Can You Hear Me Now? - VoIP (In)Security, and Jumping VLANs, Oh my!
I could write for days about what I learning in SEC540 - VoIP Security, a SANS course presented by Raul Siles and Eric Cole. I had fun, and got a chance to harass a fellow SANS instructor :-p It was a fantastic course! Lets put it this way, if you are in a position where you need to advise a company on how to implement VoIP, and/or are responsible in any way, shape, or fashion for a VoIP deployment in your organization, you need to go take this course. Here are some of my thoughts:
- SIP, the primary signaling protocol, was designed to be easy to use, which means they leave out security. Its based on other similar protocols such as HTTP and SMTP, using the same kind of handlers (i.e. INVITE is similar to an HTTP GET).
- Many of the problems with SIP are implementation specific, and can be locked down in the configuration. For example, if you setup an Asterisk server and leave registration open, that spells trouble! This is how things like SPIT and Vishing are happening. An example of a security enhancement in your implementation is to run SIP over TCP to prevent replay attacks and spoofing.
- There are many other problems that are inherent to SIP/RTP itself. For example, RTP has to use UDP in order for calls not ....to......sound.....like..........this. However, this makes it easy to inject audio into a call because the sequence number is only doing just that, sequencing.
- VLANS are not a security mechanism. If someone was going to prison, they most likely would not wear womens underwear in favor of boxer shorts (iron clad ones if available). In the same light, you would never design your network without VLANs and have one big gigantic flat network. This would leave everyone more vulnerable to ARP cache poisoning and a host of other attacks. You would want to have VLANs in place to segment your network. However, as is the case with going to prison, you are screwed either way.
This brings us to a new tool released at Toorcon 9 in October of this year. Jason Ostrom and John Kindervag gave a presentation called "VoIP Penetration Testing: Lessons Learned, Tools and Techniques". They released a tool called VoIP Hopper (http://voiphopper.sourceforge.net). It uses CDP and other methods to figure out what the VoIP VLAN is and assign it to an 802.1q interface in Linux. This puts you on the VoIP VLAN where you can attack phones, intercept calls, etc...
I ran voiphopper on Backtrack 2.0, since I did not have 802.1q compiled into my kernel. It is not included by default, so you have to download it to BT, then compile it with the "make" command. once compiled, you can see it has the following options:
Usage: voiphopper [-i interface] [-l] [-m MAC] [-a] [-v VLANID] [-D] Options: -i Interface to sniff on -l List available interfaces -m MAC Address to spoof -a Avaya DHCP Option 176 -v Vlan to hop to without sniffing for CDP -D Don't change the MAC address of default interface
I plugged into the back of my Cisco 7940 VoIP phone and then ran it with the following options:
bt voiphopper-0.9.7 # voiphopper -i eth0 Capturing CDP Packets on eth0 Captured IEEE 802.3, CDP Packet of 125 bytes Discovered VoIP VLAN: 100 Error trying to add VLAN 100 to Interface eth0: Invalid argument Attempting dhcp request for new interface eth0.100 dhcpcd: MAC address = 00:18:8b:c6:ed:04 dhcpcd: your IP address = 192.168.1.27
Neat! Now look, I have an interface on the VoIP VLAN (100 in this case):
bt voiphopper-0.9.7 # ifconfig eth0.100 eth0.100 Link encap:Ethernet HWaddr 00:18:8B:C6:ED:04 inet addr:192.168.1.27 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::218:8bff:fec6:ed04/64 Scope:Link UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:88 errors:0 dropped:0 overruns:0 frame:0 TX packets:575 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:5526 (5.3 KiB) TX bytes:33434 (32.6 KiB)
Lets see what's on this subnet:
bt voiphopper-0.9.7 # nmap -sP 192.168.1.1-254 Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-14 14:27 GMT Host 192.168.1.1 appears to be up. MAC Address: 00:17:E0:4A:65:B1 (Cisco Systems) Host 192.168.1.2 appears to be up. MAC Address: 00:17:E0:4A:65:B1 (Cisco Systems) Host 192.168.1.11 appears to be up. MAC Address: 00:17:95:F8:B7:29 (Cisco Systems) Host 192.168.1.12 appears to be up. MAC Address: 00:17:95:F8:B7:74 (Cisco Systems) Host 192.168.1.13 appears to be up. MAC Address: 00:17:95:2B:83:C0 (Cisco Systems) Host 192.168.1.14 appears to be up. MAC Address: 00:17:95:F9:C9:FB (Cisco Systems) Host 192.168.1.15 appears to be up. MAC Address: 00:18:19:24:1C:6F (Cisco Systems) Host 192.168.1.18 appears to be up. MAC Address: 00:0F:90:89:6D:2C (Cisco Systems) Host 192.168.1.19 appears to be up. MAC Address: 00:0F:90:88:35:08 (Cisco Systems) Host 192.168.1.20 appears to be up. MAC Address: 00:0F:90:88:3B:93 (Cisco Systems) Host 192.168.1.21 appears to be up. MAC Address: 00:0F:90:88:3C:27 (Cisco Systems) Host 192.168.1.22 appears to be up. MAC Address: 00:0F:90:88:31:A7 (Cisco Systems) Host 192.168.1.23 appears to be up. MAC Address: 00:0E:38:41:33:8A (Cisco Systems) Host 192.168.1.26 appears to be up. MAC Address: 00:15:FA:1A:D4:D4 (Cisco Systems) Host 192.168.1.27 appears to be up. Nmap finished: 254 IP addresses (15 hosts up) scanned in 44.149 seconds
Looks like a whole bunch of Cisco phones! From here I can ARP cache poison and do all sorts of nasty stuff. There has been much push back on this technique, as first its nice when CDP is enabled. CDP is great for attackers, it gives out all sorts of information. The following tcpdump command will dump the CDP packets out so you can see them:
bt voiphopper-0.9.7 # tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000' tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes 14:30:27.612332 CDPv2, ttl: 180s, checksum: 692 (unverified), length 125 Device-ID (0x01), length: 15 bytes: 'SEP0015FA1AD4D4' Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.26 Port-ID (0x03), length: 6 bytes: 'Port 2' Capability (0x04), length: 4 bytes: (0x00000090): L3 capable Version String (0x05), length: 12 bytes: P0030702T023 Platform (0x06), length: 19 bytes: 'Cisco IP Phone 7940' Native VLAN ID (0x0a), length: 2 bytes: 200 Duplex (0x0b), length: 1 byte: full ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 100 AVVID trust bitmap (0x12), length: 1 byte: 0x00 AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00 1 packets captured 2 packets received by filter 0 packets dropped by kernel bt voiphopper-0.9.7 #
Note: The filter 'ether[20:2] == 0x2000' is checking if bytes 20 and 21, from the start of the ethernet header, for a value of 2000 (hex).
And look, a new version of Nmap to run against the phones!
paimei:~/downloads paulda$ sudo nmap -e en0 -sV -p 1-65535 -O 192.168.1.11 Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-14 14:37 EST Interesting ports on 192.168.1.11: Not shown: 65534 closed ports PORT STATE SERVICE VERSION 80/tcp open http Cisco IP Phone http config No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ). TCP/IP fingerprint: OS:SCAN(V=4.50%D=12/14%OT=80%CT=1%CU=31202%PV=Y%DS=1%G=Y%TM=4762DBC9%P=i386 OS:-apple-darwin8.11.1)SEQ(SP=0%GCD=A000%ISR=95%TI=I%II=I%SS=S%TS=U)OPS(O1= OS:M5B0%O2=M5B0%O3=M5B0%O4=M5B0%O5=M5B0%O6=M5B0)WIN(W1=578%W2=578%W3=578%W4 OS:=578%W5=578%W6=578)ECN(R=Y%DF=N%T=FA%W=578%O=M5B0%CC=N%Q=)T1(R=Y%DF=N%T= OS:FA%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=FA%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T OS:3(R=Y%DF=N%T=FA%W=578%S=O%A=S+%F=AS%O=M5B0%RD=0%Q=)T4(R=Y%DF=N%T=FA%W=0% OS:S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=FA%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6( OS:R=Y%DF=N%T=FA%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=FA%W=0%S=Z%A=S+%F OS:=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=FA%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%R OS:UCK=G%RUL=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=FA%TOSI=Z%CD=S%SI=S%DLI=S) Network Distance: 1 hop Service Info: Device: VoIP phone OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap done: 1 IP address (1 host up) scanned in 102.205 seconds
So, thats all well and good, but what if you are not running CDP? Thats okay, your phone will happily grant you access to that information:
Oh, and what if there are no phones vulnerable to anything? Thats okay, you can use yersinia to become the spanning tree root and take over the entire network:
No more details here, as I did not want to disrupt the network!
YATS: Removing Jpeg Metadata with ExifTool
Quite some time ago, we mentioned an article where a Hacker who was interviewed "anonymously" for an article had his location revealed via the IPTC Metdata located in his picture in the article. As a follow on, we'll show you a command line tool (available on Windows, linux and OS X - a perl script)- ExifTool - that can show you the data. The real follow on to an earlier metadata tech segment, we'll show you how to remove all of the possible metadata with ExifTool as well.
First, let's view the meta data
NORAD:$ exiftool -a -u -g1 <jpeg filename>
Lots of awesome output. The IPTC bits are used by the AP...
So, how can we delete most info with:
NORAD:$ exiftool -All= <jpeg filename>
Alternatively if we just wanted to remove the most offending bits, the XMP data (IPTC, if I recall) we can just use
NORAD:$ exiftool -xmp:all= <jpeg filename>
As an added bonus, one of the other things that was discovered with the article during the investigation, was that an image of 0x80 had been cropped to disguise his face and surroundings, but the image thumbnail had been left as the original, full sized image. We can use exiftool to extract the thumbnail with
NORAD:$ exiftool -b -ThumbnailImage <jpeg filename> > <jpeg thumbnail filename>
and view the resulting output in an image viewer of your choice.
On another note, you can do some quick auditing with a Firefox Add-on called FxIF, which when you view image properties, it will reveal a limited set of image metadata.
This is just scratching the surface of ExifTool!
Stories Of Interest
Autorun = Autocompromise - [Paul] - A few thoughts on this one, well yea autorun is bad. I mean just look at the name, "auto" + "run". Nice when malware can automatically be run! First, there are viruses that spread through USB keys. I know this is nostolgic for many (remember when Viruses could only spread through 5.25" Floppy Disks?), but a real concern for companies, especially ones who say, "I don't have to lock that down, its on the "inside" of my network!". Guess what, so are the attackers. Also, is autorun exploitable in OS X as it runs DVD Player when you pop in a DVD? And defense, disable auto run with group policy, you'll sleep a little better at night, until I tell you that I've been successful in social engineering access to PCs and just running the script manually. Try not to leave PCs unattended!
Quicktime patches - [Larry] - Finally after two week. What I thought was interesting was the patch of the Flash Player fixes - It doesn't actually fix the problem, just limits the handler to allow only files that are safe - and they doesn't explain exactly how it is supposed to work. Can you say spoofed "safeness"?
Very Sexy Attack Against OWA - [Paul] - Just to put this in context, it is what is reported as a 0day for Echange 2003. However, I bet many still run that version. Essentially, due to a bug in OWA, you can perform a phising, "spear phishing", attack against a company and collect OWA logins. Its pretty neat!
Squirrel Mail Compromise - [Larry] - I'm not sure what to say, but I need to say something :-)
Video Game Console Botnet - [Paul] - I think this is a great paper that discusses how so called "7th generation" botnets could be used to build a botnet. Heck, why not? There are tons of them on the net now (Wii, PS3, and XBOX360), they've got good CPU/RAM/Storage, and commerce comes into play (CC are used to purchase music, games, subscriptions, etc...). However, I disagree with the uniformity of the platform. Wii, PS3, and XBOX360 all use different firmware and have 2 different process architecures, PowerPC for Wii and Xbox, and Cell for the PS3.
Websense Filering Bypass - [Larry] - Wow, that was easy. Just use the Firefox USer agent switcher, and set your user agent to that of RealPlayer, MSN Messenger or WebEx. I wonder how the iPhone user agent stacks up? Again, another cool add on for Firefox.
GNUCitizen take on hacking embedded - [Paul] - some great research on hacking embedded devices, and a mistake on Security Focus! Aruba does have a fix for the vuln reported, see here http://www.arubanetworks.com/support/alerts/aid-070907b.asc
Chris Hoff pwns j00! - [Larry] - As a "simulation" of a SCADA type attack, Chris sent a 0-day exploit for the Quicktime RTSP vulnerability to his friend Rich Mogull. Chris was then able to take control of Rich's home automation system, and browse cameras, turn off lights, and have fun with music - much like an attack against a SCADA system. On another note, ALWAYS GET PERMISSION. Go listen to the next Network Security podcast, where both Rich and Chris will be on!
New Version Of Nmap, 4.50, has landed! - [Paul - I <3 Nmap! Check out the release notes here. I think that the GUI, now called Zenmap is most notable, its an updated version of Umit, which we covered in a previous episode. 4.50 also includes an updated OS and service fingerprinter, a LUA scripting interface (Which is good because the perl library for interfacing with Perl and Nmap was dated). However, why not Ruby!!!o
Secret plans in the trash - [Larry] - Secret bank construction plans, detailing all of the physical security measeures was found by a hairdresser in a trash can out side of the new bank branch. Now, the real important question is, what is the hairdresser doing going through the bank's trash?
SquirrelMail Package Compromise - [Paul] - This is a good way to get inside people's systems, trojan open-source software. It has far reaching effects too, such as when Dbeian, Gentoo, and Fedora pick up the trojaned package. Defense is tough, MD5 sums only go so far, as if the attacker has root on the package maintainer's system you can just re-calculate the hash. This is where monitoring your network for extrusions is critical, ala Richard Bejtlich.
All ur XSS b-long 2 us - [Larry] - Notification service for your XSS vulns - not actual testing, just notification when your site is submitted. This is not the end all, be all - what happens when you implement web app X and another site with web app X gets listed, and not by the App? The only way to get the notice is be aware of your applications - oh, and go subscribe to the RSS feeds at xssed.com
Expose Clients to the Internet? - [Paul] - So, I'm not really into mud slinging (okay, Security Now! gets a smearing every now and again, but then again they start every podcast with 20 minutes about Spinrite, a product which he sells and writes). But I almost drove off the road when they began talking about how its okay to expose clients directly to the Internet because when they are using the wireless at Starbucks they are exposed to the Internet anyway. Defense-In-Depth!! I could streak through my neighborhood naked too, but eventually someone is going to see me. [ed: and who oever sees you will need to poke out thier eyes with a sharp stick. /me shudders - Larry] Same thing, you can expose yourself to the Internet directly, but eventually some malware is going to infect your system, disable your personal firewall, and leave you naked and open to, er attacks. Do I dare say "expose holes"? Don't make it easy for an attacker, remember its about not getting outsmarted and an organization with no firewall is just plain stupid.
NOTE ON PREDICTIONS: We keep listeners up-to-date every week with the latest information on whats happening in the world of security, and what is likely going to happen based on weekly observations of the world around us. Therefore, we don't make stupid predictions here on Security Weekly of "Whats coming next year?", stay tuned and listen, that way you don't have to wait until December of each month before you find out whats going to happen.
Where do we test now? - [Larry] - As we talked about last week, SANS proctored testing is available at CompUSA locations. Now CompUSA announces that it is closing it's doors nation-wide. What do we do now?
Build Your Own Gateway Firewall - [Paul] - While this looks like fun, I think its best left to embedded. Something like a Soekris box, which you can get for $300, is a much better choice. Why? It takes up less space, has less moving parts, generates less heat and power, and forces you to make your firewall only do what a firewall should do, inspect packets and permit or deny them, which means its got better security.
nmap 4.50 released [securethoughts, Larry] - "The changelog shows 320 changes since 4.00 with a lot of great stuff in this release! It has a brand new GUI and results viewer (Zenmap), a scripting engine allowing you to write your own scripts for high-performance network discovery (or use one of the 40 scripts shipped with it), the 2nd generation OS detection system (now with more than a thousand fingerprints), nearly 1,500 more version detection signatures, and a lot more!"
Hurray For Goolge - They removed 40,000 malware sites! - [Paul] - W00t! I think Google should be doing more of this, and continue to work with companies like Sunbelt that can help accurately define what sites are hosting malware, and which ones are legit.o
Top 5 VoIP Vulnerabilities in 2007 - [Paul] - So, first, I had the "top x of xxx year" crap. Second, these are attacks, not vulnerabilities. However, lets discuss them...
Other Stories Of Interest
Santa failing to comply with UK data protection laws - [Larry] - Dammit Santa! No cookies for you! :-)
w00t! - [Larry] - W00t named word of the year by Mirriam Webster website.
Listener Submitted Stories
More Leopard DoS Vulns (Mach-O and VPN) - [securethoughts] - Three new DoS vulns have been found this week by digit-labs. The first one is a local DoS when processing malformed Mach-O binaries. The second is a remote DoS on Leopard's vpnd. The third is another local DoS in xnu. No patches yet! (Post has links to exploits)
Improving Password Protection With Easy To Remember Drawings - Interesting research on using Draw-A-Secret with Backgrounds (BDAS) to improve 'password' strength. The main research paper is available here: http://portal.acm.org/citation.cfm?doid=1315245.1315252 and I have a short blog posting about it here: http://ab-rtfm.blogspot.com/
DNS poisoning [mmiller] - PC world story about DNS research going on at Google and the Georgia Institute of Technology.
nmap 4.50 released [securethoughts] - "The changelog shows 320 changes since 4.00 with a lot of great stuff in this release! It has a brand new GUI and results viewer (Zenmap), a scripting engine allowing you to write your own scripts for high-performance network discovery (or use one of the 40 scripts shipped with it), the 2nd generation OS detection system (now with more than a thousand fingerprints), nearly 1,500 more version detection signatures, and a lot more!"