[VOIPSEC] AST-2009-001: Information leak in IAX2 authentication
Dustin D. Trammell
dtrammell at breakingpoint.com
Fri Jan 9 13:03:32 CST 2009
On Thu, 2009-01-08 at 13:28 -0600, Asterisk Security Team wrote:
> +------------------------------------------------------------------------+
> | Description | IAX2 provides a different response during authentication |
> |             | when a user does not exist, as compared to when the      |
> |             | password is merely wrong. This allows an attacker to     |
> |             | scan a host to find specific users on which to           |
> |             | concentrate password cracking attempts.                  |
Hrm... I thought this had been fixed back when I originally reported it
in 2006 shortly after I developed the enumIAX tool[1] for Endler &
Collier's Hacking VoIP Exposed book and disclosed the vulnerability at
ToorCon 8[2]. The sole purpose of enumIAX was to demonstrate this
particular enumeration attack, differentiating between existing users,
existing users with no password, and non-existing users. Was this a
regression or was the bug never originally fixed?
[1] http://sourceforge.net/projects/enumiax/
[2] http://www.dustintrammell.com/presentations/VoIP-Attacks-ToorCon-8/img46.html
--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
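
The three account classes named in the message above (existing users, existing users with no password, non-existing users), as an added example that is not part of the original message or of Asterisk's code: a toy challenge-response server with a first reply that reveals the account class beside one that does not. The reply names (`CHALLENGE`, `ACCEPT`, `REJECT`), the sample accounts and the MD5-over-challenge-plus-password scheme are assumptions of this simplified model.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: name -> password ("" means no password set).
USERS = {"alice": "s3cret", "guest": ""}
SERVER_KEY = os.urandom(32)  # keys the decoy secret used for unknown names


def md5_response(challenge: str, password: str) -> str:
    """Client-side answer in this toy scheme: MD5(challenge + password)."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def leaky_first_reply(username: str) -> str:
    """Weak form: the first reply differs per account class."""
    if username not in USERS:
        return "REJECT"      # unknown user: refused before any challenge
    if USERS[username] == "":
        return "ACCEPT"      # no password: let in without a challenge
    return "CHALLENGE"       # existing user with a password


def uniform_first_reply(username: str) -> str:
    """Hardened form: every name is challenged, so the reply says nothing."""
    return "CHALLENGE"


def uniform_verify(username: str, challenge: str, response: str) -> str:
    """Same work and same rejection for a wrong password and an unknown user."""
    password = USERS.get(username)
    known = password is not None
    if not known:
        # Decoy secret: unknown names go through the identical digest check.
        password = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    expected = md5_response(challenge, password)
    matches = hmac.compare_digest(expected.encode(), response.encode())
    return "ACCEPT" if (matches and known) else "REJECT"


if __name__ == "__main__":
    for name in ("alice", "guest", "nobody"):  # constructed probe names
        print(name, leaky_first_reply(name), uniform_first_reply(name))
```

In the hardened form a passwordless account still authenticates, but only after answering the challenge like any other account, so its existence is not visible from the first reply.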