jvoss@altsci.com
jvoss@myuw.net
April 18, 2008
AltSci IAX2 0.7
[sig]
AltSci IAX2 0.6
[sig]
UPDATE May 24, 2008
I have done a mildly thorough investigation of 1.4.19.1 (the fixed version) and I understand their solution (verify a pseudo-random call number). The solution is as good as I recommended. It does not solve the non-spoofed DoS attack since the attacker can use the call number it receives from the accept packet, but it does make the spoofed DoS attack much less useful (1:5 amplification is practically worthless). I consider this grevious security bug to be fixed. I have not tested backwards compatibility of devices and software versions. I plan to test whether this can be recreated via uncommon use cases such as psuedorandom guessing, sending random commands, etc. I hope that Asterisk will accept my apologies for releasing the exploit before they had a chance to respond. I plan to disclose all future vulnerabilities full disclosure after a timely opportunity for the vendor to respond. I encourage all other security researchers who use my tools to release the vulnerabilities that they find in a similar manner for the benefit of the community.
UPDATE April 24, 2008
Asterisk has responded to the release of my second exploit and framework with a set of patches to SVN. They have made the bug report above publicly available which pleases me. I haven't tested this to make sure that it isn't vulnerable, but I can assure you that I will. I will also spend time to see if their patch is backwards compatible with other versions of Asterisk and soft phones. I applaud Asterisk for their work toward fixing this obvious flaw. Together I believe that we can write and test a good VoIP protocol.
Once in a while a person finds an author who writes enough for a person to really like that author. The ideas that come across are coherent, consistent, and moving. Cory Doctorow is such an author for me. He understands technology, he is brilliant at coming up with plausible futuristic scenarios and he conveys ideas that are as important as anything we will face today. I've met him twice, once at Toorcon San Diego 2006 and once yesterday at a reading. He answered my question quite well. His new book "Little Brother" focuses on a revolution of ideas and values in present day America. He pits students against a tyrannical DHS frighteningly similar to the DHS we know today. He explains with incredible clarity why a war against an abstract noun is invalid and a system designed to protect people from rare events at the cost of their freedom is no more than common tyranny.
My question was: "What brought you to the idea of the probability of rare events and the detectors being useless?" He explained that the problem is that lurid rare events are much less of a threat than common events that harm a person. In his book he explains that trying to find a needle in a haystack is incredibly difficult when the margin of error of detection is so high. Any system designed to trade freedom for really poor results should be rejected.
We live in a country where basic freedoms are being trashed, we are at war with a country who has not attacked us, and the general populous will never revolt against it. We're basically in a downward spiral. With a new president and a possible solution to the war and removal of nationwide wiretaps and institutional torture, we can have hope for a new tomorrow. But persevering and incredible diligence is required still. We cannot afford to allow any screwups to send us back to our downward spiral if we get a chance to fix it. Tell the next president, Mr. Obama that we we're expecting nothing less than a complete change in the way our government is running.
Read more »I am a hacker, a self-employed programmer, an open-source advocate, a scientist, and an independent security researcher.
