Blog

VOIPPACK 1.4 with added support for Cisco and Trixbox

2011-01-25T17:01:48Z

Last week we distributed a new version of VOIPPACK with the following new tools:

Cisco environment:

vp_cucmjailbreak : Given an ssh username and password for CUCM's restricted shell, this script creates a new root user and installs MOSDEF
vp_ciscophonescanner : Searches for Cisco phones on the target network by using HTTP and DNS probes
vp_cucmtftplist : Makes use of CUCM's "TFTP" server to list the phone's mac addresses / phone names

Trixbox / FreePBX environment:

vp_fopextensionenum : Enumerates extensions on FreePBX through the flash operator panel
vp_freepbx_exec1 : Installs MOSDEF on vulnerable Trixbox or FreePBX servers given a username and password for the admin interface

Generic:

vp_mgcpscanner : A generic MGCP network scanner

Additionally we improved vp_sipenumerate to be able to scan Asterisk servers regardless of the alwaysauthreject option in Asterisk and work better wtih vp_bypassalwaysreject too!

What does cucmjailbreak do?

This is a new tool that automates the procedure outlined on Recurity lab's blog and allows CANVAS to install MOSDEF. This effectively allows you to use stolen Cisco Call manager credentials to fully compromise the server. The following video demonstrates the tool in action:

What does fopextensionenum do?

When trying to gain access to phone extensions on a target PBX server, attackers first need to find out which extensions exist on the server. Typically one would use features in SIP to do this, however an easier method is to abuse the Flash Operator Panel (FOP) to enumerate extensions easily. The following video demonstrates the tool in action:

What does ciscophonescanner do?

This tool scans a target IP address range and extracts the names of each phone found. It currently does this by making use of 2 methods: reverse DNS names and connecting to the HTTP interface of the Cisco phone. Video demo:

What about the other tools?

CUCM TFTP list tool (vp_cucmtftplist) makes use of the Cisco CallManager's special TFTP server which allows listing of the files on the TFTP server
FreePBX exec1 tool (vp_freepbx_exec1) allows installation of MOSDEF on a target vulnerable Trixbox and FreePBX by abusing an unpatched php script in the administrative section. This leads to root access to the target server
We also added a generic MGCP scanner (vp_mgcpscanner) which helps finding devices that speak the protocol

That's it for now. For more information about VOIPPACK take a look at the products page.

Using XSS to switch off dotDefender 4.0

2010-06-01T11:10:43Z

AppliCure's dotDefender version 4.0 had a security flaw in the log viewing feature of the administrative interface. We just published an advisory for this vulnerability. Here's the interesting part:

"The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers."

The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.

Advisory: ES-20100601

Video demo: http://vimeo.com/12132622

FAQ

But doesn't the attacker need to reach the administrator interface?

Nope - its the administrator's authenticated web browser that disables the WAF due to the injected javascript. Therefore the attacker just needs to reach the website protected by the WAF.

VOIPPACK update for February 2010 brings faster VoIP cracking and destruction

2010-02-16T13:30:40Z

So it's time to issue an update to VOIPPACK, with some new goodies!

This update includes

two new tools called "bypassalwaysreject" and "sipopenrelay"
DoS exploits for Asterisk PBX called "asteriskdiscomfort", "asterisksscanfdos" and "iax2resourceexhaust"
Generic DoS exploit "sipinviteflood"
Optimizations for the SIP Digest leak tool "sipdigestleak" and the SIP digest cracker

What does "bypassalwaysreject" do?

Asterisk PBX had introduced a new option "alwaysauthreject" which disables traditional enumeration of extensions. This tool makes use of an undisclosed method of enumerating extensions which works on Asterisk as of at least Asterisk 1.6.2.1 (and possibly the latest version too).

What does "sipopenrelay" do?

This new tool tries to find misconfigured dialplans or ACLs by calling (sending INVITE messages) a specific phone number with different prefixes. This emulates current attack trends on the SIP front as described in various blog posts.The result would be free calls which indicate the possibility of toll fraud.

What about the new DoS tools?

Asterisk Discomfort exploits a DoS vulnerability that was fixed in AST-2009-010. The vulnerability lies in parsing of RTP comfort noise stream. The result is that Asterisk PBX crashes.

Asterisk SSCANF DoS exploits AST-2009-005 which has the result of crashing Asterisk PBX.

Invite Flood tool exploits a DoS found in various endpoints and PBX servers. It sends a large number of INVITE messages, initiating lots of calls and eventually causing either a crash or the application to hang.

IAX2 Resource exhaust is a DoS vulnerability that was fixed in AST-2009-006 and exploited a design flaw in the IAX2 protocol, in some ways similar to INVITE flood DoS. The result is that Asterisk starts taking too much resources, becoming unresponsive. Sometimes it crashes.

And the enhancements?

SIP Digest Leak tool and it's sister Digest cracker have both been updated to support two new features.

Zerolen SDP option in SIP Digest Leak means that when some SIP endpoints pick up the call, they send a hangup immediately. This cuts the waiting time for the attacker and immediately gives him/her the challenge response.
Support for using John the Ripper as an external tool to crack Digest passwords. The jumbo patch needs to be applied to John the ripper - I'll be posting on how to do this later on.

That is all for now, hope you enjoy the update. For more information about VOIPPACK take a look at the products page.

What I've been working on...

2009-09-17T11:02:25Z

Lots of links included:

SEC-T in Sweden where I presented on VoIP security and the Internet .. proof that there's lots of VoIP devices being exposed on the 'net, and the sharks are there to profit by abusing them
Updated SIPVicious to support new features used for the SEC-T presentation
BruCON VoIP Auditing Workshop, which will be held tomorrow and the next day .. attendees will get to build their own tools and demonstrate security issues in popular PBX servers and SIP phones (more details on sipvicious.org)
Upcoming research in the following topics: Opensource PBX server security, SIP Digest leakage (some details here)
VOIPSCANNER.com is another project that is being upgraded
VOIPPACK updates, more details on this soon
And in between there's real work too :-)

HAR2009: Talks of interest

2009-08-13T14:23:46Z

After a long wait, HAR is finally with us. There's a large number of talks and events and I thought I'd make a list of the ones that I hope to attend today:

"Teh Internetz are pwned" by Scott McIntyre: all the internet threats and issues from the point of view of an Internet Service provider.. might be illuminating ;-)

"Rootkits are awesome" by Mike Kemp, will be an update talk about his research into DLP (data loss prevention) and I hear that he'll be picking on more products

"Countering behavior based malware analysis" by Nomenumbra

"Advanced MySQL Exploitation" by Muhaimin Dzulfakar, the author of MySqloit

"Securing networks from an ISP perspective" by Bradley Freeman, seems to be along the lines of the talk by Scott McIntyre but from the point of view of a research & education network perspective, JANET

Then there's the workshops (and beer) which appear to be worth visiting in between the talks. Busy times indeed, but if you're around email me.

VOIPSCANNER.com - SaaS VoIP security auditing

2009-07-17T08:35:27Z

One thing that I've been working on is making it easy for organizations and consultants to check their IP PBX for security issues. Toll fraud, or theft of service (phone calls) is becoming quite a problem for organizations that expose their PBX on the Internet. VOIPSCANNER.com aims to make it easier to find out how easy it is for attackers out there to gain access to your PBX.

So head over to VOIPSCANNER.com and create an account!

Using this tool consists of the following steps:

Enter the IP address of your PBX server and scan away

Receive a report by email that shows the findings

How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:

Checks if an IP PBX is listening on the given address

Does extension enumeration, just like svwar in SIPVicious

For each extension found it starts a password cracking attack

Generate a PDF report such as this one

Any feedback or affiliate requests, contact me.

WAF research media coverage and a response to Imperva

2009-05-20T13:00:08Z

Our presentation at OWASP Europe in Krakow on Web Application Firewall shortcomings was featured on Darkreading, and Wendel was quoted in the article. Other sites and blogs (such as Heise) also mentioned the presentation. Imperva's (which happens to be a WAF vendor) blog had some comments about the presentation as well, and in this post I hope to answer some of the claims.

"What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out if a WAF is deployed to protect a web application and two techniques that can allegedly "bypass" WAFs."

Unfortunately we had a couple of technical issues that meant that our presentation did not start on time and some of the live demos could not be shown. We had just 30 minutes to present which was not enough. We did perform the demos the next day anyway to a number of people who had some interesting feedback (more on that later). Either way, we mentioned more than two techniques that can lead to a bypass in some of the Web Application Firewalls.

"The two speakers described WAFs basically as a combination of black lists and white lists while missing the entire point in WAFs that learn the web application interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages in purely signature based products like IDSs."

I do not currently have access to Imperva's SecureSphere, but aren't "dynamic profiling and express complex security rules" there to automatically create whitelists? That is what the SecureSphere datasheet and the specifications page implies. If not, can you explain how this works (and also explain express complex security rules)?

Most WAFs by default support blacklist approach and on large complex sites the positive model is not easy to setup or maintain. Making use of learning features of various WAF products is definitely going to help, but does not solve issues such as maintenance. A good question is "what sort of traffic do you use to train your WAF"? A large number of WAFs are configured to make use of the blacklist approach most of the times, even though the positive / whitelist model is supported by the WAF product.

"Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased"

Detection of the WAF is not a major security issue within itself, but is just another step in the reconnaissance stage of an attack.

As for the feedback that we received at OWASP, many of the participants who had first hand experience with Web Application Firewalls agreed that positive model Web Application Firewalls are a pain to maintain. Everyone came to the conclusion that you need dedicated personnel to maintain a large web application protected by a WAF. That is hardly something that the vendors want you to know.

Web Application Firewalls and VoIP on the intertubes

2009-05-15T20:09:18Z

So the OWASP at Krakow (which was a great experience!) came to an end. The conference was a mixture of technical and non-technical presentations; I liked the w3af presentation and thought it was well delivered, and I heard that the "HTTP Parameter Pollution" was particularly interesting. It seems that the Web Applications Firewall talk that we gave steered the attention of various organizations, media (DarkReading) and people (Twitter). The presentation went a big bonkers and Murphey's Law kicked in. However we got the chance to demonstrate the missed content after the conference for an audience that provided a lot of good feedback.

I'll also be presenting a session on VoIP scanning on the internet at CONFidence tomorrow. Most other presentations and research seems to focus on VoIP (in)security + layer 2 issues, such as sniffing clear text VoIP. In contrast to this, my session will be more focused on what attackers coming Internet (can) do to your SIP PBX and endpoints. The focus is on demonstrating using both live demos and recorded videos and destribing some interesting (rather new) attacks that apply to VoIP on the Internet.

The state of Web Application Security and their Firewalls

2009-04-26T20:24:31Z

Back from Troopers09 in Munich after presenting our (Wendel Guglielmetti Henrique from Trustwave and yourstruly) research on Web Application Firewalls. Troopers was great and the organizers (Enno Rey and co) made a great job out of the conference. Kudos to them! During the presentation we demonstrated some tools that will help security analysts and penetration testers to identify WAFs and fingerprint their rules.We hope to release these tools soon.. meanwhile if you would like to beta test, please send me a note.

Last week Bryan Miller from Syrinx Technologies interviewed me on Web Application Security and WAFs. You may listen to this podcast here where I gave my views on web application security and an introduction to the presentation for Troopers. If you would like to keep updated with this podcast, you may subscribe using the RSS feed.

[slideshare id=1344590&doc=wendel-sandro-troopers09-1-090426151524-phpapp02]

VOIPPACK for April adds Asterisk scanning, leaking phones and Troopers09

2009-04-15T14:18:03Z

Announcing the VOIPPACK April edition supporting IAX2 and can now scan Asterisk servers. Because the feedback for sipautohack was great, we included a similar tool for the Asterisk protocol called iax2autohack in the April edition of VOIPPACK. The following are the new tools avialable in this update:

iax2enumerate which like sipenumerate, tries to guess extensions present on the Asterisk box, and will inform you if the extension has any password set or not

iax2cracker which given a known extension on the Asterisk box, will attempt to recover the password through an online bruteforce attack

iax2autohack which finds out any Asterisk servers on the network, enumerates the extensions and launches a password cracking attack on each extension

The following demo shows iax2autohack in action:

[vimeo http://vimeo.com/4162693]

For more information about VOIPPACK and our other offerings check out the products page.

Additionally we confirmed a few phones that are vulnerable to the SIP Digest Leak vulnerability (tools included in VOIPPACK) for the Cisco 7940, Grandstream, Fritzbox and more, thanks to Sjur and another unnamed entity ;-) Will be working on further research and releasing a paper after Troopers09 where Wendel G Henrique and I will be presenting our Web Application Firewall research and releasing new tools.

Watch twitter if you're interested in what's happening ;-)