Thursday, August 30, 2007

VoIP security related blogs

Was checking out VOIPSA's blog and noticed that they mention a few blogs of interest which reminds me...

I've been asked to name VoIP security related material that one should check out, so here goes my list:
Will be adding more later on

Friday, August 24, 2007

How to turn a Grandstream SIP phone into a remote bug

The "Institut National de Recherche en Informatique" has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - specially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discretely listen on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects "some SIP stack engines". The trick is to send a "183 Session Progress" SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with a example code in perl.

Meanwhile, all this wouldn't have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. Least that I can say is that this is very cool stuff.

Updates to SIPVicious tools

In the past two days I've been busy working on updates for SIPVicious tools:
  • Scanning a large number of hosts does not take long for to start anymore
  • Fixed a few bugs / unhandled exceptions
  • we're doing 160 hosts per second now :)
  • updated user documentation for svmap
  • added some switches to svmap:
    • Verbose. The mode you add of these, the more debug information you get. -vvv for ub3r super debug info.
    • Binding ip -b. This allows you to specify an IP address to bind to. By default it binds to all IP addresses.
    • External IP -x. Allows you to specify your external IP address. Use this when you're behind NAT and / or have multiple network interfaces on the host.
Currently SIPVicious tools only support UDP. I hope to integrate TCP and TLS later on though not too soon. Any feedback is welcome. If you want to take a look .. look no further than the svn repository ;-)

Wednesday, August 22, 2007

Cisco IP Phone 7940 exploits

Is it just me, or is public exploit code for SIP devices and SIP software appearing more often? Published on milw0rm - two perl scripts which launch a DoS attack [1][2] on Cisco IP Phone 7940. The advisories[1][2] can be found on full disclosure.

These vulnerabilities seem to be related to sequence of certain SIP requests being sent to the IP phone. So how were these vulnerabilities found? The researchers were making use of their own fuzzer called Madynes VoIP fuzzer KIPH, which supports "state tracking".

Wednesday, August 8, 2007

SIP softphone buffer overflow demo

Someone was showing off a 0day exploit at Black Hat. The article is a bit sketchy and feels sensational, but it does show that various parties are concerned. Just like most other pieces of software, softphones will (and do) have security vulnerabilities lead to remote access.

Article can be found here.

Hardphones, on the other hand, are secure.. right? :-p

Friday, August 3, 2007

Interview with a VoIP hacker

Telecom Junkies published an interview with Robert Moore, who has been convicted of VoIP hacking / fraud. In the interview, Moore explains that they used easily guessable passwords as well as default ones to get free VoIP service. The VoIP-based attacks targeted H.323 not SIP. Similar attacks to ones described in the interview can be launched on SIP based PBXs by making use of svmap, svwar and svcrack.

Moral of the story: audit your PBX now before someone else does ;-)

References: