
Exploiting VoIP Vulnerabilities - Part 1/2
By Lawrence Dobranski, Jan 27, 2009, 02:40 PM EST


Once again we welcome Eric Winsborrow, the Chief Marketing Officer of Sipera Systems. This post is based on an article he originally wrote for SC Magazine in June 2008, and is the first of two parts detailing how a real VoIP exploit can lead to the loss of confidential data....Lawrence.


Can you place a call to someone using VoIP and steal their personal data without even talking to them? Most people would have said “No” until they saw the demonstration at Black Hat 2007, which showed how to remotely exploit a soft phone installed on a Windows laptop and view or steal the personal data stored on that laptop. This means IT security administrators, responsible for keeping tabs on confidential data for privacy and compliance, must pay attention to the risks inherent in VoIP.


Traditionally, threats from VoIP/unified communications (UC) do not make it to the top of the list of information security issues. Rather, such lists contain threats such as system probing, email attacks, default password attacks, and sniffing. However, the VoIP-to-data exploit puts VoIP/UC among the top information security concerns.


The VoIP/UC threat


Like any complex computer system, VoIP/UC networks present unique security challenges. Despite many attempts to formulate best security practices for VoIP/UC solutions within an enterprise, such best practices are not always enforced or correctly followed. The reasons behind this may be budgets, time, misunderstandings, or even just apathy towards security. Whatever the reasons, leaving VoIP/UC networks unprotected makes them and the co-existing data networks vulnerable to numerous security threats.


To give a simple example, standard security best practices recommend separating the voice virtual local area network (VLAN) from the data VLAN so that traffic from one cannot reach the other. However, unified communications enable soft phones installed on the data VLAN to talk to hard VoIP phones on the voice VLAN. Completely blocking the traffic between the two VLANs would prevent this communication, so IT administrators may instead allow traffic between the two VLANs freely. Such a policy enables legitimate communication between the two VLANs, but if that traffic is not monitored, it also allows worms, viruses and other attacks to cross from either side to the other.


Not all enterprises deploy soft phones yet, but VoIP soft phones are becoming an integral part of many unified communications frameworks. One reason is that they enable a software-based migration of end-user devices to VoIP. Additionally, soft phones allow users to be reachable wherever they take their laptops. Even if the enterprise does not expressly deploy VoIP soft phones, employees may use a freely available VoIP soft phone with one of several public VoIP service providers. It is not wise to ignore VoIP threats when investing resources to protect confidential data and assets residing on the data network. Equal importance must be given to protecting VoIP/UC devices to achieve comprehensive security across the enterprise.


Let's look at a potential attack. One possible exploit uses an IETF SIP (Session Initiation Protocol)-based soft phone.


Step 1: Finding an exploitable vulnerability. One of the most effective techniques to uncover implementation vulnerabilities in protocol parser implementations is to subject them to a “fuzzing” attack (http://en.wikipedia.org/wiki/Fuzzing). According to Wikipedia: “Fuzzing is a software testing technique that provides random data (“fuzz”) to the inputs of a program”.


A fuzzing attack is more effective against ASCII-based protocol implementations (e.g., SIP). Unlike binary protocols, the ASCII protocol message format is very flexible, making it difficult to build robust parser implementations. Several freely available tools can be used to launch such fuzzing attacks against soft phones and discover vulnerabilities in them.


Figure 1 shows an example of a “fuzzed” SIP INVITE message with an oversized SIP “From” header value. Often, such oversized fields uncover buffer overflow vulnerabilities in the target software.

[Figure 1 image: http://community.nortel.com/go/servlet/JiveServlet/downloadImage/38-6094-8952/fuzzed-sip-example1.jpg]
Figure 1: An example of a “fuzzed” SIP message with an oversized header value.


These buffer overflow vulnerabilities can subsequently be exploited to execute arbitrary code on the victim's system. Typically, when subjected to such oversized messages, a vulnerable soft phone crashes; when you find the one fuzzed message that crashes the soft phone program, you have found the exploit case. That test case can then be tweaked to inject executable shell code into the soft phone.


Step 2: Exploiting the vulnerability to execute shell code. Using the exploit case to execute arbitrary code on the machine where the vulnerable soft phone is installed involves carefully crafting the content of the bad input buffer. Such crafting is done by studying the OS memory addresses and then carefully inserting these addresses and the encoded “shell code” into the input buffer. This crafted byte sequence can then be inserted into the SIP INVITE message.
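The parser-side control that defeats both the oversized From value of Step 1 and the crafted buffer of Step 2 is the same: measure the header value and reject it before it is ever copied into a fixed buffer. The C below is an added example, not code from the article, from Sipera, or from any real soft phone; the 256-byte limit, the example.test message layout and the check_fuzzed_from helper are constructed for this illustration.

```c
#include <string.h>

/* Policy limit (an assumption for this example): a legitimate From value
 * (display name, SIP URI and tag parameter) fits comfortably in 256 bytes. */
#define MAX_FROM_LEN 256

/* Locate the From header value in a raw SIP request without copying it.
 * Returns NULL if absent; otherwise stores the value length in *len. */
static const char *find_from(const char *msg, size_t *len)
{
    const char *p = strstr(msg, "\r\nFrom:");
    if (p == NULL) return NULL;
    p += strlen("\r\nFrom:");
    while (*p == ' ' || *p == '\t') p++;
    const char *end = strstr(p, "\r\n");
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* The defect the article describes looks like
 *     char buf[64]; memcpy(buf, v, len); buf[len] = '\0';
 * with no check of len against sizeof buf, so an oversized From value runs
 * past the stack buffer. The hardened form measures first, rejects values
 * over the limit, and copies only into a buffer whose size the caller
 * states. Returns 0 on success, -1 if absent, -2 if rejected. */
int parse_from_safe(const char *msg, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_from(msg, &len);
    if (v == NULL) return -1;
    if (len > MAX_FROM_LEN || len + 1 > outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed INVITE whose From value is from_len 'A' bytes, in the
 * shape of the Figure 1 fuzz case, and return the parser's verdict
 * (-3 if the request would not fit the message buffer). */
int check_fuzzed_from(size_t from_len)
{
    static char msg[16384];
    char from[MAX_FROM_LEN + 1];
    const char *head = "INVITE sip:bob@example.test SIP/2.0\r\n"
                       "Via: SIP/2.0/UDP 192.0.2.10:5060\r\nFrom: ";
    const char *tail = "\r\nTo: <sip:bob@example.test>\r\nCall-ID: 1@example.test\r\n\r\n";
    if (strlen(head) + from_len + strlen(tail) + 1 > sizeof msg) return -3;
    strcpy(msg, head);
    memset(msg + strlen(head), 'A', from_len);
    strcpy(msg + strlen(head) + from_len, tail);
    return parse_from_safe(msg, from, sizeof from);
}
```

A production SIP parser must apply the same bound to every header, and must also recognise the compact header form (f: for From) and folded continuation lines, neither of which this example handles.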


That brings us to the most interesting part of this exploit – executing shell code on the target machine. In the second part of this post, we’ll look at steps 3 and 4 of this class of VoIP attack, and then explore some mitigation techniques. So stay tuned to the Nortel Voice Security Blog to learn more about how to defend your voice system against these kinds of exploits.

Eric Winsborrow, CMO, Sipera Systems


Comments:


Good article. Information is very clear and gives good understanding. Waiting for Part 2.


-Sarath



Dec 4, 2008 4:54 PM by guest

