[VOIPSEC] VoIP-Phones: Weakness in proccessing

Christopher A. Martin chris at infravast.com
Fri Jul 22 09:04:45 CDT 2005


Another facet to consider is attack patterns, e.g., what led up to the
actual attack against VoIP (port scanning, failed SIP/323 authentication
attempts, SMTP user enumeration, DNS info gathering, SSH scanning, spam,
etc.).

One attack may be a precursor to a VoIP attack.

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Ari Takanen
Sent: 07/21/2005 7:04 PM
To: Geoff Devine
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in proccessing

Geoff,

Sorry I could not respond to your comment earlier. You said that all
permutations are impossible to test, which is of course true, but we
have to try. Both robustness tests and fuzzers are attempting to cover
all these unexpected inputs. Fuzzers are typically semi-random,
whereas robustness tests are more advanced, systematic and "smart".

One can start with the free robustness testing techniques introduced
by PROTOS in their SIP and H.323 test-suites. I hope all vendors are
using them by now. PROTOS provides the minimum baseline for
robustness. Also, that PROTOS research shows that it is not only ASCII
protocols that have these problems. Actually, many binary protocols
described in ASN.1 have much more serious problems due to the freedom
of being able to describe just about any type of structure with it.

PROTOS tests in SIP have been continued in our company, and
Codenomicon SIP Test Tool is constantly increasing the test coverage
in SIP. From the 4500 PROTOS tests, we are already beyond 100,000 test
cases for SIP. But the number of test cases is not important; it is
the coverage of the tools. You can have millions of redundant fuzzing
test cases and still not reach even the coverage of PROTOS.

It is good to finally notice that people looking for security flaws in
SIP are going beyond the robustness testing coverage of PROTOS! It has
been quite quiet after the release of the PROTOS test-suite by CERT/CC.
There is lots of work quietly being done in the commercial companies
though. For example, our company is working with our commercial
customers to fix these issues without disclosing any of the found
flaws publicly. Nobody wants public attention to SIP weaknesses, and
it is in nobody's interest for the exploits to start spreading in the VoIP
scene (except perhaps that might be the interest of the hackers).

There is nothing new or special in this bug, it is just a quality
assurance flaw that should have been tested away.

/Ari

PS: Update your SIP phone regularly!

On Fri, Jul 08, 2005 at 09:01:10AM -0400, Geoff Devine wrote:
> I'd point out that this kind of problem is the most glaring security
> weakness with SIP.  As a completely unstructured text-based
> protocol, you can't possibly test all permutations of SIP messages.

