Home page logo

pen-test logo Penetration Testing mailing list archives

Re: New article on SecurityFocus: Two attacks against VOIP
From: Tobias Glemser <tglemser () tele-consulting com>
Date: Thu, 06 Apr 2006 11:08:48 +0200

Oh my ..

1. Hijack a user's VoIP Subscription
As to be seen on beginning of page 2 the author describes an attack on a SIP Proxy without user authentication! "This attack can be successful even if the remote SIP proxy server requires authentication of user registration, because the SIP messages are transmitted in the clear and can be captured, modified and replayed."

This is also false if we discuss an actual SIP-Proxy implementation.
E. g. a standard asterisk SIP-Proxy will always reply with a "SIP/2.0 401 Unauthorized", also submitting a digest and a realm value. The client then has to authenticate using a response value which is normally a MD5 Hash consisting of Username, Password, nonce, HTTP Request Method and Request URI.

This prevents the describend attacks.

2. Eavesdropping
Right, in a switched network environment the attack is easy as described.

BUT: Any other service using IP is also "vulnerable"! This is NOT a VoIP-Problem in the first row if ARP-Poisoning is possible. This is a problem of your LAN-implementation.

If I would have a choice between sniffing IP Traffic between CIO and File-Server using SMB or CEO and his/her secretary using RTP, I definitely would choose SMB-Traffic.

Use a "state of the art" SIP-Proxy implementation using authentication (of course you already have one), secure your LAN-environment e.g. using VLANs to seperate, 802.1x to authenticate and so on. This is sth. we're preaching since years.



Tobias Glemser

##### ###  tglemser () tele-consulting com         +49 (0)7032/97580  (fon)
  #  #     www.tele-consulting.com              +49 (0)7032/74750  (fax)
  #  #
  #   ###  Tele-Consulting   security  |  networking  |  training  GmbH
                 Siedlerstrasse 22-24, 71126 Gaeufelden, Germany

Erin Carroll wrote on 06.04.2006 07:47:
The following Infocus article was published on SecurityFocus recently:

Two attacks against VoIP
By Peter Thermos

This purpose of this article is to discuss two of the most well known
attacks that can be carried out in current VoIP deployments. The first
attack demonstrates the ability to hijack a user's VoIP Subscription and
subsequent communications. The second attack looks at the ability to
eavesdrop in to VoIP communications.


Also note: We enjoy publishing article submissions from the community. For submission guidelines and contact information please see

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]