how (not) to get your ex back

Just uploaded a short story showing how an unsolicited user can phone up a victim by knowing (or finding out) IP and port of the victim's VoIP phone. This story ties in with what we've been discussing in previous blog post.

You may check out the story here.

SIPVicious 0.2 released

After much bug fixing and feature creeping ... we announce SIPVicious tool suite 0.2!

Tarball download
Zip file download

Notable features include:

• Session support which allows you to resume previous scans as well as store the results in database format
• Exporting of previous results to various formats: pdf, xml (html), csv and plain text
• Easy updating by making use of subversion (svn update)
• Better UI, more intuitive help, clean output and more debug info when needed
• And my favorite feature: random scanning techniques

I also uploaded a screencast and tutorial on how to use SIPVicious tools to crack an extension on an Asterisk box here. Enjoy

Microsoft VoIP As You Are

I just saw Microsoft (relavitely) new VoIP ad compaign called "VoIP As You Are". The ads on the MS site are cute, showing two old PBXs having a chat. Apparently you get a different ad every time you click.. so keep clicking ;-)

So what this implies is that Microsoft is taking into account that the bigger companies will find it hard to switch to VoIP if they have to ditch their old system and start a new page. It also means that old vulnerabilities in PBX servers will probably be exposed to the less friendly networks (such as the Internet).

Security Analysis of Voice-over-IP Protocols

This paper talks about the state of security or lack of of the VoIP protocols. It talks a lot about encryption and introduces some attacks in that area. Of interest:

• replay attack on SDES key exchange causing SRTP to use the same keystream in multiple sessions. This means that the attacker removes encryption from SRTP-protected data streams.
• An attack on ZRTP involving unauthenticated uesr IDs. This allows bypassing / disabling of authentication or a DoS attack.
• A security issue related to randomness in MIKEY

How to turn a Grandstream SIP phone into a remote bug

The "Institut National de Recherche en Informatique" has done it again. They released details of their research regarding the Grandstream GXV-3000 SIP phone - specially on a bug that allows one to crash the phone, and set it off the hook without ringing. This last exploit effectively turns such phones into a spying device, allowing crooks and other evil entities to discretely listen on conversations in a room where the phone is installed.

Apparently, it is not just these Grandstream devices that are vulnerable to the same attack, but it affects "some SIP stack engines". The trick is to send a "183 Session Progress" SIP message to the phone following an INVITE request, which in turn makes it go all fuzzy and start sending RTP packets to the attacker. The full-disclosure post further illustrates this with a example code in perl.

Meanwhile, all this wouldn't have been possible for the Institute without using their SIP stateful fuzzer. The paper presenting this project can be found here. Least that I can say is that this is very cool stuff.

Cisco IP Phone 7940 exploits

Is it just me, or is public exploit code for SIP devices and SIP software appearing more often? Published on milw0rm - two perl scripts which launch a DoS attack [1][2] on Cisco IP Phone 7940. The advisories[1][2] can be found on full disclosure.

These vulnerabilities seem to be related to sequence of certain SIP requests being sent to the IP phone. So how were these vulnerabilities found? The researchers were making use of their own fuzzer called Madynes VoIP fuzzer KIPH, which supports "state tracking".