoIP PBXs that implement SIP are Asterisk and SIP Express Router (SER). Since SIP responses (RFC 2543) are very similar to HTTP response codes, it is easier to send stimulus traffic and identify the response when enumerating a SIP VoIP network. Just as there are various TCP flags that are used in building a connection and exchanging data, SIP implements various request types to build a session:

SIP Requests – RFC 3261

• INVITE – Initiates a conversation.
• BYE – Terminates an existing connection between 2 users in a session.
• OPTIONS – Determines the SIP messages and codecs that the UA or server understands.
• REGISTER – Registers a location from a SIP user.


• ACK – Acknowledges a response from an INVITE request.
• CANCEL – Cancels a pending INVITE request, but does not stop completed connections (ex: stops call setup if the phone is still ringing).
• REFER – Transfers calls and contacts to external resources.
• SUBSCRIBE – Indicates the desire for future NOTIFY requests.
• NOTIFY – Provides info about a state change that is not related to a specific session.

Now that all the types of SIP requests have been noted, some of the above SIP requests can be modified and tested to enumerate SIP resources for the purpose of gaining a working knowledge of valid target usernames or extensions.

Something to keep in mind when enumerating valid and invalid extensions in a VoIP infrastructure is that some SIP proxy servers may respond slightly differently from others to stimulus test messages. For example, the SIP Express Router or ‘SER’ may respond to stimulus with a different SIP error code than an Asterisk VoIP PBX running as a SIP proxy would. When a SIP UA connects to a network, the first thing it does is send REGISTER messages to register with the SIP proxy or registrar server so that the SIP proxy can be queried by other SIP UAs trying to find the new UA, and provide location information to route the calls. Included in this register message is the VoIP phone’s IP address as provided by DHCP. This registration process is worth probing/enumerating so as to identify what extensions/usernames are available. The risk here is that a malicious user could connect an unauthorized SIP phone/UA to the network, identify an authorized extension/username by using an automated REGISTER scanning tool, and register as one of the valid extensions to gain full calling privileges. Not only would there be an unauthorized UA registered with the SIP proxy, but the attacker


would be impersonating an organization’s employee/UA phone while attacking other resources. This is referred to as REGISTER hijacking, and will be discussed in greater detail shortly.

Another method of identifying usernames/extensions is to perform INVITE username enumeration. However, before discussing that, the SIP INVITE call flow must be understood. The following is a simple diagram that depicts INVITE call flow. The diagram is simple because real world deployments would likely have the SIP messages traversing multiple SIP proxies:

Figure 19 (http://www.packetizer.com/voip/sip/papers/understanding_sip_voip/sip_call_flow.png)

"INVITE scanning is the noisiest and least stealthy method for SIP username enumeration because it involves actually ringing the target's phones. Even after normal business hours, missed calls are usually logged on the phones and on the target SIP proxy, so there's a fair amount of trace back evidence left behind" (Endler, 2007).


As such, INVITE username enumeration queries the SIP proxy to identify username/extension formatting, and to identify which legitimate users are already registered. If the URI of the UA you are sending INVITE messages to doesn’t exist, or isn’t registered, then the SIP proxy would respond to your request with a ‘SIP/2.0 404 Not Found’ response (similar to browsing to a web page that no longer exists).

Another type of enumeration scan available is an OPTIONS scan. SIP OPTIONS messages are used to determine the SIP messages and codecs that the UA or server understands. So if an attacker crafts these OPTIONS message packets targeted to a given UA, and the UA is registered, the attacker would receive a SIP ‘200’ code response as well as the information as to what SIP messages and codecs the target supports. SIPSCAN, which is one of the SIP username enumerating freeware tools found on the VoIPSA website, is a great tool for performing the above enumerations.

Going back to the REGISTER username enumeration section above, REGISTER hijacking would allow an unauthorized UA to impersonate an authorized UA, and would cause inbound calls to the authorized UA to be routed to the unauthorized UA, as well as providing full calling privileges. Now that the unauthorized UA is registered, it then could be used for VoIP vishing or SPIT attacks. The diagram below depicts the REGISTER hijacking scenario.


Figure 20 (Collier, 2005)

These REGISTER hijacking attacks can be mitigated by only implementing SIP proxies or registrars that challenge REGISTER requests for passwords and use at least MD5, but preferably SHA1, authentication. The authentication measures outlined in RFC 4474 as well as the following steps should be taken to prevent REGISTER hijacking:

• Detect and alert upon directory scanning attempts.
• Detect and alert upon any failed authentication attempts; specifically upon any attempts to use dictionaries to guess passwords. Thresholding failed logons at 5x, 10x, 20x, and 50x is suggested to prevent false positives.
• Log all REGISTER requests.
• Alert upon any unusual pattern of REGISTER requests.
• If the UAs being used do not ever use a REGISTER request to remove valid contacts, detect and block any use of this request.
• Limit REGISTER requests to an established user ‘white list’.


• Act as a proxy and provide strong authentication for registrars that lack the ability to do so themselves. (Collier, 2005)
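The detection items in that list can be implemented over a registrar's REGISTER log. The monitor below is an added example, not the paper's or any vendor's code: it counts failed authentications per source and alerts exactly when the 5x, 10x, 20x and 50x thresholds are crossed, alerts on users outside the whitelist, alerts when one source tries many distinct users (directory scanning), and alerts on contact removal (expires=0) under a policy that UAs never do that. The log line format, the whitelist, the distinct-user threshold and the sample log are constructed assumptions.

```python
"""Detection logic for the REGISTER-hijacking mitigations, run over constructed
registrar log lines. Added example, not the paper's or a vendor's code. The log
format, whitelist and directory-scan threshold are assumptions; 5/10/20/50 are
the failed-logon thresholds the paper suggests."""
import re
from collections import defaultdict

FAILED_LOGON_THRESHOLDS = (5, 10, 20, 50)
DISTINCT_USERS_SCAN_THRESHOLD = 5   # assumption: distinct users tried per source
UAS_NEVER_REMOVE_CONTACTS = True    # site policy assumption from the list above

# Constructed log format:
#   <ts> REGISTER src=<ip> user=<ext> result=<OK|AUTH_FAILED|UNKNOWN_USER> expires=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) expires=(?P<expires>\d+)$"
)


class RegisterMonitor:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.failed = defaultdict(int)        # src -> failed auth count
        self.users_tried = defaultdict(set)   # src -> distinct users seen
        self.alerts = []                      # (kind, src, detail) in order

    def _alert(self, kind, src, detail):
        self.alerts.append((kind, src, detail))

    def feed(self, line):
        """Process one log line; return the parsed fields or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            self._alert("unparseable", "?", line.strip())   # every REGISTER must be logged
            return None
        src, user, result = m["src"], m["user"], m["result"]
        expires = int(m["expires"])

        if user not in self.whitelist:
            self._alert("not-whitelisted", src, user)
        self.users_tried[src].add(user)
        if len(self.users_tried[src]) == DISTINCT_USERS_SCAN_THRESHOLD:
            self._alert("directory-scan", src,
                        f"{DISTINCT_USERS_SCAN_THRESHOLD} distinct users")
        if result != "OK":
            self.failed[src] += 1
            # alert only at the thresholds, not on every failure
            if self.failed[src] in FAILED_LOGON_THRESHOLDS:
                self._alert("failed-auth", src, f"{self.failed[src]} failures")
        if expires == 0 and UAS_NEVER_REMOVE_CONTACTS:
            self._alert("contact-removal", src, user)
        return m.groupdict()


# Constructed sample log: one host works through a list of extensions,
# one legitimate phone registers and then de-registers its contact.
SAMPLE_LOG = """\
2007-10-02T09:14:01 REGISTER src=10.0.0.20 user=2010 result=OK expires=3600
2007-10-02T09:14:05 REGISTER src=10.0.0.99 user=2001 result=AUTH_FAILED expires=3600
2007-10-02T09:14:05 REGISTER src=10.0.0.99 user=2002 result=AUTH_FAILED expires=3600
2007-10-02T09:14:06 REGISTER src=10.0.0.99 user=2003 result=AUTH_FAILED expires=3600
2007-10-02T09:14:06 REGISTER src=10.0.0.99 user=2004 result=AUTH_FAILED expires=3600
2007-10-02T09:14:07 REGISTER src=10.0.0.99 user=2005 result=AUTH_FAILED expires=3600
2007-10-02T09:14:07 REGISTER src=10.0.0.99 user=9999 result=UNKNOWN_USER expires=3600
2007-10-02T09:15:00 REGISTER src=10.0.0.20 user=2010 result=OK expires=0
"""
WHITELIST = ["2001", "2002", "2003", "2004", "2005", "2010"]


def run(log_text=SAMPLE_LOG, whitelist=WHITELIST):
    """Feed every line to a fresh monitor and return the alerts raised."""
    mon = RegisterMonitor(whitelist)
    for line in log_text.splitlines():
        mon.feed(line)
    return mon.alerts

if __name__ == "__main__":
    for alert in run():
        print(*alert)
```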

Just like data network intrusion detection/prevention systems have been broadly implemented to gain ‘vision’ into and secure an organization’s networks, so too have VoIP network intrusion detection/prevention systems been deployed. VoIP IDS/IPS also contain VoIP signatures that could detect the broad and noisy REGISTER, INVITE, and OPTIONS scanning. These VoIP IDSs can have all VoIP packets copied to the IDS sniffing interface via a SPAN session. Or the VoIP IDS could be placed inline with the VoIP packets coming into a SIP proxy server and on a SIP trunk line going to an ITSP. There are a number of vendors and VoIP managed security service providers competing with various solutions:

• SecureLogix – www.securelogix.com
• Sipera – www.sipera.com
• Ingate – www.ingate.com
• Borderware – www.borderware.com

This then leads into how an organization’s VoIP infrastructure securely connects to the rest of the world so that an organization can call outbound, and the world can call inbound, instead of just having calls placed internally. An organization can connect its SIP VoIP infrastructure to an ITSP via a SIP trunk, and have that SIP trunk terminate into some sort of SIP-capable firewall or edge device.

“SIP trunk security is essential for the protection of VoIP networks. Many enterprises deploy SIP trunks to save money by peering the enterprise VoIP network with the carrier network. Rather than using the PSTN, these enterprises use


the same connection for all their communication. Enterprises may also use SIP trunks to create federations between themselves and peer their VoIP networks with each other to bypass the carrier altogether. These SIP trunks are vulnerable to standard signaling and media security issues, but are susceptible to demarcation and peering issues as well. More potential threats can exist as enterprises federate and trust others to provide authentication” (Sipera, 2006)

Please review the following diagram:

Figure 21 (Sipera, 2006)

The diagram above is a ‘mile high’ look into the SIP trunk connectivity between an organization and the ITSP, as well as Sipera’s SIP trunk security solution. It is more secure for an ITSP that an organization would buy VoIP SIP trunk service from


to route the traffic from SIP trunks through the provider’s backbone networks and not the public Internet. It is at the VoIP IDS/IPS where media and signaling manipulation can be detected with proper VoIP IDS signatures, and a malicious internal or external host could be ‘shunned’ or temporarily blocked. As an added bonus the Sipera IPCS solution provides a VoIP VPN where, realistically speaking, a teleworker working from home with a VoIP phone could dial an organization’s internal extensions and have the SIP session established between callers, with the SRTP voice stream and SRTCP control to follow. It’s important to remember that even though the VoIP call between the teleworker’s VoIP phone and the organization’s SIP firewall/VPN/edge device is encrypted and authenticated, without SIP-TLS and SRTP being used, once the VoIP packets are decrypted and routed internally in the organization, they would be sent in clear text and could still fall to internal attacks. Thus the need for end-to-end encryption and authentication still remains.

If an organization decides not to use a SIP trunk to connect to an ITSP along with other organizations, then to connect and translate its internal VoIP infrastructure to the PSTN, it must use a Media Gateway Controller (MGC). Conversely, it is also at that point where external callers’ voice/signaling gets translated and forwarded to the SIP proxy. Media gateway controllers mostly use the Media Gateway Control Protocol, which complements SIP (Techfaq, 2006). A media gateway could be a Cisco IOS router with analog or digital voice ports. Media gateway controllers can be classified depending on the connectivity they provide. For example, a media gateway controller that terminates trunks connecting to the telephone network can be referred to as a trunking gateway. However, further discussion of the issues


involved in signaling translation with media gateway controllers and MGCP can be found by reading RFC 3435.

A SIP session must be established before the calling parties begin exchanging RTP media (audio voice) and RTCP (control) packets. Information on how to initiate RTP streams (exchange voice) between callers is provided in SDP (Session Description Protocol) messages, which are exchanged among SIP UAs during call session establishment.

As an example of identifying running VoIP services by using NMAP to target a VoIP SIP proxy server, I installed freeware IP PBX VoIP software on a test Windows host. The freeware program used for testing was 3CX VoIP, which can be found at http://www.3cx.com/VOIP/voip-phone.html. The following is a screenshot of a short NMAP scan performed from one host against the dummy Windows XP x64 host running the 3CX SIP proxy server:

Figure 22

For the test to verify if the SIP VoIP ports 5060/tcp and 5061/tcp were open, I performed a simple NMAP SYN scan, which only sends TCP packets to ports 5060 and 5061 with the SYN flag


set. For this test, on the SIP proxy server's host-based firewall, I explicitly permitted inbound TCP packets to port 5060, but blocked port SIP-TLS: 5061/tcp. As you can see from the scan, port 5060/tcp is open and 5061/tcp is not. To delve deeper into NMAP scanning of VoIP devices, an attacker can perform an NMAP scan with 'stack fingerprinting', that is, attempting to identify the OS running on the target IP. For example, there may be a case where an attacker would NMAP scan a SIP proxy server running SIP Express Router to identify the underlying OS. Following the example, let us say that the attacker was able to determine the SIP Express Router version, and saw that it was patched with the latest updates. However the attacker also found SSH port 22/tcp open during his reconnaissance, and there may have been a recent vulnerability made public about the way Linux distribution 'x' handles SSH connection attempts. If the attacker could successfully exploit the SSH vulnerability on the SIP server and gain control of it, then he has bypassed having to exploit any vulnerabilities in the VoIP SIP application itself.

The spoofing of caller ID numbers, as discussed earlier, has been occurring for some time now with POTS phones and PBXs through the PSTN. However as VoIP deployments have increased both in homes and organizations, so too has VoIP caller ID spoofing become more prevalent. Spoofing one's caller ID is similar to spoofing one's source IP address in that the action is not actually an attack. However it is meant to obfuscate the true source of what is to come. As mentioned above, there are SIP INVITE messages, and in those messages exists a From: URI header. The following is an example of a made-up From header:

From: IRS Government <sip:18773879134@irs.gov>;tag=2398576017


It is the "IRS Government" portion that would be seen on the destination caller's caller ID screen. Some freeware tools on the Internet that would allow you to modify the 'From:' header to spoof your caller ID are 'Inviteflood', 'Spitter', and 'SiVuS'.

"RFC 3261 requires support for digest authentication. When coupled with the use of TLS between each SIP user agent and SIP proxy, digest authentication can be used to securely authenticate the user agent. Next, when this user agent sends a call to another domain, its identity can be asserted. This approach enhances authentication, but only provides hop-by-hop security, and it breaks down if any participating proxy does not support TLS and/or is not trusted." (Endler, 2007).

SIP-TLS: 5061/tcp is used for encrypted SIP messages between SIP elements in a VoIP infrastructure. RFC 4474 also discusses end-to-end encryption and authentication in greater detail. It details establishing an authentication service that would assure the destination callers that the person calling them was authorized to populate the 'From:' header with the 'return address' URI. This authentication would take place from the initial INVITE request, by a possible authentication proxy server or by a SIP proxy server also performing this role. A hash function would be performed on the 'From:' header field and other headers. The hash would be signed with the digital certificate, and the information would be stored in a new SIP header field called the 'Identity' header. Along with that, an additional header called 'Identity-Info' informs the destination caller how to acquire the signing certificate used (Peterson, Jennings, 2006). Please view appendix one in the appendix section at the end of this report for a detailed example. While these proposals would be effective, providing much greater authentication, this would have


to be implemented across all organizations, service providers, governments, etc., to be effective. This is similar to DNSSEC, whereby security proposals and functionality exist, however they are not implemented on the large scale necessary to be effective.
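As an added example (not from the paper, and not the reference implementation of RFC 4474), the following Go code shows the mechanism described above: the authentication service signs the RFC 4474 digest-string of an INVITE into an Identity header, and the callee verifies it, so that a rewritten From URI such as the made-up irs.gov one fails the check. The key pair, URIs and headers are hypothetical, and fetching the certificate named by Identity-Info is left to the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// InviteFields holds the parts of an INVITE that the RFC 4474 Identity
// signature covers. Only the addr-spec (the <sip:...> part) of From, To and
// Contact is signed: a display name such as "IRS Government" is not itself
// protected, but the domain that vouched for the From URI is.
type InviteFields struct {
	FromURI    string // addr-spec of From, e.g. sip:alice@example.com (hypothetical)
	ToURI      string // addr-spec of To
	CallID     string
	CSeq       string // e.g. "314159 INVITE"
	Date       string // SIP-date
	ContactURI string // addr-spec of Contact
	Body       string // the SDP body, "" if none
}

// digestString builds the RFC 4474 section 9 digest-string:
// From | To | Call-ID | CSeq | Date | Contact | body.
func digestString(f InviteFields) string {
	return strings.Join([]string{f.FromURI, f.ToURI, f.CallID, f.CSeq,
		f.Date, f.ContactURI, f.Body}, "|")
}

// SignIdentity is the authentication service's step: once the originating
// proxy has digest-authenticated the UA, it hashes the digest-string with
// SHA-1, signs it with the domain's RSA key (alg=rsa-sha1) and returns the
// base64 value that goes into the Identity header.
func SignIdentity(priv *rsa.PrivateKey, f InviteFields) (string, error) {
	sum := sha1.Sum([]byte(digestString(f)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, sum[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyIdentity is the callee's (or its proxy's) step. pub comes from the
// certificate fetched via the Identity-Info header; the verifier must also
// check that the certificate was issued for the From URI's domain, which is
// left to the caller here.
func VerifyIdentity(pub *rsa.PublicKey, f InviteFields, identity string) bool {
	sig, err := base64.StdEncoding.DecodeString(identity)
	if err != nil {
		return false
	}
	sum := sha1.Sum([]byte(digestString(f)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, sum[:], sig) == nil
}

// IdentityDemo signs a constructed INVITE for a hypothetical domain, then
// shows that rewriting the From URI (caller ID spoofing) breaks the signature.
// It returns whether the genuine and the spoofed INVITE verify.
func IdentityDemo() (genuineOK, spoofedOK bool, err error) {
	// Constructed key for the hypothetical example.com authentication service.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	genuine := InviteFields{
		FromURI:    "sip:alice@example.com",
		ToURI:      "sip:bob@example.net",
		CallID:     "a84b4c76e66710@pc33.example.com",
		CSeq:       "314159 INVITE",
		Date:       "Thu, 21 Feb 2002 13:02:03 GMT",
		ContactURI: "sip:alice@pc33.example.com",
		Body:       "v=0\r\no=alice 2890844526 2890844526 IN IP4 pc33.example.com\r\n",
	}
	identity, err := SignIdentity(priv, genuine)
	if err != nil {
		return false, false, err
	}
	genuineOK = VerifyIdentity(&priv.PublicKey, genuine, identity)

	// A rogue proxy replays the signed INVITE with the page's made-up From URI
	// but holds no key for example.com, so the Identity header no longer matches.
	spoofed := genuine
	spoofed.FromURI = "sip:18773879134@irs.gov"
	spoofedOK = VerifyIdentity(&priv.PublicKey, spoofed, identity)
	return genuineOK, spoofedOK, nil
}

func main() {
	g, s, err := IdentityDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine INVITE verifies: %v, spoofed From verifies: %v\n", g, s)
}
```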

There have been many issues regarding the NAT traversal of VoIP traffic. This has been particularly troublesome for SIP implementations, as NAT has been known to 'break' it, peer-to-peer applications, and others. This is in part due to VoIP protocols handling call signaling sufficiently, but then randomizing the port used to send the audio.

"At first, for both the calling and the called party everything will appear just fine. The called party will see the calling party's Caller ID and the telephone will ring while the calling party will hear a ringing feedback tone at the other end. When the called party picks up the telephone, both the ringing and the associated ringing feedback tone at the other end will stop as one would expect. However, the calling party will not hear the called party (one way audio) and the called party may not hear the calling party either (no audio)." (jht2, 2007)

This is also due to a VoIP phone user in one office wanting to call a VoIP phone user in a different office, with the packets traversing the Internet while NAT is being performed, and the source VoIP phone not knowing the publicly routable destination IP address/port to send packets to. Both VoIP phones are behind a NAT policy on the organization's firewall. A feasible, yet impractical solution would be to configure unique static one-to-one NAT translations for each of an organization's internally addressed VoIP phones. While this is possible, it is not practical for an organization that has multiple sites, with


hundreds of employees at each site, with each of them having their own VoIP phone. To perform such an impractical solution on such a large scale would require an organization to secure multiple class B sized public addressed networks (or at least multiple contiguous class C networks supernetted together). As such, workarounds such as STUN, TURN, and B2BUA were designed. However it turns out that STUN (Simple Traversal of User Datagram Protocol through NAT), TURN (Traversal Using Relay NAT), and other such protocols used individually do not solve the UDP NAT traversal problem.

"Interactive Connectivity Establishment (ICE) is a technique for NAT traversal for UDP-based media streams (though ICE can be extended to handle other transport protocols, such as TCP [I-D.ietf-mmusic-ice-tcp]) established by the offer/answer model. ICE is an extension to the offer/answer model, and works by including a multiplicity of IP addresses and ports in SDP offers and answers, which are then tested for connectivity by peer-to-peer connectivity checks. The IP addresses and ports included in the SDP and the connectivity checks are performed using STUN and TURN" (Rosenberg, 2007) – Work in progress.

ICE, STUN, and/or TURN servers sit in an organization's DMZ and try to identify what the publicly NAT'd IP/port is for an internal VoIP phone sending outbound traffic. A strong backing for the universal use of ICE was provided when Microsoft and Cisco announced their support for it (Unknown, 2005). Essentially ICE tries to find as many sockets or 'candidates' (IP/port combinations) as can be used to route traffic between the two VoIP phones. It does this by performing STUN connectivity checks of the 'candidates'. Thankfully each STUN connectivity check is


authenticated with a message authentication code (hash) computed using a key exchanged in the signaling channel. If not for that, this process would open itself up to multiple vulnerabilities that can be exploited in a variety of ways, by an attacker fooling user agents about the candidates, essentially hijacking the process:

• False Invalid

An attacker can fool a pair of agents into thinking a candidate pair is invalid, when it isn't. This can be used to cause an agent to prefer a different candidate (such as one injected by the attacker), or to disrupt a call by forcing all candidates to fail.

• False Valid

An attacker can fool a pair of agents into thinking a candidate pair is valid, when it isn't. This can cause an agent to proceed with a session, but then not be able to receive any media.

• False Peer-Reflexive Candidate

An attacker can cause an agent to discover a new peer reflexive candidate, when it shouldn't have. This can be used to redirect media streams to a DoS target or to the attacker, for eavesdropping or other purposes.

(Rosenberg, 2007) – Work in progress.
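As an added example (not from the paper or the ICE draft), this Go code builds a STUN Binding Request the way an ICE connectivity check does and verifies its MESSAGE-INTEGRITY attribute, the HMAC-SHA1 keyed with the ice-pwd exchanged in the SDP (RFC 5389 encoding). The username, password and priority are constructed values; a check whose PRIORITY has been altered in transit, the kind of candidate tampering listed above, is rejected because the forger does not hold the key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	stunMagicCookie      = 0x2112A442
	stunBindingRequest   = 0x0001
	attrUsername         = 0x0006
	attrMessageIntegrity = 0x0008
	attrPriority         = 0x0024 // ICE PRIORITY attribute
)

// appendAttr appends a STUN TLV attribute, padding the value to 4 bytes.
func appendAttr(msg []byte, typ uint16, value []byte) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint16(hdr[0:], typ)
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(value)))
	msg = append(msg, hdr[:]...)
	msg = append(msg, value...)
	for len(msg)%4 != 0 {
		msg = append(msg, 0)
	}
	return msg
}

// setLength writes n into the 16-bit length field of the STUN header.
func setLength(msg []byte, n int) {
	binary.BigEndian.PutUint16(msg[2:4], uint16(n))
}

// BuildBindingRequest builds an ICE connectivity check: a STUN Binding
// Request carrying USERNAME ("remote-ufrag:local-ufrag"), PRIORITY and a
// MESSAGE-INTEGRITY attribute keyed with the peer's ice-pwd from the SDP.
func BuildBindingRequest(username string, priority uint32, key []byte) ([]byte, error) {
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:], stunBindingRequest)
	binary.BigEndian.PutUint32(msg[4:], stunMagicCookie)
	if _, err := rand.Read(msg[8:20]); err != nil { // 96-bit transaction ID
		return nil, err
	}
	msg = appendAttr(msg, attrUsername, []byte(username))
	var prio [4]byte
	binary.BigEndian.PutUint32(prio[:], priority)
	msg = appendAttr(msg, attrPriority, prio[:])
	// RFC 5389 15.4: the HMAC-SHA1 covers every byte before MESSAGE-INTEGRITY,
	// with the header length field already counting the 24-byte attribute.
	setLength(msg, len(msg)-20+24)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg)
	return appendAttr(msg, attrMessageIntegrity, mac.Sum(nil)), nil
}

// VerifyMessageIntegrity walks the attributes, recomputes the HMAC with the
// local ice-pwd and compares it in constant time. A failing check must be
// dropped: it is either a forged candidate or a message keyed differently.
func VerifyMessageIntegrity(msg, key []byte) error {
	if len(msg) < 20 || binary.BigEndian.Uint32(msg[4:8]) != stunMagicCookie {
		return errors.New("not a STUN message")
	}
	length := int(binary.BigEndian.Uint16(msg[2:4]))
	if 20+length > len(msg) {
		return errors.New("length field exceeds message")
	}
	for off := 20; off+4 <= 20+length; {
		typ := binary.BigEndian.Uint16(msg[off:])
		alen := int(binary.BigEndian.Uint16(msg[off+2:]))
		end := off + 4 + alen
		if end > 20+length {
			return errors.New("attribute overruns message")
		}
		if typ == attrMessageIntegrity {
			if alen != sha1.Size {
				return errors.New("bad MESSAGE-INTEGRITY length")
			}
			covered := make([]byte, off)
			copy(covered, msg[:off])
			setLength(covered, off-20+24) // same length the sender signed over
			mac := hmac.New(sha1.New, key)
			mac.Write(covered)
			if !hmac.Equal(mac.Sum(nil), msg[off+4:end]) {
				return errors.New("MESSAGE-INTEGRITY mismatch")
			}
			return nil
		}
		off = end + (4-alen%4)%4 // skip padding
	}
	return errors.New("no MESSAGE-INTEGRITY attribute")
}

// StunDemo builds a check for a constructed ICE session and verifies it, then
// flips one byte of PRIORITY (an attacker steering candidate selection) and
// shows the check is rejected. It returns both verification results.
func StunDemo() (genuine, tampered error) {
	key := []byte("asd88fgpdd777uzjYhagZg") // constructed ice-pwd from the peer's SDP
	msg, err := BuildBindingRequest("9uB6:8hhY", 1845501695, key)
	if err != nil {
		return err, err
	}
	genuine = VerifyMessageIntegrity(msg, key)
	forged := append([]byte(nil), msg...)
	forged[43] ^= 0x01 // last PRIORITY byte: header 20 + USERNAME 16 + attr hdr 4 + 3
	tampered = VerifyMessageIntegrity(forged, key)
	return genuine, tampered
}

func main() {
	g, t := StunDemo()
	fmt.Printf("genuine check: %v, tampered check: %v\n", g, t)
}
```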

A cheaper and easier method of circumventing the VoIP UDP NAT traversal problem is to configure an organization's SIP proxy in B2BUA (Back-to-Back User Agent) mode. Basically, instead of the SIP proxy, which sits in the DMZ with a publicly routable IP address, only building sessions for UAs and then backing off, the


SIP proxy will turn into a UA itself. To the source UA the SIP proxy will still provide the same services of accepting REGISTER, INVITE, and OPTIONS messages. However the SIP proxy will actually proxy the RTP and RTCP sessions to the destination SIP proxy. In that process, the external interface of the SIP proxy acts as a UA, essentially pretending to be the VoIP phone calling itself. The destination B2BUA-configured SIP proxy, which also sits in the DMZ with a publicly routable IP address, accepts the proxied RTP and RTCP sessions from the source, since they were defined earlier in the SDP messages of the SIP session. After the destination B2BUA SIP proxy receives the RTP and RTCP streams, it then acts as just a SIP proxy again and forwards the voice and control traffic to the destination VoIP phone. The following is a diagram depicting the explained functionality:

Figure 23

(http://blog.lithiumblue.com/2007/07/understanding-relationship-between-sip.html)

This leads to SIP rogue application attacks. "By tricking SIP proxies and SIP phones into talking to rogue applications it is possible to view and modify both signaling and media…

• Rogue SIP B2BUA

A rogue application that performed like a UA. This application can get between a SIP proxy and a SIP phone or two SIP phones.

• Rogue SIP proxy


A rogue application that performs like a SIP proxy. This application can get between a SIP proxy and a SIP phone or two SIP proxies." (Endler, 2007).

As explained earlier, since a SIP B2BUA handles both signaling and media (SIP, RTP, RTCP), the device is inline with the data, allowing it to sniff and modify traffic. This is of course if SIP-TLS for encryption and authentication isn't used for all SIP resources. While this is a threat if an attacker could silence (via DoS, etc.) the legitimate SIP proxy that handles sessions between two UAs in a network, this threat is especially dangerous if the rogue SIP proxy is placed inline between two other SIP proxies, provided they don't encrypt and authenticate traffic. This would then allow the attacker controlling the rogue SIP proxy to track, listen to, tear down, or even redirect calls to vishing voicemail systems. The following is a diagram of only the rogue SIP proxy within a VoIP network scenario:


Figure 24

To research VoIP SIP hard phone vulnerabilities associated with specific hard phones, I purchased two Grandstream BudgeTone 102 (BT-102) VoIP phones that support SIP, with firmware version 1.0.8.33. These VoIP phones provide the following:

• SIP 2.0 (RFC 3261), TCP/UDP/IP, RTP/RTCP, HTTP, ICMP, ARP/RARP, DNS, DHCP, NTP, PPPoE, STUN, TFTP, etc.

• Support standard encryption and authentication (DIGEST using MD5, MD5-sess)

• Support for Layer 2 (802.1Q VLAN, 802.1p) and Layer 3 QoS (ToS, DiffServ, MPLS)

• Support automated NAT traversal without manual manipulation of firewall/NAT

• Provide easy configuration through manual operation (phone keypad), Web interface or automated centralized configuration file via TFTP or HTTP.


• Support firmware upgrade via TFTP or HTTP. (Grandstream, 2005)

Both phones come with two RJ-45 Ethernet interfaces. I connected the two phones to my Belkin SOHO Wi-Fi router/switch. Upon bootup, as expected, the phones were broadcasting DHCP Discover packets to request an IP address; however I had to explicitly permit the phones' MAC addresses on the router while maintaining MAC address filtering. Navigating through the LCD menu I was able to verify that the VoIP phones had been assigned an IP address, as well as see the subnet mask, DNS server, and default gateway configured. Upon identifying the IP addresses of the phones, I immediately tested network connectivity via ICMP ping from a test PC on the LAN:

Figure 25

I also then ran various NMAP scans to verify the services/ports/versions that were open and running out of the box. I performed an NMAP SYN scan for all port numbers:


Figure 26

As you can see, a simple NMAP scan was able to identify the VoIP manufacturer, Grandstream. According to the GS-102 PDF manual, the two RJ-45 ports of the BT-102 are actually a 10Base-T mini-hub that allows the user to share or sniff the network using another data device like a PC. So the network cable from the PC connects into the 'PC' labeled interface on the phone, and the phone's network cable plugs into the 'LAN' labeled interface and on to the SOHO router/switch. Testing the hub functionality worked just fine. I plugged my test laptop into the VoIP phone, and the VoIP phone cable into my SOHO router/switch. I was able to immediately receive an IP address via DHCP, and then browse the web. To further test hub functionality, I started a Wireshark packet capture on the test laptop (192.168.2.2) that was plugged into the BT-102 VoIP phone (192.168.2.6) hub. I applied a packet capture filter for IP 192.168.2.6. From a different PC (192.168.2.5), I ran an NMAP X-mas scan (nmap -sX 192.168.1.6) against the BT-102 VoIP phone.


Figure 27

As you can see, the packet capture on laptop 192.168.2.2's interface saw the NMAP X-mas scan against the BT-102:


Figure 28

Since the NMAP scan showed the VoIP phone's HTTP service open with a web server running, I opened up my browser, entered the VoIP phone's IP address of 192.168.2.6 as the URL, and arrived at the HTTP logon prompt. A quick Google search for 'grandstream budgetone 102 password' showed the default Administrator password for the HTTP logon to be 'admin':

Figure 29

This page allows whoever has access to it to change the Administrator password, the SIP proxy server IP address (potentially to implement a rogue SIP proxy server), the outbound proxy IP address, etc. There is however a 'lock keypad update' feature that prevents a user from updating the phone configuration via the keypad. There was also a default user account that was created with the password 'user':


Figure 30

The user account had dramatically fewer configuration options, as one would expect. If the user's PC were to become infected by some sort of worm or other malware, an attacker could perform a Wireshark packet capture on the PC's interface and see all SIP and RTP traffic coming to the phone, since the phone's hub would simply send a copy of the Ethernet frame to the PC. This would allow the attacker to perform call pattern tracking, number harvesting, and conversation eavesdropping and/or analysis.

To set up an internal VoIP network I installed the 3CX VoIP SIP proxy server (http://www.3cx.com/phone-system/) on a test server. The following is a screenshot of the management GUI:


Figure 31

I also opened ports SIP: 5060/tcp and udp, and SIP-TLS: 5061/tcp and udp on the server's firewall to permit the SIP session building. I defined extensions 106 and 107 for the left and right phone respectively. After defining the SIP proxy IP address and SIP user IP, I was able to call from one VoIP extension to the other. While doing so, I also performed a packet capture so as to view the SIP messages as well as the RTP session between the two calls using the G.711 codec:

Figure 32

As you can see from the bidirectional RTP streams, ports 5004 were used for the RTP streams per IANA port specifications.


Figure 33

As you can see from figures 25 and 26, all sequence and SSRC (synchronization source identifier) numbers were sent in clear text.

Figure 34

To actually hear the RTP session, I installed and used Oreka (discussed above). Oreka also contained logs of the RTP session, and I was able to play the GSM audio formatted file and hear my voice, as well as the DTMF tones from phone numbers pressed, through my Winamp media player:

Oreka is a powerful tool. If an attacker were to compromise a PC with the same setup I tested, he could then upload Oreka to the infected host to capture call and audio logs. He could also then write a script to send the RTP stream and audio logs to his PC for listening and review.

I wanted to stress test the audio QoS of the VoIP phones while they were being heavily scanned. As such, I set up two test PCs to simultaneously perform inviteflood and Nessus scans against both BT-102 phones, NMAP -sX scans against both phones, and continual ICMP pings against both phones. The call was already set up before I began scanning both phones. I noticed a very small amount of static on the line during the scans; however it by no means made the voice clarity indiscernible. Unfortunately my limited resources (not enough PCs, small switch) limited the number of packets I could throw against these phones. To truly DoS or DDoS them, one would need a switch with at least 24 ports, with 22 of the hosts scanning the 2 BT-102 VoIP SIP phones.

VI. Skype

Skype is a softphone, which means it's a software VoIP application phone that runs on a PC. Skype, along with other softphones, requires either a headset or a microphone with speakers to have a successful conversation. However there are also many USB hard phones (corded and cordless) that can be plugged into a PC and will use the Skype application. Skype is not a good candidate for enterprise use since it communicates in a P2P fashion, similarly to the P2P KaZaA software (same founders). While some enterprise organizations may desire a softphone solution in a VoIP implementation, there are softphones made by large vendors, such as Cisco's IP Communicator, Avaya's IP Softphone, and 3Com's NBX softphone, that are better choices in terms of cost cutting and integration with other VoIP resources. A large benefit to opting for a separate VoIP hard phone as opposed to a softphone like Skype is the difference in security vulnerabilities. However Skype VoIP, like other forms of VoIP, has had the problem of UDP NAT traversal through firewalls.

As such, "Skype uses variants of STUN and TURN, which both facilitate communications between firewalled network address spaces (STUN and TURN discussed earlier). As stated earlier, if an attacker can compromise a user's PC with the plethora of attack tools freely available on the Internet, then anything running on that PC can virtually be considered compromised. In fact, some rootkits allow an attacker to turn on the victim's microphone on the compromised computer and record everything (even background noise)" (Endler, 2007).


What is of even greater concern is that with Skype, or any softphone for that matter, there is no longer a logical VLAN separation of VoIP and data resources (phones and PCs). With that being the case, an attacker could compromise a PC, then further compromise the PCs of other employees and listen in on their VoIP conversations. Skype's method of connecting calls also poses a tremendous security risk for all users, such as consumers, home users, and the employees in the enterprise.

"If direct communication from the caller fails, then the intended Skype recipient tries instead to connect back to the caller. If both attempts at direct connection fail, then other intermediate Skype users who are reachable by both hosts attempt to route the call. These relay hosts are called supernodes, and any Skype user may at any time be elevated to supernode status, according to the latest version of the Skype privacy agreement" (Endler, 2007).

Getting to the actual security of the calls being made, there have been concerns about the privacy of Skype-to-Skype and Skype-to-POTS calls. Dr. Tom Berson from Anagram Laboratories performed a review of Skype encryption.

"The cryptographic primitives used in Skype are: the AES block cipher, the RSA public-key cryptosystem, the ISO 9796-2 signature padding scheme, the SHA-1 hash function, and the RC4 stream cipher. Skype operates a certificate authority for user names and authorizations. Digital signatures created by this authority are the basis of identity in Skype. Skype nodes entering into a session correctly verify the identity of their peer. It is infeasible for an attacker to spoof a Skype identity at or below the session layer." (Berson, 2005).


While Skype's cryptosystem may be sufficiently secure to afford privacy for the masses, "researchers from EADS at the RECON (Reverse Engineering Conference) in 2006 were able to circumvent some of the anti-debugging techniques of Skype and also discover a vulnerability in the Skype application itself" (Endler, 2007). Closed source/proprietary protocols have rarely, if ever, been impervious to vulnerabilities (i.e., Cisco's CDP, SCCP, Microsoft's NetBIOS, NetBEUI, etc.).

The following is a packet capture I performed while placing a call from Skype VoIP version 3.5.0.229 to my home POTS phone:

Figure 35

As you can see in that packet capture, in this particular call, the source port remained 13590/udp, and the destination port remained 12340/udp. As stated earlier, Skype randomizes ports


and is very aggressive about connecting calls by trying any possible port/protocol combination.

For an organization or a home user wanting to identify which PCs have the Skype VoIP application installed, there is a freeware tool called 'SkypeKiller', which can be downloaded at http://www.skypekiller.com/. To test the functionality of SkypeKiller, I downloaded it onto the Windows XP test PC used to perform the Skype calls earlier. There were a few small configurations to set; however once I selected 'execute', SkypeKiller immediately found Skype directories, files, and keys:

Figure 36

Figure 37


It would then be the mission of the network security administrator to locate the machines and have the Skype VoIP application removed.

The Skype website's firewall page notes that the ideal conditions for Skype to work are to open all outbound ports 1-65535 TCP and UDP; it also mentions that Skype can run on ports HTTP:80/tcp and HTTPS:443/tcp (Skype, 2006). As such, Skype is difficult to filter at layers 3 and 4 on a stateful firewall or router, since outbound HTTP and HTTPS access must be permitted for web traffic. Attempts to identify Skype traffic have therefore focused on the application layer. Various Snort signatures have been written to help identify Skype at the application layer, given that signatures cannot be written for destination IP/port/protocol since it is likely that Skype uses round robin DNS/IP for its call servers.

"SonicWall and Checkpoint have both added features to their firewall set that supposedly allow Skype filtering... Akonix also markets a device called L7 Skype Manager, which purports to be able to log and enforce Skype usage in the network. All of these product claims however, are following a moving target, as each new major version of Skype tends to increase the amount of payload obfuscation in order to evade these types of technologies" (Endler, 2007).

However, rather than spend thousands of dollars for a proprietary device and depend on a third party vendor to deploy new signatures to attempt to detect new Skype versions, in my opinion I would rather use Snort with open-source signatures. According to Sourcefire, they have built a new Snort Skype preprocessor that was released under the VRT license on 8/13/2007 in version 2.7.0.1, which should be effective at detecting Skype traffic. Since Skype automatically checks back with its Skype home servers to get the latest version, it is at this unencrypted version check where Skype hosts can be detected purely from network traffic.

Figure 38

http://www.snort.org/pub-bin/sigs-search.cgi?sid=skype

As you can see, Snort SIDs 5692-6001 are various signatures included to help detect Skype at various points of Skype operations such as getting the latest version, client login, client startup, etc. The following are some of the Snort IDS Skype signatures found in the public realm:

"
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; uricontent:"/ui/"; nocase; uricontent:"/en/getlatestversion?ver="; nocase; classtype:policy-violation; reference:url,http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001595; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/en/installed"; nocase; classtype:policy-violation; reference:url,http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; sid:2001596; rev:1;)
" (Jonkman, 2005).
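To make the difference between content-keyed and address-keyed signatures concrete, the following is an added Python example of my own (it is not the paper's code and not Snort). It parses the two rules quoted above (with their reference option dropped for brevity) plus one constructed rule in the static-address style the paper criticises further down, evaluates each rule against constructed HTTP request records, and lints every rule for a hard-coded destination IP or port. The $HTTP_PORTS variable is assumed to mean {80, 8080}; the IP addresses come from the documentation ranges and SID 9000001 is made up.

```python
"""Minimal evaluator and linter for Snort-style Skype policy rules (added example)."""
import re

# Two rules quoted in the paper (reference option omitted) and one constructed
# static-address rule, of the kind the paper says should be avoided.
SKYPE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP '
    'Checking Version (Startup)"; uricontent:"/ui/"; nocase; '
    'uricontent:"/en/getlatestversion?ver="; nocase; classtype:policy-violation; sid:2001595; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Policy Skype VOIP '
    'Reporting Install"; uricontent:"/ui/"; nocase; uricontent:"/en/installed"; nocase; '
    'classtype:policy-violation; sid:2001596; rev:1;)',
    'alert ip $HOME_NET any -> 192.0.2.10 any (msg:"CONSTRUCTED static address rule"; '
    'classtype:policy-violation; sid:9000001; rev:1;)',
]
HTTP_PORTS = {80, 8080}   # assumed expansion of the $HTTP_PORTS variable
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'([\w-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class Rule:
    def __init__(self, proto, dst, dport):
        self.proto, self.dst, self.dport = proto, dst, dport
        self.sid, self.msg, self.uricontent = 0, "", []   # uricontent: [pattern, nocase]

def parse_rule(text):
    """Split a rule into its header fields and the options this example understands."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(proto, dst, dport)
    for key, val in OPT_RE.findall(opts):
        if val.startswith('"'):
            val = val[1:-1]
        if key == "uricontent":
            rule.uricontent.append([val, False])
        elif key == "nocase" and rule.uricontent:
            rule.uricontent[-1][1] = True      # nocase modifies the preceding content match
        elif key == "sid":
            rule.sid = int(val)
        elif key == "msg":
            rule.msg = val
    return rule

def rule_matches(rule, req):
    """req: dict with proto, dst_ip, dst_port and uri (the HTTP request path, if any)."""
    if rule.proto != "ip" and rule.proto != req["proto"]:
        return False
    if rule.dst not in ("any", "$EXTERNAL_NET") and rule.dst != req["dst_ip"]:
        return False
    if rule.dport == "$HTTP_PORTS":
        if req["dst_port"] not in HTTP_PORTS:
            return False
    elif rule.dport != "any" and rule.dport != str(req["dst_port"]):
        return False
    for pattern, nocase in rule.uricontent:
        uri = req.get("uri", "")
        if nocase:
            pattern, uri = pattern.lower(), uri.lower()
        if pattern not in uri:
            return False
    return True

def lint_rule(rule):
    """Reasons a rule is brittle: it keys on an address or port Skype may never use again."""
    problems = []
    if IPV4_RE.match(rule.dst):
        problems.append("static destination IP")
    if rule.dport.isdigit():
        problems.append("static destination port")
    if not rule.uricontent:
        problems.append("no payload content to match")
    return problems

# Constructed request records shaped like what the rules inspect (documentation IPs).
SAMPLE_REQUESTS = [
    {"id": "version-check", "proto": "tcp", "dst_ip": "203.0.113.5", "dst_port": 80,
     "uri": "/ui/0/3.5.0.229/en/getlatestversion?ver=3.5.0.229"},
    {"id": "install-report", "proto": "tcp", "dst_ip": "203.0.113.5", "dst_port": 80,
     "uri": "/UI/0/3.5.0.229/EN/installed"},
    {"id": "web-browsing", "proto": "tcp", "dst_ip": "203.0.113.7", "dst_port": 80,
     "uri": "/index.html"},
    {"id": "udp-to-static-ip", "proto": "udp", "dst_ip": "192.0.2.10", "dst_port": 33033, "uri": ""},
]

def scan(requests=SAMPLE_REQUESTS, rule_texts=SKYPE_RULES):
    """Map each request id to the SIDs that fire on it."""
    rules = [parse_rule(r) for r in rule_texts]
    return {req["id"]: [r.sid for r in rules if rule_matches(r, req)] for req in requests}
```

scan() shows the two content rules firing only on the version-check and install requests, and the case-insensitive match catching the upper-cased install URI. lint_rule() flags the constructed rule for exactly the reason the paper gives: with no payload content it fires on everything sent to that one address, and it stops working the moment Skype's servers move.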

These signatures should be somewhat successful at identifying Skype usage on a source host when Skype is being installed or performing a version check. Concurrently, there have also been some poorly written Snort IDS signatures out in the public realm that should be avoided:

"alert ip $HOME_NET any -> 195.215.8.141 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999988; rev:1;)

alert tcp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999989; rev:1;)

alert udp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999990; rev:1;)

alert ip $HOME_NET any -> 80.160.91.28 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999991; rev:1;)

alert ip $HOME_NET any -> 212.72.49.142 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999992; rev:1;)
" (Network Security Archive, 2005).

Unfortunately these are poorly written signatures because some of them contain static IP addresses and ports. While a Skype server may have at some point used IP address 80.160.91.28, the likelihood of that IP being used again is slim to none. The same goes for the signatures alerting on destination port 33033/udp. It is likely that one of the Skype versions in the past used that port more frequently, and that is why there were more hits and logs for that signature. Upon researching Skype vulnerabilities, I came across the Secunia page for Secunia Advisory SA27934, which noted a newly found Skype vulnerability.

"The vulnerability is caused due to a boundary error in Skype4COM.dll within the "skype4com" URI handler when processing short strings. This can be exploited to cause a limited heap-based buffer overflow as a longer string may be copied into a heap-based buffer previously allocated based on the length of the supplied URI. Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website. The vulnerability is confirmed in Skype 3.5.0.239. Other versions prior to 3.6.0.216 may also be affected" (Secunia, 2007).

This heap-based buffer overflow could be used to compromise a host running Skype and use it as a stepping stone to attack other network resources, as well as to listen in on VoIP conversations. A newly reported worm affecting Skype Windows users is also spreading.

"Skype has learned that a computer virus called “w32/Ramex.A” is affecting users of Skype for Windows. Users whose computers are infected with this virus will send a chat message to other Skype users asking them to click on a web link that can infect the computer of the person who receives the message. Users receive a message which appears to be from someone on their contact list, asking them to click a link. The messages are "cleverly written" to appear like typical chat messages, and appear to contain a link to a JPEG image. The link actually points to an executable file; if Windows-based users click the link (and give permission to save or run a .scr file) the user's computer will be infected with the w32/Ramex.A worm. The worm uses Skype's public API to access the user's computer" (Skype, 2007).

I personally have not yet encountered this worm because I am not a user of Skype in my free time. However, with this threat out in the wild, the best practice for all Skype users would be to treat download links in Skype messages the same as those in e-mail: even from trusted sources, installing programs from links in messages is dangerous and should be avoided. Further research led me to find variants of this worm with the names 'Pykspa.d', 'Pyks-5', 'Pykse.A', and 'Skipi'.

The following is Symantec's summary of this worm:

"W32.Pykspa.D is a worm that spreads through Skype Instant Messenger and removable drives. It also disables access to security-related Web sites by modifying the hosts file and ends processes which may be security-related... When W32.Pykspa.D is executed, it displays the %Windir%\Soap Bubbles.bmp graphic file, if it already exists on the compromised computer. The worm creates the following mutex so that only one instance of the worm runs at a time:

pyksp2.0.0.3gM-2oo8&-825190¬

Next, the worm opens and displays the following file:

%Windir%\Soap Bubbles.bmp

The worm changes the status of the Skype user to DND (Do Not Disturb). It then copies itself to the following files:

• %System%\mshtmldat32.exe
• %System%\sdrivew32.exe
• %System%\winlgcvers.exe
• %System%\wndrivs32.exe
" (Kiernan, Symantec, 2007).
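The Symantec summary above gives two host-side indicators a responder can check for without any vendor tool: the four file names the worm copies itself to, and tampering with the hosts file to cut off security sites. The following added Python example (mine, not the paper's and not Symantec's) implements that check over constructed data: the directory listing, the hosts file contents and the list of watched domains are all made up for the example, since the summary names no specific blocked sites.

```python
"""Host check for the W32.Pykspa.D indicators quoted above (added example)."""
import ntpath

# File names from the Symantec summary; matched case-insensitively anywhere in the listing.
PYKSPA_FILES = {"mshtmldat32.exe", "sdrivew32.exe", "winlgcvers.exe", "wndrivs32.exe"}
# Addresses that make a hosts-file entry a block rather than a redirect.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """{hostname: address} from a hosts file; comments, blank lines and aliases handled."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            mapping[host.lower()] = fields[0]
    return mapping

def hosts_tampering(hosts_text, watched_domains):
    """Watched domains pinned to a loopback/unspecified address, i.e. made unreachable."""
    mapping = parse_hosts(hosts_text)
    return {d: mapping[d.lower()] for d in watched_domains
            if mapping.get(d.lower()) in SINKHOLE_ADDRESSES}

def worm_copies(listing):
    """Paths in a file listing whose basename matches one of the worm's copies."""
    return sorted(p for p in listing if ntpath.basename(p).lower() in PYKSPA_FILES)

def assess(listing, hosts_text, watched_domains):
    copies = worm_copies(listing)
    tampered = hosts_tampering(hosts_text, watched_domains)
    return {"worm_copies": copies, "hosts_tampering": tampered,
            "suspicious": bool(copies) or bool(tampered)}

# Constructed data: a partial file listing and a hosts file edited the way the summary describes.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\MSHTMLDAT32.EXE",
    r"C:\WINDOWS\system32\wndrivs32.exe",
    r"C:\Temp\sdrivew32.exe",
]
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       av-vendor.example www.av-vendor.example   # constructed worm-added line
0.0.0.0         updates.security.example
192.0.2.44      intranet.example
"""
WATCHED = ["av-vendor.example", "updates.security.example", "intranet.example"]
```

assess(SAMPLE_LISTING, SAMPLE_HOSTS, WATCHED) reports the three matching copies and the two sinkholed domains; the intranet entry is a normal redirect and is left alone, as is the legitimate localhost line.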

As you can see, the prevalence of Skype use has amplified the quantity and insidiousness of worms spreading through Skype calls and chats.

"While softphone-based services have yet to really penetrate the enterprise market, many IM/VoIP clients are used actively by individuals within the enterprise itself. This causes an interesting dilemma for IT administrators who need to prevent those applications from opening up additional risks within the environment, while trying to maintain control over network bandwidth" (Endler, 2007).

VII. Cisco VoIP

Cisco provides a wide variety of VoIP resources ranging from Linksys SOHO VoIP routers to large enterprise, multi-site clustering of call managers. Cisco's Unified CallManager is software based, just like SER and Asterisk. However, unlike SER and Asterisk, the CallManager software is deployed on Cisco proprietary hardware appliances.

“The 5.x branch is a major departure from the traditional Windows-based 3.x and 4.x installations in that the CallManager software actually runs on a Linux appliance instead of a MCS. While users of the 3.x and 4.x CallManager had fairly open access to the underlying Windows Server 2003 or Microsoft Windows 2000 Server, the 5.x Linux appliances are locked down with only a management interface for more administrative functions” (Endler, 2007).

Skinny Client Control Protocol, or SCCP, as mentioned earlier, is Cisco's proprietary signaling protocol between the CallManager(s) and VoIP phones (similar to H.323). A Cisco VoIP phone is also often called a 'Skinny client'. SCCP uses port 2000/tcp for unencrypted communications, and Skinny Client Control Protocol Secure (SCCPS) uses port 2443/tcp for encrypted communications between the VoIP phone and call manager (Lewis, 2004). Similar to SIP, SCCP is used to handle call sessions, while Cisco VoIP uses RTP for the audio stream. A SIP UA phone is more intelligent and less of a dumb terminal compared to Cisco Skinny clients, in terms of being able to provide a dial tone when the phone is removed from the cradle, being able to light up the LCD menu screen, etc. To explain call setup vulnerabilities later on, I must first briefly explain the Cisco Unified CallManager method of building calls through SCCP message exchanges:

Figure 39

Sadly, my financial resources are limited and I could not purchase two Cisco VoIP phones and a Unified CallManager server to build a call between two Skinny clients. However, by researching this further I was able to locate a Wireshark pcap trace of SCCP messages being exchanged in the above scenario. This pcap file is made available for free for all to view at:

Figure 40

(http://www.hackingvoip.com/traces/skinny.pcap)
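For a reader who wants to follow such a trace without Wireshark, the following added Python example (mine, not the paper's and not Cisco's) reassembles Skinny messages from the payload of a TCP/2000 stream and lists the signalling exchange of a call. It assumes the SCCP framing and message ids as Wireshark's skinny dissector decodes them (three little-endian 32-bit words: payload length, header version, message id, followed by the body), and the byte stream it decodes is constructed here rather than taken from the hackingvoip.com capture.

```python
"""Reassemble SCCP (Skinny) messages from a TCP stream and name the exchange (added example)."""
import struct

# Subset of SCCP message ids, as named by Wireshark's skinny dissector.
MESSAGE_NAMES = {
    0x0000: "KeepAlive", 0x0001: "Register", 0x0006: "OffHook", 0x0007: "OnHook",
    0x0022: "OpenReceiveChannelAck", 0x0081: "RegisterAck", 0x008A: "StartMediaTransmission",
    0x008B: "StopMediaTransmission", 0x0100: "KeepAliveAck", 0x0105: "OpenReceiveChannel",
    0x0106: "CloseReceiveChannel", 0x0111: "CallState",
}

def encode(msg_id, body=b""):
    """One SCCP message; the length word counts the message id word plus the body."""
    return struct.pack("<III", 4 + len(body), 0, msg_id) + body

class SkinnyStream:
    """Pulls whole SCCP messages out of one direction of a TCP stream, across segment boundaries."""
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        msgs = []
        while len(self.buf) >= 8:
            length = struct.unpack_from("<I", self.buf)[0]
            if length < 4 or length > 0x10000:
                raise ValueError("implausible SCCP length %d" % length)
            if len(self.buf) < 8 + length:
                break                       # message continues in a later segment
            msg_id = struct.unpack_from("<I", self.buf, 8)[0]
            msgs.append((msg_id, self.buf[12:8 + length]))
            self.buf = self.buf[8 + length:]
        return msgs

def decode_exchange(segments):
    """segments: [(sender, payload bytes)] in capture order -> [(sender, message name, detail)]."""
    streams, out = {}, []
    for sender, data in segments:
        for msg_id, body in streams.setdefault(sender, SkinnyStream()).feed(data):
            detail = ""
            if msg_id == 0x008A and len(body) >= 16:
                # header-version-0 layout: conferenceId, passThruPartyId, remote IPv4, remote port;
                # all sent in the clear, so the RTP endpoint is readable by anyone on the path.
                _, _, raw_ip, port = struct.unpack_from("<II4sI", body)
                detail = "rtp to %s:%d" % (".".join(str(b) for b in raw_ip), port)
            out.append((sender, MESSAGE_NAMES.get(msg_id, "Unknown(0x%04x)" % msg_id), detail))
    return out

def sample_exchange():
    """Constructed phone <-> CallManager exchange: register, go off hook, media up, hang up."""
    smt = encode(0x008A, struct.pack("<II4sI", 1, 0x01000001, bytes([10, 1, 100, 21]), 24580) + bytes(20))
    segments = [
        ("phone", encode(0x0001)), ("ccm", encode(0x0081)),
        ("phone", encode(0x0006)), ("ccm", encode(0x0105)),
        ("phone", encode(0x0022)),
        ("ccm", smt[:10]), ("ccm", smt[10:]),                          # one message split over two segments
        ("phone", encode(0x0007)), ("ccm", encode(0x008B) + encode(0x0106)),  # two messages in one segment
    ]
    return decode_exchange(segments)
```

The split and coalesced segments in sample_exchange() are the cases a naive one-message-per-packet decoder gets wrong; the StartMediaTransmission detail shows why the paper's later recommendation of SCCPS matters, since the RTP destination is otherwise visible to anyone sniffing the signalling.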

As you saw above in figures 10 and 11, it is fairly easy to find Cisco VoIP phones left hanging on the Internet with a publicly routable IP address. The best practice for all organizations with a Cisco VoIP deployment is to disable all web servers on VoIP phones. That configuration change can be made in the Cisco Unified CallManager Administration page for all phones. Another Google hacking search effective in finding Cisco Unified CallManagers with a publicly routable IP address is to enter “intitle:”Cisco CallManager User Options Log On”. That search returned a link to a CallManager, which would allow an attacker to further probe the server:

Figure 41

A quick NMAP version scan of ports 0-2100 showed only ports HTTP:80/tcp and HTTPS:443/tcp to be open, and the server also responded to ICMP pings. All Cisco devices come with the proprietary Cisco Discovery Protocol (CDP), which is a layer 2 network management protocol. While highly beneficial from a management/configuration perspective for VoIP phones and any other devices, the CDP traffic is sent unencrypted and broadcast. As such, a person with inside physical access to an organization and an Ethernet port could sniff the cleartext broadcast traffic. CDP should either be disabled or used minimally when needed.

“It’s a good idea to disable as many default services as possible on your VoIP devices to avoid giving away too much information about your infrastructure; however, this is not really an option on CallManager 5.x servers as Cisco has locked them down much more than the 4.x predecessors running on Windows” (Endler, 2007).

This applies to disabling unnecessary services on Cisco VoIP phones as well. This is in reference to the PC port on the VoIP phone.

"The phone has the ability to turn on or turn off the port on the back of the phone, to which a PC would normally be connected. This feature can be used as a control point to access the network if that type of control is necessary. Depending on the security policy and placement of the phones, the PC port on the back of any given phone might have to be disabled. Disabling this port would prevent a device from plugging into the back of the phone and getting network access through the phone itself. A phone in a common area such as a lobby would typically have its port disabled. Most companies would not want someone to get into the network on a non-controlled port because physical security is very weak in a lobby" (Cisco, 2005).

A security policy must be defined to identify which VoIP phone PC ports are permitted to be open (e.g. offices where necessary for employee access). While this makes sense in the lobby scenario, an attacker could still unplug the cable from the Ethernet port on the wall and connect a PC to that port. If the corresponding switch permits only the VoIP phone's MAC address to send Ethernet frames from that switch port, then the attacker would have to spoof the VoIP phone's MAC address as the source MAC in the frame to bypass that defense. Further countermeasures to that include Dynamic ARP Inspection (DAI) in conjunction with DHCP Snooping, IP Source Guard (IPSG), which dynamically creates an ACL based on the contents of the DHCP Snooping table to prevent source IP spoofing, as well as the always necessary VLAN VoIP/data separation. Further information on those feature sets is beyond the scope of this report, but can be found at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063742b.html#wp1046685.

In an enterprise with multiple sites nationally and globally, with hundreds of employees at each site, running two separate cables to each employee's desk for separate VoIP phone and PC data access ports may be impractical from a financial standpoint (cost of more switches, patch panels, cables, conduit, UPS power, cooling, etc.). Most if not all VoIP phones come with a PC data port, as explained above. With that being the case, there is no longer a physical network separation, but there must be a logical VoIP and PC VLAN separation. Essentially, both the PC data and VoIP VLAN access must be allowed from the single physical switch port used by both the VoIP phone and PC.

Figure 42

http://static.flickr.com/75/202787091_8a25a60e7e_b.jpg

"Before the phone has its IP address, the phone determines which VLAN it should be in by means of the Cisco Discovery Protocol (CDP) negotiation (if CDP enabled) that takes place between the phone and the switch. This negotiation allows the phone to send packets with 802.1q tags to the switch in a "voice VLAN" so that the voice data and all other data coming from the PC behind the phone are separated from each other at Layer 2... Because there are two VLANs from the switch to the phone, the phone needs to protect the voice VLAN from any unwanted access. The phones can prevent unwanted access into the voice VLAN from the back of the phone. A feature called PC Voice VLAN Access prevents any access to the voice VLAN from the PC port on the back of the phone. When disabled, this feature does not allow the devices plugged into the PC port on the phone to "jump" VLANs and get onto the voice VLAN by sending 802.1q tagged information destined for the voice VLAN to the PC port on the back of the phone. The feature operates one of two ways, depending on the phone that is being configured. On the more advanced phones, the phone will block any traffic destined for the voice VLAN that is sent into the PC port on the back of the phone" (Cisco, 2005).

Figure 43

(Cisco, 2005).
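The defenses described in the two passages above (the switch-side port security, DHCP-snooping-backed IP Source Guard and Dynamic ARP Inspection, and the phone-side PC Voice VLAN Access blocking) are easier to reason about when their order and their inputs are written out. The following added Python example (mine, not the paper's and not Cisco's) models them as checks over real Ethernet, 802.1Q, IPv4 and ARP byte layouts. Every MAC address, IP address, VLAN id and frame in it is constructed test data, and the binding table stands in for what DHCP snooping would have learned.

```python
"""Model of the Layer 2 defenses behind a phone's PC port (added example)."""
import struct

VOICE_VLAN, DATA_VLAN = 100, 10
PHONE_MAC, PC_MAC, ROGUE_MAC = "00:1b:54:aa:bb:01", "00:1c:42:cc:dd:02", "de:ad:be:ef:00:03"
PHONE_IP, PC_IP, GATEWAY_IP = "10.1.100.20", "10.1.10.30", "10.1.10.1"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def fmt_mac(b):
    return ":".join("%02x" % x for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame, optionally carrying one 802.1Q tag (PCP/DEI zero)."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def ipv4_payload(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (UDP, TTL 64, checksum left zero), no data."""
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0) + ip(src_ip) + ip(dst_ip)

def arp_payload(sender_mac, sender_ip, target_ip):
    """ARP request: htype 1, ptype IPv4, hlen 6, plen 4, op 1."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(sender_mac) + ip(sender_ip)
            + bytes(6) + ip(target_ip))

def parse_frame(frame):
    """Source MAC, VLAN id (None if untagged), ethertype and payload of an Ethernet frame."""
    off, vlan = 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"src_mac": fmt_mac(frame[6:12]), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[off + 2:]}

def phone_pc_port(parsed):
    """PC Voice VLAN Access disabled: frames tagged for the voice VLAN never leave the PC port."""
    if parsed["vlan"] == VOICE_VLAN:
        return "phone PC port: frame tagged for voice VLAN blocked"
    return None

class SwitchPort:
    """Access port with port security plus IPSG/DAI fed by a DHCP snooping binding table."""
    def __init__(self, allowed_macs, bindings):
        self.allowed_macs = {m.lower() for m in allowed_macs}
        self.bindings = {(m.lower(), i): v for m, i, v in bindings}   # (mac, ip) -> vlan

    def check(self, parsed):
        vlan = DATA_VLAN if parsed["vlan"] is None else parsed["vlan"]   # untagged = data VLAN
        if parsed["src_mac"] not in self.allowed_macs:
            return "port security: unknown source MAC"
        p = parsed["payload"]
        if parsed["ethertype"] == 0x0800:
            if self.bindings.get((parsed["src_mac"], fmt_ip(p[12:16]))) != vlan:
                return "IP Source Guard: source IP not bound to this MAC on this VLAN"
        elif parsed["ethertype"] == 0x0806:
            sender_mac, sender_ip = fmt_mac(p[8:14]), fmt_ip(p[14:18])
            if sender_mac != parsed["src_mac"] or self.bindings.get((sender_mac, sender_ip)) != vlan:
                return "Dynamic ARP Inspection: ARP sender does not match snooping binding"
        return None

def evaluate(frame, port, via_pc_port):
    """Verdict for a frame; via_pc_port=True means it entered through the phone's PC port."""
    parsed = parse_frame(frame)
    reason = phone_pc_port(parsed) if via_pc_port else None
    return reason or port.check(parsed) or "allowed"

def run_samples():
    port = SwitchPort(allowed_macs=[PHONE_MAC, PC_MAC],
                      bindings=[(PHONE_MAC, PHONE_IP, VOICE_VLAN), (PC_MAC, PC_IP, DATA_VLAN)])
    samples = {
        "pc-normal": (build_frame(BROADCAST, PC_MAC, 0x0800, ipv4_payload(PC_IP, GATEWAY_IP)), True),
        "pc-vlan-hop": (build_frame(BROADCAST, PC_MAC, 0x0800, ipv4_payload(PC_IP, PHONE_IP), vlan=VOICE_VLAN), True),
        "unknown-mac": (build_frame(BROADCAST, ROGUE_MAC, 0x0800, ipv4_payload(PC_IP, GATEWAY_IP)), True),
        "pc-spoofed-ip": (build_frame(BROADCAST, PC_MAC, 0x0800, ipv4_payload("10.1.10.99", GATEWAY_IP)), True),
        "pc-arp-spoof": (build_frame(BROADCAST, PC_MAC, 0x0806, arp_payload(PC_MAC, GATEWAY_IP, PC_IP)), True),
        "phone-voice": (build_frame(BROADCAST, PHONE_MAC, 0x0800, ipv4_payload(PHONE_IP, GATEWAY_IP), vlan=VOICE_VLAN), False),
    }
    return {name: evaluate(frame, port, via) for name, (frame, via) in samples.items()}
```

run_samples() passes the PC's ordinary untagged traffic and the phone's own tagged voice traffic, and names the layer that stops each of the other cases: the phone itself for a voice-VLAN-tagged frame on the PC port, port security for an unknown MAC, and the snooping-derived bindings for a spoofed source IP or a forged ARP sender.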


(See figure 5 above also.) These issues apply to all VoIP phones using any VoIP protocol (SIP, H.323, SCCP, etc.), not just Cisco, because this is a lower layer security issue.

As with most other VoIP phones, the Cisco VoIP infrastructure also provides SNMP for management purposes, which should be strictly controlled via SNMPv3 with encryption. If v1 or v2 must be used, then strong community string passwords should be used. Similarly for management purposes, Virtual Network Computing or VNC (RealVNC) comes bundled in the CallManager 4.x (Windows), and allows for remote upgrades, patches, etc. VNC is similar in functionality to remote desktop (RDP) services and PCAnywhere. However, there have been vulnerabilities found for authentication bypassing.

As documented in US-CERT VU#117929, "The RealVNC Server fails to properly authenticate clients. When a RealVNC client connects to a RealVNC server, the server provides a list of supported authentication methods. By design, the client then selects a method from the list. Due to an implementation flaw, if the client specifies that no (null) authentication should be used, the server accepts this method and authenticates the client, whether or not null authentication was offered by the server" (Gennari, 2006).

Any VNC server/client administration used for either Cisco Unified CallManager 4.x (Windows) or 5.x (Linux) falls under greater threat due to VNC brute force tools such as 'VNCrack', which is free to download at http://www.phenoelit-us.org/fr/tools.html. The best practice, however, is to remove or disable VNC services, especially since 99% of the Linux administration can be done via the shell connected to the CallManager. Patch management, as with any other device, is necessary and must be performed in a timely manner. Whether the patches are for vulnerability updates or functionality updates, Cisco has provided a nice tool (to paid subscribers only) that is available at http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi. From there an administrator can define which elements of a Cisco VoIP infrastructure are being used, and be notified when there are patches for them.

"Cisco took the Microsoft Windows 2000-based CallManager, currently release 4.1(3), and—over the last two years—ported every bit of the code over to run on Linux. Then it built-in SIP call control, in the form of a back-to-back SIP user agent, and mapped as many Skinny features to SIP standards and drafts as it reasonably could... Cisco delivers CallManager 5.0 already installed on Linux, on the vendor’s MCS series of servers. Linux is widely regarded as generally more secure, and often better performing, than Windows as an IP-PBX call control platform" (Mier, 2006).

If an organization decides to continue using the Windows OS based CallManagers (4.x), even in the face of never-ending Windows vulnerabilities in the wild, then Cisco also provides the installation of their host based IDS/IPS (HIPS).

"Cisco Security Agent provides intrusion detection and prevention for the Cisco Unified CallManager cluster. Cisco Systems provides it free of charge as a standalone security agent for use with servers in the Cisco Unified CallManager voice cluster. The agent provides Windows platform security that is based on a tested security rules set (policy), which has rigorous levels of host intrusion detection and prevention. The agent controls system operations by using a policy that allows or denies specific system actions before system resources are accessed. This process occurs transparently and does not hinder overall system performance" (Cisco, 2005).

However, any CSA deployment should be in conjunction with network firewalls and IPSs to strictly permit only the services necessary for VoIP functionality on the CallManager. With Cisco's implementation of SIP and other 'Presence' features on the Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS), as well as the implementation of SIP on new VoIP phones, these servers can also fall victim to SIP based attacks and vulnerabilities including INVITE and REGISTER floods. However, there are immense benefits, such as using SIP-TLS between SIP resources along with SRTP and SRTCP, not to mention the open standards benefit of an organization being able to use non-Cisco SIP supporting phones. For all SIP based attacks targeting Cisco Unified CallManagers and Cisco VoIP SIP user agents, please view the SIP section of this report.

There have been multiple vulnerabilities reported targeting Cisco's VoIP resources in various ways. While I would prefer to only stick to vulnerabilities in the latest Linux based Cisco Unified CallManagers, I am certain that there are many organizations still running the 3.x and 4.x Windows based CallManagers that are susceptible to multiple vulnerabilities. US-CERT/NIST CVE-206-5277 details a Certificate Trust List (CTL) vulnerability in the Cisco Unified Communications Manager (CUCM, formerly CallManager).

Further research led me to IBM's ISS threat page, noting that the "Cisco CallManager is vulnerable to an off-by-one error, which allows for a one-byte heap-buffer overflow within the CTLProvider.exe component of CallManager. By sending specially-crafted packets, an attacker is able to trigger the heap overflow, which causes both a denial of service condition and enables the attacker to compromise the CallManager server. Some of the affected platforms are:

• Cisco Unified CallManager 3.3 versions prior to 3.3(5)SR3
• Cisco Unified CallManager 4.1 versions prior to 4.1(3)SR5
• Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR2
• Cisco Unified Communications Manager 4.3 versions prior to 4.3(1)SR1
• Cisco Unified CallManager 5.0 and Communications Manager 5.1 versions prior to 5.1(2)" (IBM ISS, 2007).

Also, a common cross site scripting (XSS) vulnerability was found affecting the Cisco CallManager 4.1.

"The web interface of the application fails to properly sanitize data supplied by the search-form before displaying it back to the user. Though several filters are in place to prevent the injection of <script> tags or action handlers such as "onclick" or "onmouseover", it is possible to inject html-code including common attributes. This allows the embedding of external references, e.g. images or flash resources... This vulnerability may be exploited by tricking authenticated users into clicking a crafted link in order to conduct arbitrary web-based attacks... The vulnerability also allows an attacker to use the "style"-attribute on any tag to conduct arbitrary web-based attacks... Server-side input validation should be improved to prevent the injection of unauthorized code" (Ruef, Friedli, 2006).
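The advisory above describes a filter that strips known-bad constructs and then echoes the remainder as markup, which is exactly why attribute-bearing tags slip through. The following added Python example (mine, not Cisco's code and not the advisory's) puts that blacklist strategy beside the fix the advisory calls for, treating the search term as data and HTML-encoding it before it is placed in the page. The search-term inputs and the external.example host are constructed for the example.

```python
"""Blacklist filtering beside output encoding for an echoed search term (added example)."""
import html
import re

SCRIPT_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
HANDLER_RE = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE)
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")
PREFIX, SUFFIX = "<p>Results for: ", "</p>"

def blacklist_filter(term):
    """Vulnerable approach: remove <script> tags and on* handlers, keep everything else as markup."""
    return HANDLER_RE.sub("", SCRIPT_RE.sub("", term))

def render_search_blacklist(term):
    return PREFIX + blacklist_filter(term) + SUFFIX

def render_search_escaped(term):
    """Fixed approach: the term is data, so it is HTML-encoded before being placed in markup."""
    return PREFIX + html.escape(term, quote=True) + SUFFIX

def contains_markup(rendered):
    """True if any tag survives inside the echoed portion of the page."""
    inner = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return bool(TAG_RE.search(inner))

# Constructed search terms: a harmless one and three shaped like the advisory's description.
CONSTRUCTED_INPUTS = {
    "plain": "john smith",
    "script": "<script>alert(1)</script>",
    "handler": "<b onmouseover=\"alert(1)\">x</b>",
    "styled-image": "<img src=\"http://external.example/x.png\" style=\"position:absolute\">",
}

def compare():
    """For each input: (markup survives the blacklist?, markup survives output encoding?)."""
    return {name: (contains_markup(render_search_blacklist(t)),
                   contains_markup(render_search_escaped(t)))
            for name, t in CONSTRUCTED_INPUTS.items()}
```

compare() shows the blacklist doing its job on the two cases it was written for and failing on the plain tag and on the image with a style attribute, while output encoding neutralises all four without needing to know what "bad" looks like.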


Ci sco has upgr aded the af f ect ed Cal l Manager ver si ons and

wi t h pat ches t hat ar e i ncor por at ed i n 4. 2( 3) sr 2, 3. 3( 5) sr 3,

4. 1( 3) sr 5 and 4. 3( 1) sr 1. Whi l e any or gani zat i on usi ng t he

af f ect ed Cal l Manager s shoul d absol ut el y per f or m t he upgr ades

pr ovi ded, I DS si gnat ur es can be wr i t t en f or an I DS sni f f i ng or

an I PS i nl i ne wi t h t he Cal l Manager t o dr op any packet s wi t h t he

<scr i pt > t ag f ound.

There is another interesting vulnerability that I found regarding the Cisco IP Phones 7940 and 7960, that was detailed in US-CERT/NIST CVE-2007-4459. "The Cisco IP Phone 7940 with P0S3-08-6-00 firmware allows remote attackers to cause a denial of service (device reboot) via (1) a certain sequence of 10 invalid SIP INVITE and OPTIONS messages; or (2) a certain invalid SIP INVITE message that contains a remote tag, followed by a certain set of two related SIP OPTIONS messages" (US-CERT/NIST, 2007). Further research led me to the related SecurityFocus web page detailing the same vulnerability, and providing a proof of concept Perl script for the exploit performed:

"#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

# UDP socket to the target phone's SIP port
$socket = IO::Socket::INET->new(PeerPort => $ARGV[1],
                                Proto    => 'udp',
                                PeerAddr => $ARGV[0]);

# Initial INVITE carrying a To tag ("remote tag") and a non-RFC 3261 branch
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=00\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

sleep(1);

# First of the two related OPTIONS messages, same Call-ID
$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=01\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

sleep(1);

# Second OPTIONS message
$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=02\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);" (SecurityFocus, Madynes research team, 2007)

As you can see, there are arguments included in the SIP INVITE and OPTIONS messages that were sent. This was due to a lack of input validation on the acceptance of the messages for the incoming SIP header of the packet, and as such, can cause a denial of service to the phones in question. The second proof of concept script made available by SecurityFocus can be found by navigating to http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_7940_dos1.pl. Cisco has noted that upgrades to the firmware on both the CP-7960 and 7940 phones to 8.7(0) patch this vulnerability.

I also found two other interesting vulnerabilities reported for the Cisco Unified CallManager.

"Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP)-related vulnerabilities... The CallManager CLI provides a backup management interface to the system in order to diagnose and troubleshoot the primary HTTPS-based management interfaces. The CLI, which runs as the root user, contains two vulnerabilities in the parsing of commands. The first vulnerability may allow an authenticated CUCM administrator to execute arbitrary operating system programs as the root user. The second vulnerability may allow output redirection of a command to a file or a folder specified on the command line.

There is also a buffer overflow vulnerability in the processing of long hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0" (Cisco, 2006).

Cisco has patched these vulnerabilities and recommends users upgrade to CUCM version 5.0(4) or a later release. A simple Google search for 'Cisco VoIP vulnerabilities' will return a multitude of various vulnerabilities found. It is a near certainty that more vulnerabilities will be found in future releases of CUCM and CUPS. With that being the case, the best practice for an organization would be to immediately upgrade older versions of Cisco CallManager if Windows is still the base OS, and deploy Snort inline IPS in front of the CallManager. I would veer away from Cisco IDS/IPS for the simple reason that if a zero-day attack exploit is made public, an organization must wait for Cisco to provide signature pack updates containing the signatures, versus simply testing and writing your own Snort signature immediately.

VIII.  Conclusion

As you can see, there is a wide variety of VoIP technologies that are vulnerable to a multitude of different attacks. The Internet was not originally designed with security in mind, and neither was the PSTN. They were both originally built to simply work. The security aspect was an afterthought and, as such, there has been a seemingly endless game of cat and mouse between network security engineers and vendors fixing vulnerabilities and blocking malicious hosts, versus hackers finding and exploiting more. With that in mind, one wonders why the various VoIP technologies available were not designed from birth with greater security in mind. Had the engineers who designed VoIP protocols sat down with security engineers at the drawing boards, it is likely there would be considerably fewer VoIP vulnerabilities now, and fewer to come in the future. VoIP vulnerabilities will increase due to the simple increased use of VoIP, more poorly written, buggy, and insecure code, user error, and the decreased use of POTS and the PSTN. They are being exploited now and will continue to be exploited in the future for various purposes, and by different people such as script kiddies that merely want to have fun, the elite hackers that do it for pride or financial benefit, or an enemy country's military for strategic advancement. For the home user implementing VoIP, there will be financial savings at the cost of a lower quality of service, less voice and data security, and the need to power your modem and router to make a call, specifically during a power outage. For the enterprise, there will be financial savings in terms of phone bill costs, the increased ability to have employees telework, and an increase in productivity, also at the cost of less data and voice security, compliance with state and federal regulations for the privacy of voice in the financial and medical fields, and higher security training budgetary costs to train employees to be less trustful of their VoIP phones.

IX.  References

APA Style:

1)  Endler, David (2007). Hacking exposed VoIP: Voice over IP security secrets & solutions. New York, NY: McGraw-Hill.

2)  Ramteke, T (2001). Networks: Second edition. New Jersey: Prentice-Hall, Inc.

3)  Unknown, (2003). VoIP Services - Broadband Phone Company Providers - VoIP Providers. Retrieved October 05, 2007, from VoIP 101 Web site: http://www.voipreview.org/101.aspx

4)  Gittlen, S (2006, February 13). How do the feds tap phone lines - Network World. Retrieved September 10, 2007, from How do the feds tap phone lines? Web site: http://www.networkworld.com/news/2006/021306-wiretap.html?page=1

5)  Performance Technologies, (2004). Signaling in Switched Circuit Networks. Retrieved November 1, 2007, from SS7/IP Interworking Tutorial - Signaling Web site: http://www.pt.com/tutorials/iptelephony/tutorial_voip_signaling.html

6)  Poulsen, K (2004, July 7). VoIP Hacks gut caller ID. Retrieved September 13, 2007, from Security Focus Web site: http://www.securityfocus.com/news/9061

7)  Sourceforge, (2005). Oreka. Retrieved November 10, 2007, from Oreka: Audio streams recording and retrieval Web site: http://oreka.sourceforge.net/

8)  Balaban, M (2004). What is VoIPong. Retrieved November 2, 2007, from VoIPong - Voice over IP (VOIP) Sniffer and call detector Web site: http://www.enderunix.org/voipong/index.php?sect=main =en

9)  Unknown, (2007, June). IANA Registration for IAX Enumservice. Retrieved October 21, 2007, from IETF Web site: http://www.ietf.org/internet-drafts/draft-guy-iax-03.txt - Work in progress.

10)  Jouanin, Y (2007, November 10). Asterisk manager API. Retrieved October 24, 2007, from Asterisk manager API - voip-info.org Web site: http://www.voip-info.org/wiki-Asterisk+manager+API

11)  Troy, D (2007, October 1). AstManProxy. Retrieved October 24, 2007, from voip-info.org Web site: http://www.voip-info.org/wiki/view/AstManProxy

12)  Thermos, Peter (2007, August 13). Threats in VoIP. Retrieved November 1, 2007, from Threats in VoIP Web site: http://www.enterpriseitplanet.com/security/features/article.php/3694056

13)  Schulzrinne, H (2003, July). RTP: A Transport Protocol for Real-Time Applications. Retrieved November 1, 2007, from RTP: A Transport Protocol for Real-Time Applications Web site: http://www.rfc-editor.org/rfc/rfc3550.txt

14)  Baugher, M (2004, March). The Secure Real-time Transport Protocol (SRTP). Retrieved November 2, 2007, from The Secure Real-time Transport Protocol (SRTP) Web site: http://www.ietf.org/rfc/rfc3711.txt

15)  Unknown, (2007). H.R. 251: Truth in Caller ID Act of 2007. Retrieved November 4, 2007, from Govtrack.us Web site: http://www.govtrack.us/congress/bill.xpd?tab=main&bill=h110-251

16)  Unknown, (2006, February 19). Uniden UIP1868P (VoIP Phone/Gateway) Default Password. Retrieved November 7, 2007, from SecuriTeam™ - Uniden UIP1868P (VoIP Phone/Gateway) Default Password Web site: http://www.securiteam.com/securitynews/5HP0E2KHPE.html

17)  Unknown, (2005). AOH :: Default Passwords. Retrieved November 6, 2007, from AOH :: Default Passwords for Avaya Web site: http://artofhacking.com/etc/passwd-avaya.htm

18)  jht2, (2007, November). NAT and VOIP. Retrieved November 7, 2007, from voip-info.org Web site: http://www.voip-info.org/wiki-NAT+and+VOIP

19)  Rosenberg, J (2003, March). STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs). Retrieved November 7, 2007, from STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) Web site: http://www.ietf.org/rfc/rfc3489.txt

20)  Rosenberg, J (2007, October). Interactive Connectivity Establishment (ICE): A Protocol for Network. Retrieved November 15, 2007, from Interactive Connectivity Establishment (ICE): A Protocol for Network Web site: http://tools.ietf.org/html/draft-ietf-mmusic-ice-19 - Work in progress.

21)  Unknown, (2005, November 9). Microsoft and Cisco Systems Announce Support for ICE Methodology to Deliver End-to-End Media Connections Across NATs. Retrieved November 16, 2007, from Microsoft Web site: http://www.microsoft.com/presspass/press/2005/nov05/11-09ICENATPR.mspx

22)  Messmer, E (2007). Black Hat probes hacker exploits. VoIP security holes, virtualization rootkits, and botnets are hot topics. Network World, 24, 12-13.

23)  Collier, M (2005, June 1). VoIP Vulnerabilities – Registration Hijacking. Retrieved November 15, 2007, from VoIP Vulnerabilities – Registration Hijacking Web site: http://download.securelogix.com/library/Registration_hijacking_060105.pdf

24)  Techfaq, (2006). What is MGCP?. Retrieved November 28, 2007, from What is MGCP? Web site: http://www.tech-faq.com/mgcp.shtml

25)  Sipera, (2006). SIP Trunk Security. Retrieved November 17, 2007, from Sipera - SIP Trunk Security Solutions Web site: http://www.sipera.com/index.php?action=solutions,apps_siptrunk

26)  Unknown/Cisco, (2006, September 21). Converting a Cisco 7940/7960 SCCP Phone to a SIP Phone and the Reverse Process. Retrieved November 11, 2007, from Converting a Cisco 7940/7960 SCCP Phone to a SIP Phone and the Reverse Process Web site: http://www.cisco.com/warp/public/788/voip/handset_to_sip.html

27)  Merdinger, S (2005, November 17). Vulnerability Summary CVE-2005-3722. Retrieved November 18, 2007, from Hitachi WirelessIP5000 IP Phone Multiple Vulnerabilities Web site: http://secunia.com/advisories/17628

28)  Unknown/qwerty1979, (2007, March 18). 0009313: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0). Retrieved December 1, 2007, from 0009313: Asterisk segfaults upon receipt of a certain SIP packet (SIP Response code 0) Web site: http://bugs.digium.com/view.php?id=9313

29)  Abdelnur, H (2007, March 19). Asterisk SIP Invite Message Remote Denial of Service Vulnerability. Retrieved November 21, 2007, from Asterisk SIP Invite Message Remote Denial of Service Vulnerability Web site: http://www.securityfocus.com/bid/23031/info

30)  Grandstream, (2005). Budgetone-100 series User Manual. Retrieved November 28, 2007, from Budgetone-100 series User Manual Web site: www.grandstream.com/user_manuals/budgetone100.pdf

31)  Parizo, E (2005, September 12). VoIP turns up the heat on firewalls. Retrieved December 1, 2007, from VoIP turns up the heat on firewalls Web site: http://searchvoip.techtarget.com/originalContent/0,289142,sid66_gci1123877,00.html

32)  Hoover, J (2006, June 8). VoIP Security Alert: Hackers Start Attacking For Cash. Retrieved December 2, 2007, from VoIP Security Alert: Hackers Start Attacking For Cash Web site: http://www.informationweek.com/showArticle.jhtml?articleID=188702963

33)  Materna, B (2007, October 23). A practical guide to locking down VoIP. RSA Conference Europe. Retrieved December 3, 2007, from http://www.voipshield.com/news/recent-press-coverage.html

34)  Brooks, M (2007, March 1). Scam to steal personal information shows bank on caller ID. Retrieved December 2, 2007, from News Tribune Web site: http://www.newstribune.com/articles/2007/03/01/news_local/305local02cbscam.txt

35)  Jonkman, M (2005, December 16). security.ids.snort.sigs. Retrieved November 9, 2007, from security.ids.snort.sigs Web site: http://osdir.com/ml/security.ids.snort.sigs/2004-12/msg00099.html

36)  Tung, L (2007, August 20). Storm worm botnet threatens national security?. Retrieved December 3, 2007, from Storm worm botnet threatens national security? Web site: http://www.zdnet.com.au/news/security/soa/Storm-worm-botnet-threatens-national-security-/0,130061744,339281305,00.htm

37)  York, D (2007, May 21). VoIP/IP Telephony in Estonia: Disrupted by Botnets?. Retrieved December 3, 2007, from VoIP/IP Telephony in Estonia: Disrupted by Botnets? Web site: http://www.circleid.com/posts/voip_ip_telephony_estonia_botnets/

38)  Moldenauer, J (2007, August 21). Resource Exhaustion vulnerability in SIP channel driver. Retrieved December 3, 2007, from Asterisk Project Security Advisory - AST-2007-020 Web site: http://downloads.digium.com/pub/asa/AST-2007-020.html

39)  Martinelli, J (2007, June 5). Vonage VoIP Telephone Adapter Default Misconfiguration. Retrieved December 2, 2007, from Vonage VoIP Telephone Adapter Default Misconfiguration Web site: http://www.securityfocus.com/archive/1/archive/1/470443/100/0/threaded

40)  Berson, T (2005, October 18). Skype Security Evaluation. Retrieved November 21, 2007, from Skype Security Evaluation Web site: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf

41)  Gennari, J (2006, May 16). RealVNC Server does not validate client authentication method. Retrieved December 2, 2007, from Vulnerability Note VU#117929 Web site: http://www.kb.cert.org/vuls/id/117929

42)  Mier, E (2006, Mar 01). Cisco CallManager 5.0: Solidly SIP. Retrieved December 2, 2007, from Cisco CallManager 5.0: Solidly SIP Web site: http://www.bcr.com/equipment/product_reviews/cisco_callmanager_5.0:_solidly_sip_20060301987.htm

43)  Cisco, (2005). Installing Cisco Security Agent for Cisco CallManager. Retrieved November 22, 2007, from Installing Cisco Security Agent for Cisco CallManager Web site: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/csa_token_ids/csa_ccmg.html#wp49143

44)  Cisco, (2005). Voice Security. Retrieved November 25, 2007, from Cisco Unified Communications SRND Based on Cisco Unified Communications Manager 5.x Web site: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008063742b.html#wp1046685

45)  Lewis, M (2006). Telephony Protocols. Retrieved December 8, 2007, from CCIE Voice Exam Quick Reference Sheets Web site: www.ciscopress.com/content/images/9781587053337/excerpts/1587053330_Excerpt.pdf

46)  IBM ISS, (2007, July 11). Cisco CallManager CTLProvider.exe Remote Code Execution. Retrieved November 26, 2007, from Cisco CallManager CTLProvider.exe Remote Code Execution Web site: http://www.iss.net/threats/270.html

47)  US-CERT/NIST, (2007, August 21). Vulnerability Summary CVE-2007-4459. Retrieved December 1, 2007, from Vulnerability Summary CVE-2007-4459 Web site: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4459

48)  Cisco, (2006, July 12). Cisco Security Advisory: Multiple Cisco Unified CallManager Vulnerabilities. Retrieved December 2, 2007, from Cisco Security Advisory: Multiple Cisco Unified CallManager Vulnerabilities Web site: http://www.cisco.com/warp/public/707/cisco-sa-20060712-cucm.shtml

49)  Skype, (2006). Skype and firewalls. Retrieved December 1, 2007, from Skype and firewalls Web site: http://www.skype.com/help/guides/firewalls/technical.html

50)  Secunia, (2007, December 7). Skype skype4com URI Handler Buffer Overflow. Retrieved December 7, 2007, from Skype skype4com URI Handler Buffer Overflow Web site: http://secunia.com/advisories/27934/

51)  Network Security Archive, (2005, April 20). Network Security Archive. Retrieved November 15, 2007, from Network Security Archive Web site: http://www.networksecurityarchive.org/html/Snort-Signatures/2005-04/msg00059.html

52)  Skype, (2007, September 10). On the worm that affects Skype for Windows users. Retrieved December 1, 2007, from On the worm that affects Skype for Windows users Web site: http://heartbeat.skype.com/2007/09/the_worm_that_affects_skype_fo.html

53)  Kiernan, S (2007, September 10). W32.Pykspa.D. Retrieved December 1, 2007, from W32.Pykspa.D Web site: http://www.symantec.com/security_response/writeup.jsp?docid=2007-091011-2911-99&tabid=2

X.   Appendix

1)  “Consider the following private key and certificate pair assigned to 'atlanta.example.com' (rendered in OpenSSL format).

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDPPMBtHVoPkXV+Z6jq1LsgfTELVWpy2BVUffJMPH06LL0cJSQO
aIeVzIojzWtpauB7IylZKlAjB5f429tRuoUiedCwMLKblWAqZt6eHWpCNZJ7lONc
IEwnmh2nAccKk83Lp/VH3tgAS/43DQoX2sndnYh+g8522Pzwg7EGWspzzwIDAQAB
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIC3TCCAkagAwIBAgIBADANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCR0ExEDAOBgNVBAcMB0F0bGFudGExDTALBgNVBAoMBElFVEYxHDAa
BgNVBAMME2F0bGFudGEuZXhhbXBsZS5jb20wHhcNMDUxMDI0MDYzNjA2WhcNMDYx
-----END CERTIFICATE-----

A user of atlanta.example.com, Alice, wants to send an INVITE to bob@biloxi.example.org. She therefore creates the following INVITE request, which she forwards to the atlanta.example.org proxy server that instantiates the authentication service role:

INVITE sip:bob@biloxi.example.org SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.example.org>
From: Alice <sip:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Date: Thu, 21 Feb 2002 13:02:03 GMT
Contact: <sip:alice@pc33.atlanta.example.com>
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000

When the authentication service receives the INVITE, it authenticates Alice by sending a 407 response. As a result, Alice adds an Authorization header to her request, and resends to the atlanta.example.com authentication service. Now that the service is sure of Alice's identity, it calculates an Identity header for the request. The canonical string over which the identity signature will be generated is the following (note that the first line wraps because of RFC editorial conventions):

sip:alice@atlanta.example.com|sip:bob@biloxi.example.org|
a84b4c76e66710|314159 INVITE|Thu, 21 Feb 2002 13:02:03 GMT|
sip:alice@pc33.atlanta.example.com|v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000

The resulting signature (sha1WithRsaEncryption) using the private RSA key given above, with base64 encoding, is the following:

ZYNBbHC00VMZr2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAa
ifsRdiOPoQZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49thyGn
FVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U=

Accordingly, the atlanta.example.com authentication service will create an Identity header containing that base64 signature string (175 bytes). It will also add an HTTPS URL where its certificate is made available. With those two headers added, the message looks like the following:

INVITE sip:bob@biloxi.example.org SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.example.org>
From: Alice <sip:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Date: Thu, 21 Feb 2002 13:02:03 GMT
Contact: <sip:alice@pc33.atlanta.example.com>
Identity:
"ZYNBbHC00VMZr2kZt6VmCvPonWJMGvQTBDqghoWeLxJfzB2a1pxAr3VgrB0SsSAa
ifsRdiOPoQZYOy2wrVghuhcsMbHWUSFxI6p6q5TOQXHMmz6uEo3svJsSH49thyGn
FVcnyaZ++yRlBYYQTLqWzJ+KVhPKbfU/pryhVn9Yc6U="
Identity-Info: <https://atlanta.example.com/atlanta.cer>;alg=rsa-sha1
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000

atlanta.example.com then forwards the request normally. When Bob receives the request, if he does not already know the certificate of atlanta.example.com, he dereferences the URL in the Identity-Info header to acquire the certificate. Bob then generates the same canonical string given above, from the same headers of the SIP request. Using this canonical string, the signed digest in the Identity header, and the certificate discovered by dereferencing the Identity-Info header, Bob can verify that the given set of headers and the message body have not been modified.” (Peterson, Jennings, 2006).
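The 7940/7960 proof of concept earlier in this section and the RFC 4474 example in this appendix are both about what a SIP element checks before it acts on a request. The following added example (my code, not the paper's, the advisory's or the RFC's) parses a SIP request, applies the RFC 3261 checks that reject the malformed INVITE the CVE text describes (a To tag on an out-of-dialog INVITE, a missing Max-Forwards, a Via branch without the magic cookie, a Content-Length that disagrees with the body), and builds the RFC 4474 canonical string from Alice's INVITE above; the RSA-SHA1 signature and its verification are computed over that returned string with the atlanta.example.com key and are outside this block. The probe message, the target 192.0.2.10 and the dialled user 1000 are constructed.

```python
import re

REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 s. 8.1.1
MAGIC_COOKIE = "z9hG4bK"  # every RFC 3261 Via branch parameter starts with this

def parse_sip(raw: str):
    """Split a SIP request into (method, request-uri, version, headers, body); headers
    maps lower-cased names to the list of values seen, so duplicates stay visible."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)  # ValueError unless exactly 3 parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"header line without a colon: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, version, headers, body

def validate_request(raw: str) -> list:
    """Return the reasons to reject a request before acting on it; [] means it passed."""
    try:
        method, _uri, version, headers, body = parse_sip(raw)
    except ValueError as exc:
        return [f"unparseable request: {exc}"]
    problems = []
    if version != "SIP/2.0":
        problems.append(f"unexpected version {version!r}")
    problems += [f"missing {h}" for h in REQUIRED_HEADERS if h not in headers]
    problems += [f"duplicate {h}" for h in ("from", "to", "call-id", "cseq")
                 if len(headers.get(h, [])) > 1]
    cseq = headers.get("cseq", [""])[0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        problems.append("CSeq is not '<number> <request method>'")
    # An initial INVITE carries no remote tag yet: a To tag on one is the
    # "invalid SIP INVITE message that contains a remote tag" of the CVE text.
    if method == "INVITE" and re.search(r";\s*tag=", headers.get("to", [""])[0]):
        problems.append("To tag present on an out-of-dialog INVITE")
    if MAGIC_COOKIE not in headers.get("via", [""])[0]:
        problems.append("Via branch missing or lacks the RFC 3261 magic cookie")
    declared = headers.get("content-length", [None])[0]
    if declared is not None and (not declared.isdigit() or int(declared) != len(body.encode())):
        problems.append("Content-Length does not match the body")
    return problems

def addr_spec(value: str) -> str:
    """Bare URI of a From/To/Contact value: drop display name, <>, and parameters."""
    m = re.search(r"<([^>]*)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def identity_digest_string(raw: str) -> str:
    """RFC 4474 s. 9 string the authentication service signs:
    From addr-spec|To addr-spec|Call-ID|CSeq|Date|Contact addr-spec|body."""
    _, _, _, headers, body = parse_sip(raw)
    first = {name: values[0] for name, values in headers.items()}
    cseq = " ".join(first["cseq"].split())  # one space between number and method
    return "|".join([addr_spec(first["from"]), addr_spec(first["to"]), first["call-id"],
                     cseq, first["date"], addr_spec(first.get("contact", "")), body])

# Constructed after the shape of the proof-of-concept INVITE quoted earlier;
# 192.0.2.10 stands in for the phone and 1000 for the dialled user.
PROBE_INVITE = (
    "INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\r\n"
    "From: <sip:gasparin@192.168.1.2>;tag=00\r\n"
    "To: <sip:1000@192.0.2.10>;tag=00\r\n"
    "Call-ID: et@192.168.1.2\r\n"
    "CSeq: 10 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Alice's INVITE from the appendix (RFC 4474 example); Content-Length is
# computed from the body rather than copied so the length check is exact.
SDP = (
    "v=0\r\n"
    "o=UserA 2890844526 2890844526 IN IP4 pc33.atlanta.example.com\r\n"
    "s=Session SDP\r\n"
    "c=IN IP4 pc33.atlanta.example.com\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
ALICE_INVITE = (
    "INVITE sip:bob@biloxi.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8\r\n"
    "To: Bob <sip:bob@biloxi.example.org>\r\n"
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Date: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@pc33.atlanta.example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n\r\n" + SDP
)

if __name__ == "__main__":
    print("probe:", validate_request(PROBE_INVITE))
    print("alice:", validate_request(ALICE_INVITE))
    print(identity_digest_string(ALICE_INVITE))
```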

Page 125: Voip Security Vulnerabilities 2036

8/22/2019 Voip Security Vulnerabilities 2036

http://slidepdf.com/reader/full/voip-security-vulnerabilities-2036 125/127

VoI P Secur i t y Vul ner abi l i t i es

Davi d Per sky 124

XI. Image Figures

1) Law enforcement wire tapping.
2) Legitimate bank caller id spoofing.
3) Various VoIP SOHO solutions.
4) RSA VoIP threat categories.
5) VoIP and data VLAN separation.
6) Unicast call scenario.
7) Multicast one-to-few call scenario.
8) Multicast many-to-many call scenario.
9) Cisco VoIP information found on specific organizations.
10) Cisco VoIP phone web server network configuration I.
11) Cisco VoIP phone web server network configuration II.
12) NMAP of VoIP phone with open/running web server found.
13) Polycom VoIP phone with open/running web server found.
14) Netcat scans performed against Cisco VoIP phone.
15) Separation of RTP and SIP functionality.
16) Cleartext RTP eavesdropping/injection/fuzzing.
17) IAX bandwidth savings/consolidation.
18) SIP infrastructure elements.
19) SIP INVITE call setup.
20) SIP REGISTER hijacking.
21) Sipera SIP trunk security solution.
22) NMAP scan of SIP Proxy.
23) SIP Proxy server in B2BUA mode proxying RTP traffic.
24) SIP Rogue proxy within VoIP network.
25) BS-102 VoIP phone ICMP pings.
26) BS-102 VoIP phone NMAP scans.
27) VoIP test network diagram.
28) BS-102 VoIP phone NMAP Wireshark packet capture.
29) BS-102 VoIP phone web server GUI (Administrator).


30) BS-102 VoIP phone web server GUI (User).
31) 3CX SIP Proxy server GUI.
32) BS-102 VoIP RTP bidirectional RTP streams.
33) BS-102 VoIP RTP stream analysis.
34) BS-102 VoIP RTP sessions call packet capture.
35) Skype call packet capture.
36) SkypeKiller GUI.
37) SkypeKiller CLI.
38) Snort Skype SIDs.
39) SCCP call setup messages exchange.
40) SCCP Wireshark session setup packet capture.
41) Cisco Callmanager logon screen.
42) Cisco VoIP - separate VoIP and data port.
43) Cisco VoIP phone stopping VLAN jumping.
