[Asterisk-Dev] Re: Inestability with H323
Derek Smithies
derek at indranet.co.nz
Mon Apr 19 15:51:56 MST 2004
Hi,
> > iax2 has many more exploits than openh323.
Yes, I do need to substantiate such comments, and it does need to be
done on list, given that the initial claim was done on list.
All of the below discussion assumes I can listen in to a conversation.
If you cannot listen in, well, you do not know the conversation is there
to attack/exploit.
Openh323 had a number of quite subtle attacks that were possible against
the AsnParser. These were found by the NISCC (National Infrastructure
Security Coordinaton Centre - http://www.niscc.co.uk/) in the UK, and have
been fixed.
Both openh323 and iax2 send audio in UDP packets. It is possible to for a
malicous third party to do a DOS attack by sending additional packets,
and disrupting the audio stream. It is slightly harder to create these
packets for openh323, as there is a bit more information in the header of
the packet that has to be added.
With iax2, control frames are sent as UDP, with information in the clear.
A third party can easily read the control frames, and associated data.
With openh323, you have to disect this information with an asnparser, and
read this information from a TCP stream. Further, this information can be
encrypted with ssl. You will note that openh323 has the option to register
to a gatekeeper, with SSL.
Now, what can I do with the information gained by listening in to an iax2
conversation.
1)I can send hangup packets, to terminate the discussion.
2)I can send additional dtmf packets to cause havoc to an IVR system
3)I can send AST_FRAME_VOICE packets with a different codec.
This will change the variable specifying which codec to use
for decoding voice. Hopefully, the decoders will cope with the
wrong codec format, and not crash.
Now sure, I am doing a man in the middle attack on two systems talking on
UDP.
This is quite a lot easier than doing the same attack on two systems
talking TCP.
=>See the point: it is much easier to wreck havoc on iax2 than openh323.
Does that mean iax2 has many more exploits than openh323?
Hmm, maybe I should have said, it is much easier to attack an iax2 system.
OpenH323 does have that security layer of ssl when registering to a
gateway, so I suppose you could regard that as one less vulnerability
for openh323.
Let us not consider the presence of the asnparser as a security layer. The
asnparser provides security by obscurity - it makes it harder for malicous
people to attack. Some malicous people will go elsewhere, cause it is
easier to attack easy targets. Others will work harder, cause there is a
challenge.
Derek.
==================================================
On Mon, 19 Apr 2004, Mark Spencer wrote:
> > d)you don't need to worry about exploits in the openh323 code.
> > iax2 has many more exploits than openh323.
>
> Would you care to either on- or off-list substantiate your allegation?
>
> Mark
>
> _______________________________________________
> Asterisk-Dev mailing list
> Asterisk-Dev at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-dev
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-dev
>
>
>
--
Derek Smithies Ph.D. This PC runs pine on linux for email
IndraNet Technologies Ltd. If you find a virus apparently from me, it has
Email: derek at indranet.co.nz forged the e-mail headers on someone else's machine
ph +64 3 365 6485 Please do not notify me when (apparently) receiving a
Web: http://www.indranet-technologies.com/ windows virus from me......
More information about the asterisk-dev
mailing list