The IAX protocol specification assumes that important security protections are going to be handled at other network layers, leaving implementations potentially vulnerable to active attacks. This susceptibility to active attacks arises from the fact that the IAX protocol does not provide integrity protection. Integrity protection ensures that the communication occurring between the real Asterisk server and endpoint has not been tampered with on the wire and has not been sent by a rogue server or client.
Another major issue is the predictability of IAX control frame sequencing. For example, a majority of the sequence numbers used are merely incremented by one in each frame. This allows an attacker to easily predict the values that are needed for injecting spoofed packets.
[Figure (diagram; caption not on this page): man-in-the-middle attack on IAX authentication. Actual communication runs between the Asterisk server and the IAX endpoint; intercepted communication passes through the attacker: 1. Auth Request, 2. Auth Request, 3. Challenge: 214484840, 4. Challenge: 214484840, 5. MD5: fc7131a20c49c3d96ba3e2e27d27, 6. MD5: fc7131a20c49c3d96ba3e2e27d27, 7. Authenticated!]
The combination of these issues means that vulnerable IAX implementations can be downgraded to plaintext transmissions during the authentication process. The downgrade attack causes an endpoint, which would normally use an MD5 digest for authentication, to send its password in cleartext. In order to perform this attack, the attacker must complete a few steps. First, the attacker needs to sniff the network,6 watching for an endpoint attempting to register to the Asterisk server (AS) using a registration request (REGREQ) packet. The attacker then parses out the required values from the REGREQ packet, including the Destination Call ID (DCID), Outbound Sequence Number (oseq), Inbound Sequence Number (iseq), username length, and username. Once the information has been gathered, the attacker needs to increase the iseq value to correspond to the existing session originally created by the AS (making it valid for a spoofed REGAUTH packet). After the sequence information is increased appropriately, the attacker injects a spoofed REGAUTH packet specifying that only plaintext authentication is allowed. If the spoofed packet “wins the race” back to the endpoint (ahead of the AS’s real packet that requires MD5 authentication), the endpoint sends another REGREQ packet across the network with the password in plaintext. This allows the attacker to recover the password from the network with a standard sniffer such as Wireshark.7 See Figure 5-9 for an example.
Figure 5-9: Downgrade attack
Figure 5-9 shows an endpoint attempting to register with the Asterisk server. During the authentication process, the attacker extracts the required session information from this packet. Once the information has been obtained, the attacker injects a REGAUTH packet spoofed from the Asterisk server specifying that only plaintext authentication is allowed. When the endpoint receives this packet, it responds with another REGREQ with the password in plaintext (in Figure 5-9, the sample password 123voiptest is shown). Because this password is sent in plaintext, it can be easily sniffed by an attacker.
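The downgrade leaves a recognizable trace on the wire: a REGAUTH whose AUTHMETHODS element offers plaintext alone, and, because the spoofed frame races the genuine one, two REGAUTH frames addressed to the same registration that disagree about the allowed methods. The following Python is an added example written from the defender's side; it is not code from the book and not IAXAuthJack. It parses IAX2 full frames, flags both signatures over a constructed three-frame capture, and includes the endpoint-side policy check that defeats the attack (ignore any offer that lacks MD5 or RSA rather than falling back to plaintext). The frame layout and constants (frame type 6 for IAX control, subclass 14 for REGAUTH, AUTHMETHODS IE 0x0e with bits 0x1 plaintext, 0x2 MD5, 0x4 RSA) are the IAX2 values from RFC 5456; the call numbers, username, and sequence values in the sample frames are constructed, and the challenge reuses the 214484840 value shown earlier in the chapter.

```python
"""Detect the IAX authentication downgrade described above (added example, not
code from the book or from IAXAuthJack). Frame layout and constants are the IAX2
values from RFC 5456; every sample frame is constructed here for the demo."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FRAME_TYPE_IAX = 0x06      # IAX control frame type
SUBCLASS_REGREQ = 0x0D     # registration request
SUBCLASS_REGAUTH = 0x0E    # server's authentication offer
IE_USERNAME = 0x06
IE_AUTHMETHODS = 0x0E      # 16-bit bitmask of offered methods
IE_CHALLENGE = 0x0F
AUTH_PLAINTEXT, AUTH_MD5, AUTH_RSA = 0x0001, 0x0002, 0x0004

@dataclass
class FullFrame:
    src_call: int      # sender's call number (15 bits)
    dst_call: int      # receiver's call number (15 bits)
    oseq: int          # outbound sequence number
    iseq: int          # inbound sequence number
    frame_type: int
    subclass: int
    ies: Dict[int, bytes] = field(default_factory=dict)

def parse_full_frame(data: bytes) -> FullFrame:
    """Parse the 12-byte IAX2 full-frame header and its type/length/value IEs."""
    if len(data) < 12:
        raise ValueError("frame too short")
    scall, dcall, _ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    if not scall & 0x8000:
        raise ValueError("not a full frame (F bit clear)")
    frame = FullFrame(scall & 0x7FFF, dcall & 0x7FFF, oseq, iseq, ftype, sub & 0x7F)
    pos = 12
    while pos + 2 <= len(data):
        ie_type, ie_len = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE")
        frame.ies[ie_type] = value
        pos += 2 + ie_len
    return frame

def authmethods(frame: FullFrame) -> Optional[int]:
    """Return the AUTHMETHODS bitmask, or None if the IE is absent or malformed."""
    raw = frame.ies.get(IE_AUTHMETHODS)
    return struct.unpack("!H", raw)[0] if raw is not None and len(raw) == 2 else None

def detect_downgrade(frames: List[bytes]) -> List[str]:
    """Flag REGAUTH frames that offer plaintext only, or that contradict an earlier
    REGAUTH for the same registration (the signature of an injected frame)."""
    alerts: List[str] = []
    first_offer: Dict[int, int] = {}   # endpoint call number -> first AUTHMETHODS seen
    for idx, raw in enumerate(frames):
        f = parse_full_frame(raw)
        if f.frame_type != FRAME_TYPE_IAX or f.subclass != SUBCLASS_REGAUTH:
            continue
        methods = authmethods(f)
        if methods is None:
            alerts.append(f"frame {idx}: REGAUTH without a valid AUTHMETHODS IE")
            continue
        if methods & AUTH_PLAINTEXT and not methods & (AUTH_MD5 | AUTH_RSA):
            alerts.append(f"frame {idx}: REGAUTH to call {f.dst_call} offers plaintext only (authmethods=0x{methods:04x})")
        prev = first_offer.setdefault(f.dst_call, methods)
        if prev != methods:
            alerts.append(f"frame {idx}: conflicting REGAUTH for call {f.dst_call}: 0x{prev:04x} then 0x{methods:04x} (possible injected frame)")
    return alerts

def endpoint_accepts(offered: int, required: int = AUTH_MD5 | AUTH_RSA) -> bool:
    """Endpoint-side mitigation: answer a REGAUTH only if it offers a method the local
    policy requires, so a plaintext-only offer is ignored rather than obeyed."""
    return bool(offered & required)

def build_full_frame(src_call: int, dst_call: int, oseq: int, iseq: int,
                     subclass: int, ies) -> bytes:
    """Build a constructed IAX control frame (timestamp 0) for the sample capture."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in ies)
    hdr = struct.pack("!HHIBBBB", 0x8000 | src_call, dst_call, 0, oseq, iseq, FRAME_TYPE_IAX, subclass)
    return hdr + body

# Constructed sample capture: endpoint uses call number 1, server uses 500.
SAMPLE_FRAMES = [
    # endpoint -> server: REGREQ for user 1000 (dst call 0 = new call)
    build_full_frame(1, 0, 0, 0, SUBCLASS_REGREQ, [(IE_USERNAME, b"1000")]),
    # server -> endpoint: genuine REGAUTH offering MD5 or RSA, with a challenge
    build_full_frame(500, 1, 0, 1, SUBCLASS_REGAUTH, [
        (IE_AUTHMETHODS, struct.pack("!H", AUTH_MD5 | AUTH_RSA)),
        (IE_CHALLENGE, b"214484840"), (IE_USERNAME, b"1000")]),
    # injected REGAUTH: same call and sequence numbers as the genuine one, plaintext only
    build_full_frame(500, 1, 0, 1, SUBCLASS_REGAUTH, [
        (IE_AUTHMETHODS, struct.pack("!H", AUTH_PLAINTEXT)), (IE_USERNAME, b"1000")]),
]

if __name__ == "__main__":
    for alert in detect_downgrade(SAMPLE_FRAMES):
        print(alert)
```

Run over the sample capture, the detector stays silent for the genuine REGREQ/REGAUTH pair and raises two alerts on the third frame: the plaintext-only offer itself, and the fact that it contradicts the earlier offer for the same call. Keying the conflict check on the destination call number rather than on sequence numbers is deliberate, since the attack works precisely by matching oseq and iseq to the real session; the one thing a spoofed REGAUTH cannot do is agree with the genuine one about the allowed methods. On the endpoint, `endpoint_accepts` expresses the fix the text implies: an endpoint that never honours a plaintext-only offer cannot be downgraded no matter who wins the race.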
[Figure 5-9 diagram: Asterisk server, attacker, and IAX endpoint. Messages: Registration Request (REGREQ) from the endpoint; MD5 Only (REGAUTH) from the server; Plaintext Only (REGAUTH) injected by the attacker; Response: 123voiptest (REGREQ) from the endpoint.]
In order to demonstrate this issue, the co-author of this chapter (Zane Lackey) has written a tool in Python called IAXAuthJack (downloadable from http://www.isecpartners.com/tools.html). IAXAuthJack is a tool that actively performs an authentication downgrade attack, forcing a vulnerable endpoint to reveal its password in plaintext over the network. To achieve this, IAXAuthJack sniffs the network for traffic indicating that registration is taking place between two IAX endpoints. Once a registration packet has been recognized, the tool then injects a REGAUTH packet, which specifies that the endpoint should authenticate in plaintext rather than MD5 or RSA. The tool has two modes of operation, which are described here.
6 Gaining access to network traffic on a switched network is demonstrated in Chapter 2 with tools like Cain & Abel.
7 See http://www.wireshark.org/.
Targeted attack
To test IAXAuthJack in targeted attack mode, you can use the following example command:
iaxauthjack.py -i eth0 -c EndpointIP -s ServerIP
Using this syntax, IAXAuthJack listens on the eth0 Ethernet interface for control frames from a specific IAX endpoint whose IP address is specified by the -c argument. The ServerIP value is the IP address of the Asterisk server that the endpoint is attempting to register with, specified by the -s argument. IAXAuthJack then injects the spoofed REGAUTH packet between the server and the endpoint, causing the endpoint to respond with a REGREQ packet with the password in plaintext.
Wildcard attack
By contrast, you can test IAXAuthJack in wildcard attack mode with this command:
iaxauthjack.py -i eth0 -a -s ServerIP
In this example, IAXAuthJack listens on the eth0 interface for control frames from any IAX endpoint that is attempting to register with the server. It then injects the spoofed REGAUTH packet, causing the endpoint to respond with its password in plaintext. See Figure 5-10 for more details.