[Asterisk-Dev] Re: Inestability with H323

Derek Smithies derek at indranet.co.nz
Mon Apr 19 15:51:56 MST 2004


Hi,

> >   iax2 has many more exploits than openh323.

Yes, I do need to substantiate such comments, and it does need to be 
done on list, given that the initial claim was done on list.


All of the below discussion assumes I can listen in to a conversation.
If you cannot listen in, well, you do not know the conversation is there 
to attack/exploit.

Openh323 had a number of quite subtle attacks that were possible against
the AsnParser. These were found by the NISCC (National Infrastructure
Security Coordination Centre - http://www.niscc.co.uk/) in the UK, and have 
been fixed.

Both openh323 and iax2 send audio in UDP packets. It is possible for a 
malicious third party to do a DoS attack by sending additional packets, 
and disrupting the audio stream. It is slightly harder to create these
packets for openh323, as there is a bit more information in the header of 
the packet that has to be added.

With iax2, control frames are sent as UDP, with information in the clear.
A third party can easily read the control frames and associated data.
With openh323, you have to dissect this information with an asnparser, and 
read this information from a TCP stream. Further, this information can be
encrypted with SSL. You will note that openh323 has the option to register 
to a gatekeeper with SSL.

Now, what can I do with the information gained by listening in to an iax2 
conversation?
1) I can send hangup packets, to terminate the discussion.
2) I can send additional dtmf packets to cause havoc to an IVR system.
3) I can send AST_FRAME_VOICE packets with a different codec.
   This will change the variable specifying which codec to use 
   for decoding voice. Hopefully, the decoders will cope with the 
   wrong codec format, and not crash.

Now sure, I am doing a man in the middle attack on two systems talking on 
UDP.  
This is quite a lot easier than doing the same attack on two systems 
talking TCP.
 =>See the point: it is much easier to wreak havoc on iax2 than openh323.
   Does that mean iax2 has many more exploits than openh323?
   Hmm, maybe I should have said, it is much easier to attack an iax2 system.
  
  OpenH323 does have that security layer of ssl when registering to a 
  gateway, so I suppose you could regard that as one less vulnerability 
  for openh323.

Let us not consider the presence of the asnparser as a security layer. The 
asnparser provides security by obscurity - it makes it harder for malicious 
people to attack. Some malicious people will go elsewhere, because it is 
easier to attack easy targets. Others will work harder, because there is a 
challenge.


Derek.
==================================================
On Mon, 19 Apr 2004, Mark Spencer wrote:

> > d)you don't need to worry about exploits in the openh323 code.
> >   iax2 has many more exploits than openh323.
> 
> Would you care to either on- or off-list substantiate your allegation?
> 
> Mark
> 

-- 
Derek Smithies Ph.D.                           This PC runs pine on linux for email
IndraNet Technologies Ltd.                     If you find a virus apparently from me, it has
Email: derek at indranet.co.nz                    forged  the e-mail headers on someone else's machine
ph +64 3 365 6485                              Please do not notify me when (apparently) receiving a
Web: http://www.indranet-technologies.com/     windows virus from me......
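An added example, not from Derek's message or from the Asterisk or openh323 projects: a small Python monitor that decodes the 12-byte IAX2 full-frame header (layout and type/subclass constants as in RFC 5456) and flags the three injections listed in the message above, namely a frame from an address other than the call's peer, a mid-call codec change in a voice frame, and a full frame (such as a hangup) whose OSeqno does not follow the sender's sequence. It assumes calls can be keyed by the sender's call number, and the peer addresses and frames are constructed in memory to exercise the detector.

```python
import struct
# IAX2 full-frame header: 12 bytes, network order (RFC 5456 section 8.1.1).
FRAME_DTMF, FRAME_VOICE, FRAME_CONTROL, FRAME_IAX = 1, 2, 4, 6
CONTROL_HANGUP, IAX_HANGUP = 1, 5                 # subclasses that end a call

def parse_full_frame(data):
    """Decode a full-frame header; return None for mini frames (F bit clear)."""
    if len(data) < 12 or not data[0] & 0x80:
        return None
    scall, dcall, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    subclass = 1 << (sub & 0x7F) if sub & 0x80 else sub & 0x7F   # C bit: 2**n
    return {"src_call": scall & 0x7FFF, "dst_call": dcall & 0x7FFF, "ts": ts,
            "oseq": oseq, "iseq": iseq, "type": ftype, "subclass": subclass}

def build_full_frame(src_call, dst_call, ts, oseq, iseq, ftype, subclass):
    """Encode a full-frame header (used here only to construct sample traffic)."""
    c_bit = 0x80 if subclass > 0x7F else 0
    sub = subclass.bit_length() - 1 if c_bit else subclass
    return struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, ts, oseq, iseq,
                       ftype, c_bit | sub)

def audit(packets):
    """packets: (src_ip, udp_payload) pairs; track calls by sender call number."""
    calls, alerts = {}, []
    for src_ip, payload in packets:
        f = parse_full_frame(payload)
        if f is None:                                  # mini frames carry no control
            continue
        st = calls.setdefault(f["src_call"], {"peer": src_ip, "codec": None, "oseq": -1})
        tag = f"call {f['src_call']} from {src_ip}"
        if src_ip != st["peer"]:                       # address differs from the peer
            alerts.append(f"{tag}: unexpected peer, call belongs to {st['peer']}")
        if f["type"] == FRAME_VOICE:
            if st["codec"] is None:
                st["codec"] = f["subclass"]
            elif f["subclass"] != st["codec"]:         # item 3 above: codec switched
                alerts.append(f"{tag}: mid-call codec change {st['codec']:#x}->{f['subclass']:#x}")
        if f["oseq"] != st["oseq"] + 1:                # item 1: e.g. a hangup out of order
            alerts.append(f"{tag}: out-of-sequence OSeqno {f['oseq']} (type {f['type']})")
        st["oseq"] = max(st["oseq"], f["oseq"])
    return alerts

# Constructed sample: a legitimate peer, then two spoofed frames from elsewhere.
PEER, INTRUDER = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    (PEER, build_full_frame(5, 0, 0, 0, 0, FRAME_IAX, 1)),               # NEW
    (PEER, build_full_frame(5, 9, 20, 1, 1, FRAME_VOICE, 4)),            # ULAW voice
    (INTRUDER, build_full_frame(5, 9, 40, 2, 1, FRAME_VOICE, 2)),        # GSM voice
    (INTRUDER, build_full_frame(5, 9, 60, 9, 1, FRAME_CONTROL, CONTROL_HANGUP)),
]
```

Running `audit(SAMPLE)` yields four alerts: two for the unexpected source address, one for the ULAW-to-GSM codec change, and one for the hangup whose OSeqno jumps ahead.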