The same type of vulnerability exists in injecting malicious code into the
conversation, a bit harder than a simple trojan horse, but it is possible.
Similar to subliminal messages in Movies.. :)

EnetSec had the Model 2600 which had the capability of decoding phone calls,
breaking them apart, etc. for anything that was being transmitted across
modem, voice, fax, ip, etc.

/m

----- Original Message -----
From: Dug Song <dugsongat_private>
To: <pen-testat_private>
Sent: Thursday, June 14, 2001 6:10 PM
Subject: Re: Voice over IP

> On Thu, Jun 14, 2001 Brandon Young wrote:
>
> > A couple of colleagues and I are working on a security audit for a
> > VOIP system. Anyone know of any exploits and vulnerabilities that may
> > exist with Cisco's call manager? One thing we have found is that the
> > traffic can be sniffed during phone calls. TCP is used for the
> > initial connection setup and then once the phone has set up a session
> > to the call manager it then uses the RTP protocol. We found that the
> > conversation is placed in the PCMU audio codec. We are looking to
> > find a way to extract the payloads and reassemble the audio so that
> > we can play back the phone conversations. We are also looking at
> > launching a man in the middle attack and getting access to the
> > conversation and trying to listen to it in real time instead of
> > capturing and replaying. Any ideas on some possible ways to execute
> > this?
>
> soon to be integrated into the dsniff suite:
>
> http://www.monkey.org/~provos/vomit/
>
> decode and convert Cisco IP phone calls into .wav format for playback
> (either realtime or from a tcpdump capture), and inject .wav data into
> ongoing telephone conversations.
>
> be sure to leave a tip for Niels. :-)
>
> -d.
>
> p.s. he really does leave me those kind of crazy messages...
>
> ---
> http://www.monkey.org/~dugsong/
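For the audit side of the finding above (call audio carried as PCMU over plain RTP), this added example, which is not part of the original thread or of any tool it mentions, flags PCMU streams whose media is unprotected. SRTP leaves the RTP header in the clear, so payload type alone proves nothing; the check uses payload entropy instead. The 7.5 bits/byte threshold, the minimum sample size and the sample packets are assumptions constructed for illustration.

```python
import hashlib, math, struct
from collections import Counter, defaultdict

PCMU = 0            # RTP payload type 0 = PCMU / G.711 mu-law (RFC 3551)
THRESHOLD = 7.5     # bits/byte; assumed cut-off, tune on your own traffic
MIN_BYTES = 1600    # ~10 packets of 20 ms audio before judging a stream

def parse_rtp(dgram):
    """Return (payload_type, ssrc, payload) for an RTP v2 datagram, else None."""
    if len(dgram) < 12:
        return None
    b0, b1, _seq, _ts, ssrc = struct.unpack("!BBHII", dgram[:12])
    if b0 >> 6 != 2:
        return None
    off = 12 + 4 * (b0 & 0x0F)                  # skip CSRC identifiers
    if b0 & 0x10:                               # skip header extension
        if len(dgram) < off + 4:
            return None
        off += 4 + 4 * struct.unpack("!H", dgram[off + 2:off + 4])[0]
    return b1 & 0x7F, ssrc, dgram[off:]

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit(datagrams):
    """Map each PCMU stream (by SSRC) to 'cleartext' or 'encrypted'."""
    streams = defaultdict(bytearray)
    for d in datagrams:
        pkt = parse_rtp(d)
        if pkt and pkt[0] == PCMU:
            streams[pkt[1]] += pkt[2]
    return {ssrc: "cleartext" if entropy(buf) < THRESHOLD else "encrypted"
            for ssrc, buf in streams.items() if len(buf) >= MIN_BYTES}

def rtp(ssrc, seq, payload):                    # builds constructed test packets
    return struct.pack("!BBHII", 0x80, PCMU, seq, seq * 160, ssrc) + payload

# Constructed samples: quiet mu-law-like codes vs. hash output standing in
# for SRTP ciphertext (160 bytes + 10-byte auth tag).
plain = [rtp(0x1111, i, bytes(0xFF - (j + i) % 16 for j in range(160)))
         for i in range(12)]
cipher = [rtp(0x2222, i, b"".join(hashlib.sha256(bytes([i, k])).digest()
                                   for k in range(6))[:170]) for i in range(12)]

if __name__ == "__main__":
    print(audit(plain + cipher))
```

Feed `audit()` the UDP payloads from a capture of the voice VLAN; any stream reported as cleartext is readable by anyone on the path.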
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:40:01 PDT