VOIPPACK 1.4 with added support for Cisco and Trixbox

Last week we distributed a new version of VOIPPACK with the following new tools:

Cisco environment:

  • vp_cucmjailbreak  : Given an ssh username and password for CUCM's restricted shell, this script creates a new root user and installs MOSDEF
  • vp_ciscophonescanner : Searches for Cisco phones on the target network by using HTTP and DNS probes
  • vp_cucmtftplist : Makes use of CUCM's "TFTP" server to list the phone's mac addresses / phone names

Trixbox / FreePBX environment:

  • vp_fopextensionenum : Enumerates extensions on FreePBX through the flash operator panel
  • vp_freepbx_exec1 : Installs MOSDEF on vulnerable Trixbox or FreePBX servers given a username and password for the admin interface


  • vp_mgcpscanner : A generic MGCP network scanner

Additionally we improved vp_sipenumerate to be able to scan Asterisk servers regardless of the alwaysauthreject option in Asterisk and work better wtih vp_bypassalwaysreject too!

What does cucmjailbreak do?

This is a new tool that automates the procedure outlined on Recurity lab's blog and allows CANVAS to install MOSDEF. This effectively allows you to use stolen Cisco Call manager credentials to fully compromise the server. The following video demonstrates the tool in action:


What does fopextensionenum do?

When trying to gain access to phone extensions on a target PBX server, attackers first need to find out which extensions exist on the server. Typically one would use features in SIP to do this, however an easier method is to abuse the Flash Operator Panel (FOP) to enumerate extensions easily. The following video demonstrates the tool in action:

What does ciscophonescanner do?

This tool scans a target IP address range and extracts the names of each phone found. It currently does this by making use of 2 methods: reverse DNS names and connecting to the HTTP interface of the Cisco phone.  Video demo:

What about the other tools?

  • CUCM TFTP list tool (vp_cucmtftplist) makes use of the Cisco CallManager's special TFTP server which allows listing of the files on the TFTP server
  • FreePBX exec1 tool (vp_freepbx_exec1) allows installation of MOSDEF on a target vulnerable Trixbox and FreePBX by abusing an unpatched php script in the administrative section. This leads to root access to the target server
  • We also added a generic MGCP scanner (vp_mgcpscanner) which helps finding devices that speak the protocol

That's it for now. For more information about VOIPPACK take a look at the products page.


Using XSS to switch off dotDefender 4.0

AppliCure's dotDefender version 4.0 had a security flaw in the log viewing feature of the administrative interface. We just published an advisory for this vulnerability. Here's the interesting part:

"The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers."

The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.

Advisory: ES-20100601

Video demo: http://vimeo.com/12132622


But doesn't the attacker need to reach the administrator interface?

Nope - its the administrator's authenticated web browser that disables the WAF due to the injected javascript. Therefore the attacker just needs to reach the website protected by the WAF.


VOIPPACK update for February 2010 brings faster VoIP cracking and destruction

So it's time to issue an update to VOIPPACK, with some new goodies!

This update includes

  • two new tools called "bypassalwaysreject" and "sipopenrelay"
  • DoS exploits for Asterisk PBX called "asteriskdiscomfort", "asterisksscanfdos" and "iax2resourceexhaust"
  • Generic DoS exploit "sipinviteflood"
  • Optimizations for the SIP Digest leak tool "sipdigestleak" and the SIP digest cracker

What does "bypassalwaysreject" do?

Asterisk PBX had introduced a new option "alwaysauthreject" which disables traditional enumeration of extensions. This tool makes use of an undisclosed method of enumerating extensions which works on Asterisk as of at least Asterisk (and possibly the latest version too).

What does "sipopenrelay" do?

This new tool tries to find misconfigured dialplans or ACLs by calling (sending INVITE messages) a specific phone number with different prefixes. This emulates current attack trends on the SIP front as described in various blog posts.The result would be free calls which indicate the possibility of toll fraud.

What about the new DoS tools?

Asterisk Discomfort exploits a DoS vulnerability that was fixed in AST-2009-010. The vulnerability lies in parsing of RTP comfort noise stream. The result is that Asterisk PBX crashes.

Asterisk SSCANF DoS exploits AST-2009-005 which has the result of crashing Asterisk PBX.

Invite Flood tool exploits a DoS found in various endpoints and PBX servers. It sends a large number of INVITE messages, initiating lots of calls and eventually causing either a crash or the application to hang.

IAX2 Resource exhaust is a DoS vulnerability that was fixed in AST-2009-006 and exploited a design flaw in the IAX2 protocol, in some ways similar to INVITE flood DoS. The result is that Asterisk starts taking too much resources, becoming unresponsive. Sometimes it crashes.

And the enhancements?

SIP Digest Leak tool and it's sister Digest cracker have both been updated to support two new features.

  1. Zerolen SDP option in SIP Digest Leak means that when some SIP endpoints pick up the call, they send a hangup immediately. This cuts the waiting time for the attacker and immediately gives him/her the challenge response.
  2. Support for using John the Ripper as an external tool to crack Digest passwords. The jumbo patch needs to be applied to John the ripper - I'll be posting on how to do this later on.

That is all for now, hope you enjoy the update. For more information about VOIPPACK take a look at the products page.


What I've been working on...

Lots of links included:

  • SEC-T in Sweden where I presented on VoIP security and the Internet .. proof that there's lots of VoIP devices being exposed on the 'net, and the sharks are there to profit by abusing them
  • Updated SIPVicious to support new features used for the SEC-T presentation
  • BruCON VoIP Auditing Workshop, which will be held tomorrow and the next day .. attendees will get to build their own tools and demonstrate security issues in popular PBX servers and SIP phones (more details on sipvicious.org)
  • Upcoming research in the following topics: Opensource PBX server security, SIP Digest leakage (some details here)
  • VOIPSCANNER.com is another project that is being upgraded
  • VOIPPACK updates, more details on this soon
  • And in between there's real work too :-)


HAR2009: Talks of interest

After a long wait, HAR is finally with us. There's a large number of talks and events and I thought I'd make a list of the ones that I hope to attend today:

  • "Teh Internetz are pwned" by Scott McIntyre: all the internet threats and issues from the point of view of an Internet Service provider.. might be illuminating ;-)

  • "Rootkits are awesome" by Mike Kemp, will be an update talk about his research into DLP (data loss prevention) and I hear that he'll be picking on more products

  • "Countering behavior based malware analysis" by Nomenumbra

  • "Advanced MySQL Exploitation" by Muhaimin Dzulfakar, the author of MySqloit

  • "Securing networks from an ISP perspective" by Bradley Freeman, seems to be along the lines of the talk by Scott McIntyre but from the point of view of a research & education network perspective, JANET

Then there's the workshops (and beer) which appear to be worth visiting in between the talks. Busy times indeed, but if you're around email me.