VOIPPACK update for February 2010 brings faster VoIP cracking and destruction

So it’s time to issue an update to VOIPPACK, with some new goodies!

This update includes:

  • two new tools called “bypassalwaysreject” and “sipopenrelay”
  • DoS exploits for Asterisk PBX called “asteriskdiscomfort”, “asterisksscanfdos” and “iax2resourceexhaust”
  • Generic DoS exploit “sipinviteflood”
  • Optimizations for the SIP Digest leak tool “sipdigestleak” and the SIP digest cracker

What does “bypassalwaysreject” do?

Asterisk PBX introduced a new option, “alwaysauthreject”, which disables traditional enumeration of extensions. This tool makes use of an undisclosed method of enumerating extensions which works on Asterisk as of at least Asterisk 1.6.2.1 (and possibly the latest version too).

What does “sipopenrelay” do?

This new tool tries to find misconfigured dialplans or ACLs by calling (sending INVITE messages to) a specific phone number with different prefixes. This emulates current attack trends on the SIP front as described in various blog posts. The result would be free calls, which indicate the possibility of toll fraud.
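The prefix-variation behaviour described above leaves a recognisable trace in proxy logs. The following is an added example, not part of the original post or of VOIPPACK, that flags it; the one-line-per-request log format, the function name `find_prefix_probes` and both thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<source-ip> <SIP request line>", one request per line.
INVITE_RE = re.compile(r"^(\S+)\s+INVITE\s+sips?:([^@;\s]+)@", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, reserved UK test numbers).
SAMPLE_LOG = """\
203.0.113.7 INVITE sip:00441632960123@pbx.example.com SIP/2.0
203.0.113.7 INVITE sip:900441632960123@pbx.example.com SIP/2.0
203.0.113.7 INVITE sip:000441632960123@pbx.example.com SIP/2.0
203.0.113.7 INVITE sip:+441632960123@pbx.example.com SIP/2.0
198.51.100.20 INVITE sip:01632960456@pbx.example.com SIP/2.0
198.51.100.20 INVITE sip:01632960456@pbx.example.com SIP/2.0
198.51.100.20 INVITE sip:1001@pbx.example.com SIP/2.0
203.0.113.7 REGISTER sip:pbx.example.com SIP/2.0
"""


def find_prefix_probes(log_text, tail_len=9, min_variants=3):
    """Return {(source, tail): sorted prefixes} for every source that sent
    INVITEs to the same trailing digits behind >= min_variants prefixes."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = INVITE_RE.match(line.strip())
        if not m:
            continue  # not an INVITE, or not in the assumed format
        source, user = m.groups()
        # Split the dialled string into "whatever came first" + last N digits.
        parts = re.fullmatch(r"(.*?)(\d{%d})" % tail_len, user)
        if not parts:
            continue  # short internal extension or non-numeric user part
        prefix, tail = parts.groups()
        seen[(source, tail)].add(prefix)
    # Redialling the same full number yields one prefix and is not flagged.
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_variants}


if __name__ == "__main__":
    for (source, tail), prefixes in find_prefix_probes(SAMPLE_LOG).items():
        print(f"{source}: same number (...{tail}) tried with prefixes {prefixes}")
```

Tune `tail_len` and `min_variants` to the local numbering plan; a hit is a cue to review the dialplan and ACLs for the contexts that source can reach.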

What about the new DoS tools?

Asterisk Discomfort exploits a DoS vulnerability that was fixed in AST-2009-010. The vulnerability lies in the parsing of an RTP comfort noise stream. The result is that Asterisk PBX crashes.

Asterisk SSCANF DoS exploits AST-2009-005 which has the result of crashing Asterisk PBX.

The Invite Flood tool exploits a DoS found in various endpoints and PBX servers. It sends a large number of INVITE messages, initiating lots of calls and eventually causing either a crash or the application to hang.

IAX2 Resource exhaust targets a DoS vulnerability that was fixed in AST-2009-006 and exploits a design flaw in the IAX2 protocol, in some ways similar to the INVITE flood DoS. The result is that Asterisk starts consuming too many resources and becomes unresponsive. Sometimes it crashes.

And the enhancements?

The SIP Digest Leak tool and its sister Digest cracker have both been updated to support two new features.

  1. Zerolen SDP option in SIP Digest Leak means that when some SIP endpoints pick up the call, they send a hangup immediately. This cuts the waiting time for the attacker and immediately gives him/her the challenge response.
  2. Support for using John the Ripper as an external tool to crack Digest passwords. The jumbo patch needs to be applied to John the Ripper – I’ll be posting on how to do this later on.

That is all for now, hope you enjoy the update. For more information about VOIPPACK take a look at the products page.

*** This is a Security Bloggers Network syndicated blog from EnableSecurity authored by Sandro. Read the original post at: https://enablesecurity.wordpress.com/2010/02/16/voippack-update-for-february-2010-brings-faster-voip-cracking-and-destruction/