Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] IAX2 Incomplete 3-Way Handshake (Spoofing)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] IAX2 Incomplete 3-Way Handshake (Spoofing)
Date: 23 Apr 2008 14:07:01 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  IAX2 Incomplete 3-Way Handshake (Spoofing)
------------------------------------------------------------------------


SUMMARY

A vulnerability in Asterisk's IAX2 support allows remote attackers that 
can spoof IAX2 packets to cause the product generate increasing amounts of 
traffic that will be sent to the spoofed source.

DETAILS

Vulnerable Systems:
 * Asterisk Open Source 1.0.x - all versions
 * Asterisk Open Source 1.2.x - all versions prior to 1.2.28
 * Asterisk Open Source 1.4.x - all versions prior to 1.4.19.1
 * Asterisk Business Edition A.x.x - all versions
 * Asterisk Business Edition B.x.x - all versions prior to B.2.5.2
 * Asterisk Business Edition C.x.x - all versions prior to C.1.8.1
 * AsteriskNOW 1.0.x - all versions prior to 1.0.3
 * Asterisk Appliance Developer Kit 0.x.x - all versions
 * s800i (Asterisk Appliance) 1.0.x - all versions prior to 1.1.0.3

Immune Systems:
 * Asterisk Open Source version 1.2.28
 * Asterisk Open Source version 1.4.19.1
 * Asterisk Business Edition version B.2.5.2
 * Asterisk Business Edition version C.1.8.1
 * AsteriskNOW version 1.0.3
 * s800i (Asterisk Appliance) version 1.1.0.3

Javantea originally reported an issue in IAX2, whereby an attacker could 
send a spoofed IAX2 NEW message, and Asterisk would start sending early 
audio to the target address, without ever receiving an initial response. 
That original vulnerability was addressed in June 2007, by requiring a 
response to the initial NEW message before starting to send any audio.

Javantea subsequently found that we were doing insufficient verification 
of the ACK response and that the ACK response could be spoofed, just like 
the initial NEW message. We have addressed this failure with two changes. 
First, we have started to require that the ACK response contains the 
unique source call number that we send in our reply to the NEW message. 
Any ACK response that does not contain the source call number that we have 
created will be silently thrown away. Second, we have made the generation 
of our source call number a little more difficult to predict, by randomly 
selecting a source call number, instead of allocating them sequentially.

Workaround:
Disable remote unauthenticated IAX2 sessions, by disallowing guest access.

Resolution:
Upgrade your Asterisk installation to revision 114561 or later, or install 
one of the releases shown below.

Exploit:
 session = altsci_iax2.IAX_session(host, port, verbose)

 # Capability == GSM, ...
 data = 
altsci_iax2.IAX_create_ie(altsci_iax2.IAX_IE_TYPE['IAX_IE_CAPABILITY'], 
altsci_iax2.pack_long(0x000002aa))
 # Reqd Version, Called number, codec prefs, Calling Presentation,
 # Calling TON, Calling TNS, Format?
 session.send(data)

 resp = session.recv()

 doit = 0
 if resp[0] == altsci_iax2.IAX_FRAMETYPE['FT_IAXCTL'] and resp[1] == 
altsci_iax2.IAXCTL_SUBCLASS['IC_ACCEPT']:
  print "Accepted, let's ack"
  data = ''
  session.send(data, frame_type = altsci_iax2.IAX_FRAMETYPE['FT_IAXCTL'], 
subclass = altsci_iax2.IAXCTL_SUBCLASS['IC_ACK'])
  doit = 1
 #end if

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1897> 
CVE-2008-1897


ADDITIONAL INFORMATION

The information has been provided by  <mailto:jvoss@altsci.com> Joel R. 
Voss aka. Javantea.
The original article can be found at:  
<http://downloads.digium.com/pub/security/AST-2008-006.html> 
http://downloads.digium.com/pub/security/AST-2008-006.html and  
<https://www.altsci.com/concepts/page.php?s=asteri&p=2> 
https://www.altsci.com/concepts/page.php?s=asteri&p=2



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] IAX2 Incomplete 3-Way Handshake (Spoofing), SecuriTeam <=
Previous by Date:  [NT] Foxit Reader Malformed PDF Vulnerabilities, SecuriTeam
Previous by Thread:  [NT] Foxit Reader Malformed PDF Vulnerabilities, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]