Full Report
The bulk of security research pertaining to VoIP call control, setup and signaling protocols has focused on the Session Initiation Protocol (SIP), due to the ubiquity and widespread adoption of this protocol. However, a number of other protocols and protocol suites are in use in many organizations and have been adopted by many of the VoIP vendors. Some examples of these protocols are Cisco’s Skinny Client Control Protocol (SCCP or Skinny), the H.323 suite of protocols, and Asterisk’s Inter-Asterisk eXchange (IAX).
Analysis Summary
# Research: BlackHat Roundup – Ajax and h.323 and iax (A Summary of presented VoIP security research)
## Metadata
- Authors: Nick (as per the byline on the SensePost blog post)
- Institution: SensePost (Publishing based on a conference event)
- Publication: SensePost Blog
- Date: 07 August 2007
## Abstract
This post summarizes key security research presented at a BlackHat conference, focusing specifically on vulnerabilities in the H.323 and IAX VoIP signaling protocols, as presented by Himanshu Dwivedi and Zane Lackey of iSec Partners. A parallel set of concerns was noted in the security assessment of new Ajax web applications. The primary takeaway is the reappearance of classic vulnerability patterns (like offline password cracking) in newer communication technologies.
## Research Objective
The primary objective highlighted by the presented research was to explore and demonstrate security vulnerabilities in VoIP protocols beyond the heavily researched Session Initiation Protocol (SIP), specifically targeting **H.323** and **IAX (Inter-Asterisk eXchange)**. A secondary, comparative objective involved assessing the security posture of emerging **Ajax** web applications.
## Methodology
### Approach
The iSec Partners research focused on attacking the **Authentication and Authorization** processes within H.323 and IAX, as well as testing for **Denial of Service (DoS)** conditions. A separate methodology (by Hoffman and Sullivan) involved simulating typical development practices for Ajax applications using commonly available resources to see what security flaws naturally emerge.
### Dataset/Environment
The research analyzed the H.323 and IAX signaling protocols, and a custom-built Ajax application designed to mimic real-world developer output.
### Tools & Technologies
No specific proprietary tools were detailed, but the analysis involved traffic capture and the use of offline techniques like **MD5 hash calculation** for dictionary attacks.
## Key Findings
### Primary Results
1. **Authentication Compromise in H.323/IAX:** Vulnerabilities were identified in the authentication mechanisms of H.323 and IAX, allowing attackers to compromise credentials.
2. **Reapplication of Old Attacks:** Many successful attacks against modern VoIP signaling protocols were found to be direct applications or analogies of well-known, older attack methodologies (specifically referencing past attacks against Windows domain hash authentication).
3. **Prevalence of Classic Web Flaws in Ajax:** The simulated Ajax applications exhibited common and long-known web application vulnerabilities, such as **SQL Injection** and **Parameter Tampering**, despite being wrapped in newer technology.
### Supporting Evidence
The researchers specifically demonstrated how capturing the **username, timestamp, and MD5 hash** during an H.323 authentication exchange provides an attacker with all necessary components to perform an offline dictionary attack to derive the plaintext password.
### Novel Contributions
The novelty lies not necessarily in creating entirely new attack vectors for VoIP, but in systematically applying established attack patterns to these less-researched protocols (H.323/IAX) and using the Ajax comparison to underscore a general industry failure: ignoring long-established security lessons when adopting new platforms.
## Technical Details
The attack against H.323 authentication hinges on exploiting protocol implementations that transmit necessary components (user ID, nonce/timestamp, and hash result) in cleartext during the challenge-response phase. By capturing this triplet, an attacker can test candidate passwords offline by hashing them with the correct parameters and comparing the result to the transmitted hash value.
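The following model of the exchange described in the Supporting Evidence and Technical Details sections is an added example, not code from the original post or from iSec Partners. It assumes a simplified response of MD5 over user ID, timestamp and password (real H.235 hashes an ASN.1-encoded token, but the structure of the weakness is the same), and shows why a gatekeeper's timestamp window limits replay yet does nothing against an observer who recomputes the same hash offline.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthTriplet:
    """The three values an on-path observer sees in the clear: user ID,
    timestamp/nonce and the MD5 result (the triplet named in the summary)."""
    user: str
    timestamp: int
    digest: str


def h323_response(user: str, timestamp: int, password: str) -> str:
    # Assumed simplified construction: MD5 over user, timestamp and password.
    data = f"{user}:{timestamp}:{password}".encode()
    return hashlib.md5(data).hexdigest()


def register(user: str, password: str, now: int) -> AuthTriplet:
    """Endpoint side: build the registration triplet sent to the gatekeeper."""
    return AuthTriplet(user, now, h323_response(user, now, password))


def gatekeeper_verify(t: AuthTriplet, stored_password: str, now: int, window: int = 30) -> bool:
    """Gatekeeper side: the timestamp window limits replay of a captured triplet,
    then the hash is recomputed from the stored password and compared."""
    if abs(now - t.timestamp) > window:
        return False
    return t.digest == h323_response(t.user, t.timestamp, stored_password)


def offline_check(t: AuthTriplet, candidate: str) -> bool:
    """Exactly the gatekeeper's computation, but run by whoever captured the
    triplet: no interaction, no freshness check, no lockout applies."""
    return t.digest == h323_response(t.user, t.timestamp, candidate)


def audit_weak_credentials(triplets, weak_passwords) -> dict:
    """Defender's audit: which captured registrations used a password from a
    known-weak list, i.e. which accounts an observer could recover offline."""
    hits = {}
    for t in triplets:
        for pw in weak_passwords:
            if offline_check(t, pw):
                hits[t.user] = pw
                break
    return hits


# Constructed sample traffic and weak-password list (not taken from the page).
NOW = 1186480000
SAMPLE = [register("phone101", "cisco", NOW), register("phone102", "Xk#9vQ2!pL", NOW + 5)]
WEAK = ["1234", "cisco", "password"]
```

Running `audit_weak_credentials(SAMPLE, WEAK)` flags `phone101`; the only mitigation that removes the offline check entirely is keeping the triplet off the wire, e.g. encrypted signaling as the Defenders section recommends.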
## Practical Implications
### For Security Practitioners
Security professionals must be aware that protocols like H.323 and IAX, which may be deployed in enterprise environments alongside or instead of SIP, are susceptible to attacks targeting fundamental weak points such as the transmission of authentication data in the clear.
### For Defenders
Defenders must prioritize the validation of all client-supplied data, regardless of the application framework (web or signaling). Specifically for VoIP, ensuring that authentication exchanges run over a secure transport (e.g., strong encryption for signaling) is paramount to prevent offline credential cracking.
### For Researchers
The work suggests a need for deeper, systematic security audits of non-SIP VoIP protocols and encourages researchers to look beyond trendy new technologies to remediate foundational security flaws that keep resurfacing.
## Limitations
The summary notes that the VoIP research deliberately excluded **RTP-based attacks** (targeting the media transport layer) and focused strictly on **signaling and call control protocols**.
## Comparison to Prior Work
This research explicitly contrasts with the bulk of contemporary VoIP research, which at the time was overwhelmingly focused on **SIP**. It draws direct parallels between the H.323/IAX authentication flaws and "old bugbears" from Microsoft Windows domain authentication history, highlighting a lack of institutional memory in adopting security practices.
## Real-world Applications
* **Vulnerability Assessment:** Directly applicable to assessing the security posture of corporate voice networks utilizing older or proprietary VoIP systems built around H.323 or IAX.
* **Code Review:** The findings regarding Ajax emphasize the need for rigorous security training for developers working with new application technologies that rely on client-side interaction.
## Future Work
The author implies that future work should focus on developing robust authentication and authorization standards for H.323 and IAX that resist offline brute-forcing, and encourages sustained vigilance against classic attacks even in "shiny" new technology stacks.
## References
* iSec Partners, Himanshu Dwivedi, Zane Lackey (Presenters on H.323/IAX security)
* SPI Dynamics, Bryan Hoffman, Billy Sullivan (Presenters on Ajax security)