Finding Holes in Your PBX Before Someone Else Does. Covers switching algorithms, susceptibility to tapping, conferencing, remote access, maintenance feature vulnerabilities, line testing capabilities, undocumented maintenance features, software loading and update tampering, tamper and error detection, crash-restart attacks, live microphone vulnerabilities, embedded login IDs and passwords, alarms and audit trails, silent monitoring, override (intrude), voice mail security, and denial of service.
You can download it from the following link: https://packetstormsecurity.com/files/download/22507/PBX-draft.doc
Source: https://packetstormsecurity.com/files/22507/PBX-draft.doc.html