[VOIPSEC] VoIP vulnerabilities summarization

sukery sukerry at 126.com
Wed Dec 14 21:22:39 CST 2005


Hi Janne,
I recommend several tools for SIP testing: PROTOS (SIP test suite), sipp, sivus.

>Hi Sunkey,
>
>Thanks for your comments.
>
>Please let me know if you can disclose more about your system, we are
>looking for systems like this for our internal testing.
>
>/Janne
>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>> Behalf Of sukery
>> Sent: Wednesday, December 14, 2005 1:41 PM
>> To: Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] VoIP vulnerabilities summarization
>> 
>> 
>> Hi Janne:
>> 	Thank you for your comment, I totally agree with what you said.
>> 	I am a graduate student; our project is focused on VoIP
>> security. We first study the vulnerabilities of VoIP-related
>> protocols (especially SIP), then define some attack scenarios according to
>> these vulnerabilities we discovered and realize all these attacks, and
>> finally we test our attack system on real VoIP networks (supplied by an
>> internationally famous VoIP manufacturer). The attacks include:
>> 	exception-packet attack against server
>> 	DoS attack against server
>> 	disturbance call attack against endpoints
>> 	pseudo call attack against endpoints
>> 	call leaflet attack against endpoints
>> 	SIP password crack
>> 	voice eavesdropping (and maybe voice replacement and voice
>> 	disturbance)
>> 	voice broadcast & call leaflet attack against PSTN
>> 	terminals (via VoIP gateway)
>> 	and maybe more
>> 
>> 	I am very, very sorry to say that due to the confidentiality of
>> this project, I cannot make our attack system public yet. That is the
>> intention of the sponsor of this project.
>> 	Anyway, I would like to discuss with you as much as possible :)
>> 
>> 
>> >Hi Sukery,
>> >
>> >I think you made a good summarization of the vulnerabilities and I agree
>> >with what you say.
>> >
>> >But I think several of the problems you mention can be solved by using
>> >TLS to protect the signalling and SRTP to protect the media as described
>> >in existing standards and drafts. These technologies may not be widely
>> >spread among existing implementations but they exist and your list
>> >provides some good reasons that may motivate others to follow.
>> >
>> >I'm also interested in what tool you used.
>> >
>> >Cheers
>> >/Janne
>> >
>> >> 2. SIP reuses the authentication mechanism from the HTTP protocol; in fact HTTP
>> >> authentication is totally imperfect when applied to the SIP protocol, for that
>> >> it is a single-direction authentication, which means that only the server
>> >> authenticates the endpoints, the endpoints do not authenticate the
>> >> server. This situation makes it easy to deceive endpoints because they do
>> >> not authenticate any entity in the network. Pseudo call (call someone with
>> >> a false user id) and server impersonation are dangerous attacks due to this
>> >> vulnerability.
>> >>
>> >> 3. SIP communication is based on message transactions; however the SIP
>> >> transaction mechanism is quite complicated. For example, when a stateful
>> >> proxy server receives a SIP request message, it first computes the
>> >> transaction ID for this message. If the transaction ID did not exist
>> >> before, this request message is regarded as a new message, and the server
>> >> will do a lot of things for this new message: save this message, create a
>> >> finite state machine for this message, construct a provisional response
>> >> message and send it back, save this response message, update the finite
>> >> state machine, decide the next hop of this request message based on the
>> >> complex routing rules, transfer the request message, create one or more
>> >> client transactions for the request message... These steps surely consume
>> >> lots of CPU and memory resources. As a result, the server is susceptible
>> >> to DoS attacks when a hacker continually sends large quantities of SIP
>> >> request messages with different Call-IDs.
>> >>
>> >> 4. Unencrypted media streams such as RTP data are easy to wiretap.
>> >>
>> >> 5. Almost all VoIP software has some code flaws; in this case, even a
>> >> malicious packet may bring down the server. We call this packet an exception
>> >> packet; in fact we have found exception packets against both SIP servers
>> >> and H.323 servers.
>> >>
>> >> 6. VoIP endpoints are much more intellectualized than traditional PSTN
>> >> terminals; however, when this capability is abused, a lot of malicious
>> >> network attacks appear:
>> >>      disturbance call
>> >>      call leaflet
>> >>      voice broadcast
>> >>      and more...
>> >>
>> >>
>> >> >Chris
>> >> >
>> >> >I'm pretty heavily involved in SIP standards development, and have been
>> >> >for some time.  I talk regularly with the kind of folks that I think would
>> >> >know if their stuff had been "hit".  I know about plenty of attacks on the
>> >> >underlying infrastructure, including the platform attacks.  I have NEVER
>> >> >heard even a whisper of an actual attack on VoIP equipment that used
>> >> >exploits specifically related to SIP (which I don't think is substantially
>> >> >better or worse than other VoIP protocols).
>> >> >_______________________________________________
>> >> >Voipsec mailing list
>> >> >Voipsec at voipsa.org
>> >> >http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>> >>
>> >>
>> >>
>> 
>> 
>> 
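The Call-ID flood against a stateful proxy described in point 3 of the thread, and the malformed "exception" packets of point 5, are both things a defender can watch for before a request reaches the transaction layer. The following is an added example written for this edit; it is not code from any of the posters, from their test system, or from the tools mentioned above. The sample INVITEs, addresses, thresholds, class and function names are constructed for the example. It parses SIP requests strictly (rejecting structurally defective messages so no state is created for them), derives the RFC 3261 server-transaction key from the top Via branch, and flags a source that opens more than a set number of new Call-IDs within a time window while ignoring retransmissions of a Call-ID already seen, since those are the cheap case the thread contrasts with fresh transactions.

```python
"""Added example (not from the thread): strict SIP request parsing plus a
rate-based detector for sources that open many new Call-IDs per second.
All sample messages, addresses and thresholds below are constructed."""
import re
from collections import defaultdict, deque

# Assumed for this example: the request methods and mandatory headers we check.
REQUEST_LINE = re.compile(
    r"^(INVITE|REGISTER|OPTIONS|BYE|ACK|CANCEL) (sip:\S+) SIP/2\.0$")
MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq")


def parse_request(raw: str) -> dict:
    """Parse a SIP request; raise ValueError on structural defects so that a
    malformed packet is dropped before any transaction state exists for it."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers.setdefault(name.strip(), value.strip())  # keep first occurrence
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}


def transaction_key(req: dict) -> tuple:
    """Server-transaction match per RFC 3261 section 17.2.3 for magic-cookie
    branches: (top Via branch, sent-by, method), with ACK/CANCEL matching
    the INVITE transaction they belong to."""
    via = req["headers"]["Via"]
    sent_by = via.split(";")[0].split()[-1]          # e.g. '10.0.0.5:5060'
    branch = next((p.split("=", 1)[1] for p in via.split(";")[1:]
                   if p.strip().startswith("branch=")), None)
    if branch is None or not branch.startswith("z9hG4bK"):
        raise ValueError("non-RFC3261 Via branch")
    method = "INVITE" if req["method"] in ("ACK", "CANCEL") else req["method"]
    return (branch, sent_by, method)


class NewDialogRateDetector:
    """Flag a source that opens more than `limit` new Call-IDs in `window`
    seconds. Retransmissions (Call-ID already seen) are not counted; the
    unbounded seen-set is a simplification for the example."""

    def __init__(self, limit: int = 20, window: float = 1.0):
        self.limit, self.window = limit, window
        self.seen_callids = set()
        self.events = defaultdict(deque)  # source -> timestamps of new Call-IDs

    def observe(self, source: str, req: dict, now: float) -> bool:
        callid = req["headers"]["Call-ID"]
        if callid in self.seen_callids:
            return False
        self.seen_callids.add(callid)
        q = self.events[source]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def make_request(callid: str, branch: str, method: str = "INVITE",
                 src: str = "10.0.0.5") -> str:
    """Constructed sample request used only to drive the demo and tests."""
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src}:5060;branch={branch}\r\n"
            "From: <sip:alice@example.com>;tag=1\r\n"
            "To: <sip:bob@example.com>\r\n"
            f"Call-ID: {callid}\r\n"
            f"CSeq: 1 {method}\r\n"
            "Content-Length: 0\r\n\r\n")


def run_demo() -> dict:
    det = NewDialogRateDetector(limit=5, window=1.0)
    alerts = []
    # Eight INVITEs with fresh Call-IDs inside 0.8 s from one source.
    for i in range(8):
        req = parse_request(make_request(f"c{i}@10.0.0.5", f"z9hG4bK-{i}"))
        if det.observe("10.0.0.5", req, now=0.1 * i):
            alerts.append(i)
    # A retransmission of the first INVITE is cheap for the proxy and not counted.
    rtx = parse_request(make_request("c0@10.0.0.5", "z9hG4bK-0"))
    rtx_alert = det.observe("10.0.0.5", rtx, now=0.9)
    # A header line without a colon is rejected before any state is created.
    try:
        parse_request("INVITE sip:bob@example.com SIP/2.0\r\nVia SIP/2.0/UDP x\r\n\r\n")
        rejected = False
    except ValueError:
        rejected = True
    return {"alerts": alerts, "rtx_alert": rtx_alert, "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The detector keys on new Call-IDs rather than raw packet rate because, as the thread notes, a retransmitted or in-dialog message is matched to existing transaction state and costs little, whereas each fresh Call-ID forces the proxy through the whole create-state-and-forward path; a real deployment would also age out `seen_callids` and apply the limit per source network rather than per single address.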






