Skip to main content
SpringerLink
Log in

Advanced fuzzing in the VoIP space

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Voice over IP is emerging as the key technology in the current and future Internet. This paper shares some essential practical experience gathered over a two years period in searching for vulnerabilities in the VoIP space. We will show a terrifying landscape of the most dangerous vulnerabilities capable to lead to a complete compromise of an internal network. All of the described vulnerabilities have been disclosed responsibly by our group and were discovered using our in-house developed fuzzing software KIF. The paper provides also mitigation techniques for all described vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. FreePBX: full-featured PBX web application. http://freepbx.org

  2. MPack: Insight into MPACK Hacker kit. http://www.malwarehelp.org/news/article-6268.html/

  3. The Asterisk PBX. http://www.asterisk.org/

  4. The Voice over IP Security Alliance (VOIPSA). http://www.voipsa.org/Activities/taxonomy.php

  5. trixbox: Asterisk-based IP-PBX. http://www.trixbox.com/

  6. Abdelnur, H., State, R., Festor, O.: Security Advisory: “SIP Digest Access Authentication RELAY-ATTACK for Toll-Fraud”. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-November/002475.html

  7. Abdelnur, H., State, R., Festor, O.: Security Advisory: “SQL injection in asterisk-addons and XSS injection in WWW application in Areski, FreePBX and Trixbox”. http://voipsa.org/pipermail/voipsec_voipsa.org/2007-October/002466.html

  8. Abdelnur, H., State, R., Festor, O.: KiF: a stateful SIP fuzzer. In: Proceedings of Principles, Systems and Applications of IP Telecommunications, IPTComm, pp. 47–56, New-York, NY, USA, July 2007. ACM Press, New York (2007)

  9. Butti L., Tinnes J.: Discovering and exploiting 802.11 wireless vulnerabilities. J. Comput. Virol. 4(1), 25–37 (2008)

    Article  Google Scholar 

  10. Crocker, D.: Augmented BNF for Syntax Specifications: ABNF. Standards Track, November 1997

  11. Fogie, S., Grossman, J., Hansen, R., Rager, A., Petkov, P.D.: XSS Exploits: Cross Site Scripting Attacks and Defense. Syngress (2007)

  12. Johnston, A.B., Piscitello, D.M.: Understanding Voice over Ip Security. Artech (2006)

  13. Litchfield D., Anley C., Heasman J., Grindlay B.: The Database Hacker’s Handbook: Defending Database Servers. Wiley, New York (2005)

    Google Scholar 

  14. Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol. http://www.ietf.org/rfc/rfc3261.txt, June 2002

  15. Sutton M., Greene A., Amini P.: Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional, Reading (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. INRIA Nancy – Grand Est, Vandoevre-Les-Nancy, France

    Humberto Abdelnur & Olivier Festor

  2. University of Luxembourg, Luxembourg, Luxembourg

    Radu State

Authors
  1. Humberto Abdelnur
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Radu State
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Olivier Festor
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Humberto Abdelnur.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Abdelnur, H., State, R. & Festor, O. Advanced fuzzing in the VoIP space. J Comput Virol 6, 57–64 (2010). https://doi.org/10.1007/s11416-009-0123-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-009-0123-7

Keywords

Search

Navigation