Asterisk IAX2 DoS and Exploit Framework
While researching and writing a soft phone that uses the IAX2 protocol I found a protocol flaw that gave me a reflective amplification DoS attack on Asterisk server. It remains a zero day to this day (https://www.altsci.com/concepts/page.php?s=asteri&p=1). I released it publicly to gain publicity for this flaw. I wrote a simple framework to use the IAX2 protocol and I intend to show how to test the protocol for buffer overflows and DoS attacks in the talk. Releasing a zero day in critical infrastructure is good for publicity, and I hope to release either another zero day or at least an exploit of a known vulnerability. Since I have Asterisk running on several machines and have a server connected to the backbone of the net, I can easily show this DoS and any other exploit I have written in realtime. I plan to only use machines that I own or have permission to use for these tests of course.
Joel R. Voss
Joel R. Voss is an independent security researcher, Neg9 Seattle hacker, and self-employed programmer. He has a Bachelor of Science in Physics from the University of Washington and enjoys thinking about science and technology. He is attending Toorcon Seattle for the talks and the camaraderie which were both amazing last year. He is technically a returning speaker since he gave an unscheduled lightning talk at Toorcon 8 San Diego on Basic Steganography.
|
