From: jlacour at zonelabs.com (John LaCour)
Subject: RE: ASN.1 telephony critical infrastructure warning - VOIP

> Gadi Evron wrote:
> 
> ASN is what VOIP is based on, and thus the critical infrastructure for
> telephony which is based on VOIP.
> 
> Zak Dechovich wrote:
> 
>  > Mail from Zak Dechovich <ZakGroups@...UREOL.COM>
>  >
>  >
>  > ASN1 is mainly used for the telephony infrastructure (VoIP),
>  > any code that attacks this infrastructure can be


"ASN.1 is what VoIP is based on" is an overly broad statement.
The ITU H.323 umbrella of protocols uses ASN.1 as the data 
encoding method for several of the protocols.

There are many other VoIP signaling protocols which don't
use ASN.1.  SIP comes to mind.  Most VoIP media is RTP 
(RFC 3550) which doesn't use ASN.1 at all.

Particular VoIP implementations that happen to use ASN.1
may or may not use it correctly.  Those that have flawed
ASN.1 implementations may or may not be exploitable.  If
a given system is exploitable, it's likely that the exploit
will be specific to a certain vendor and/or platform.

IMHO, the possibility of some kind of VoIP worm propagating 
by exploiting ASN.1 is highly unlikely.  

-John

