Posted on behalf of h4xorHunt3r

I have been working on a paper that deals with the above topic, and a few things about this vuln(s) have caught my attention. First of all, I am not a coder and have no access to tools that exploit this vuln(s). If anyone wishes to make their eyes bleed, try reading the ITU H.323 umbrella of standards. (I used a draft rev of the standard due to be published this June.)

As you may have seen, CERT-CC published an advisory on the H.323 vulns that were researched by the Univ. of Oulu and are being managed by the NISCC. The Univ. focused their testing on H.225.0 implementations from an unknown group of vendors. Some of the interesting things I noticed were that the Univ. only tested the default TCP 1720 port, which is used for endpoint-endpoint session establishment. They did not look at the control or the tear-down phase of this protocol. In addition, H.225.0 also uses ports TCP/UDP 1718 for multicast to gatekeepers and TCP/UDP 1719 for unicast to gatekeepers, and UDP 1720 may be used for endpoint-endpoint. (I tried to stay away from the ISDN Q.931 standard as it does not apply to my particular environment, though it is also vuln to the same conditions.)

The majority of workarounds I have seen state that the admin should block access to TCP/UDP port 1720. I do not believe this workaround by itself is adequate to protect these services.

As far as I can tell, a promising yet unresearched (unpublished?) area of this subset of vulns would be testing the rest of the connection phase, control and tear-down of the H.225.0 vendor implementations. Then look around at vendor solutions that do not use the default ports. Another unchecked area would be the rest of the H.323 protocol family, and there are a few.

If anyone is interested in doing this type of research, please let me know. I will do what I can to assist, but I am by no means an expert.

Here are the information links:

MS ISA H.323 thread http://www.governmentsecurity.org/forum/in...?showtopic=5936
CERT-CC CA-2004-001 http://www.cert.org/advisories/CA-2004-01.html

Cisco advisories:
http://www.cisco.com/warp/public/707/cisco...0113-h323.shtml
http://www.cisco.com/warp/public/707/cisco...121-voice.shtml

NISCC Advisory:
http://www.uniras.gov.uk/vuls/2004/006489/h323.htm

Univ. of Oulu Abstract:
http://www.ee.oulu.fi/research/ouspg/proto...50v4/index.html

Cheers all.
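The post's point that blocking TCP 1720 alone leaves the other H.225.0 listeners reachable can be checked mechanically. The following is an added example, not part of the original post and not a tool from any vendor or advisory linked above: it takes the port/protocol list exactly as the post states it (TCP/UDP 1718, 1719 and 1720), evaluates a small constructed first-match, default-allow firewall policy against that list, and classifies constructed flow records by their H.225.0 role. The `Rule` format, the policies and the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# H.225.0 listener set as the post lists it: (protocol, port) -> role.
H225_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 1720): "call signalling, endpoint to endpoint",
    ("udp", 1720): "call signalling, endpoint to endpoint",
    ("tcp", 1718): "gatekeeper discovery (multicast)",
    ("udp", 1718): "gatekeeper discovery (multicast)",
    ("tcp", 1719): "gatekeeper RAS (unicast)",
    ("udp", 1719): "gatekeeper RAS (unicast)",
}


@dataclass(frozen=True)
class Rule:
    """One rule in a constructed first-match, default-allow policy (example format)."""
    action: str           # "deny" or "allow"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every destination port


def rule_matches(rule: Rule, proto: str, port: int) -> bool:
    return rule.proto in ("any", proto) and rule.port in (None, port)


def is_blocked(rules: List[Rule], proto: str, port: int) -> bool:
    """The first matching rule decides; no match means the traffic is allowed."""
    for rule in rules:
        if rule_matches(rule, proto, port):
            return rule.action == "deny"
    return False


def exposed_h225_ports(rules: List[Rule]) -> Dict[Tuple[str, int], str]:
    """H.225.0 listeners that the policy still lets through."""
    return {key: role for key, role in H225_PORTS.items()
            if not is_blocked(rules, *key)}


def classify_flow(record: str) -> Optional[str]:
    """Tag a constructed flow record 'proto src:sport -> dst:dport' with its
    H.225.0 role, or None when the destination port is not one the post lists."""
    proto, _src, _arrow, dst = record.split()
    dport = int(dst.rsplit(":", 1)[1])
    return H225_PORTS.get((proto.lower(), dport))


def flows_reaching_h225(rules: List[Rule], flows: List[str]) -> List[Tuple[str, str]]:
    """Flows aimed at an H.225.0 port that the policy does not stop."""
    reaching = []
    for record in flows:
        role = classify_flow(record)
        proto = record.split()[0].lower()
        dport = int(record.rsplit(":", 1)[1])
        if role and not is_blocked(rules, proto, dport):
            reaching.append((record, role))
    return reaching


# The common workaround the post quotes: block TCP 1720 and nothing else.
TCP_1720_ONLY: List[Rule] = [Rule("deny", "tcp", 1720)]

# A policy covering every H.225.0 port the post mentions, on both protocols.
FULL_H225_BLOCK: List[Rule] = [Rule("deny", "any", p) for p in (1718, 1719, 1720)]

# Constructed sample flows (documentation addresses, not captured traffic).
SAMPLE_FLOWS: List[str] = [
    "tcp 198.51.100.7:51234 -> 192.0.2.10:1720",
    "udp 198.51.100.7:40001 -> 192.0.2.10:1720",
    "udp 198.51.100.7:40002 -> 224.0.1.41:1718",
    "udp 198.51.100.7:40003 -> 192.0.2.11:1719",
    "tcp 198.51.100.7:40004 -> 192.0.2.10:443",
]


if __name__ == "__main__":
    for name, policy in (("TCP 1720 only", TCP_1720_ONLY),
                         ("all H.225.0 ports", FULL_H225_BLOCK)):
        exposed = exposed_h225_ports(policy)
        print(f"Policy '{name}' still exposes {len(exposed)} H.225.0 listener(s)")
        for flow, role in flows_reaching_h225(policy, SAMPLE_FLOWS):
            print(f"  passes: {flow}  [{role}]")
```

Run as a script it reports five listeners and three of the sample flows still reaching H.225.0 under the TCP-1720-only policy, and none under the policy that covers 1718, 1719 and 1720 on both TCP and UDP. The same `flows_reaching_h225` check can be pointed at real flow records in the same `proto src:sport -> dst:dport` shape to confirm which H.225.0 ports a given policy actually exposes.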