Category: Breaking

Breaking
by Sergej Schmidt

Assesment of Visual Voicemail on iPhones

VVM on iOS 5.0.1

Visual Voicemail (VVM) is a common feature of phone providers which allows accessing the good old voice-mailbox through the phone’s visual interface. In contrast to the classical voicemail approach, VVM allows intuitive navigation through voice-messages without dealing with an automated voice which tells you about message count and possible options. However, this implies the need of actually loading the messages of missed calls on the phone. The VVM-app displays missed calls and downloads corresponding messages which have been left by the initial caller. The software comes with your iPhone and is not intended for uninstallation. However, providers have to support it and will have to activate it for supporting clients. This feature is available on iPhones since August 2009 and became available on BlackBerrys and few Nokia phones later. Android doesn’t implement VVM in general. However some telecommunication providers offer their own apps to add this feature. Since version 4.0, Android offers an official Voicemail Provider API enabling better integration for the mobile OS.

Lately we had a deeper look at a VVM client. The client is integrated (on iPhones) into the phone app but has to be activated by the provider (and a special backend is needed). We assume it’s handled through a stealth SMS or alike, since related network traffic is not visible. Also most providers charge you for this feature. Some contracts include VVM, but typically it has to be activated initially. Even if connection to a wireless LAN exists, the traffic between phone and the VVM backend is routed through the 3G interface and doesn’t pass the Wi-Fi connection. This is interesting, since actually the Wi-Fi connection is typically preferred. This allows the providers to limit the backend access to their own „IPs used on the 3G networks“, meaning only customers with a SIM card from the corresponding provider can access the mailbox system. From a corporate point of view this also means, that a phone connected to a wireless LAN with an active VPN connection would certainly bypass its „default way to the Internet“ and consequently also bypass potentially present security controls like proxy servers.

After actual VVM usage, we jailbroke the phone and installed assessment tools. In addition we installed Cydia (third party app store), an SSH daemon (to connect remotely) and tcpdump (to sniff network traffic). Cydia makes use of the packet management as known from “Debian GNU/Linux”. So we used  “dpkg -i”  to install the local packet (.deb) of KeychainViewer, which was not available through the repository.

By sniffing the network traffic it was possible to examine the IMAP protocol revealing username and the corresponding hashed password (which allows to repeat a successful login) and of course all voicemail files. We want to highlight, that all the voicemail files have been transferred unencrypted. In addition we had a look at the keychain entries of the app. This revealed information (used protocol, port and server IP) already known from sniffing the network traffic and some new details. The first thing we recognized was the format of the account name (as already seen in network traffic) as well as the password, which is stored in cleartext. Knowing the server IP address, we already reach the critical amount of sensitive information becoming available through sniffing the network traffic. As the IMAP protocol on port 143 is used for communication, we were able to test the retrieved connection data and credentials by using a standard email client. Unsurprisingly it worked out well. The screenshots show how we used thunderbird to read the folder structure of the mailbox itself. Voice calls are basically implemented as emails with an .amr audio file attached.

Mailbox with Thunderbird

In addition we found, that after activation of the VVM feature, the configuration (.plist) file is stored at /var/mobile/Library/Voicemail/com.apple.voicemail.imap.parameters.plist
containing the username, protocol information, the state of the voicemail account and the server IP. Having the username and server IP, which depends on the provider but can typically be figured out very easily, an attacker can run brute force attacks against the email server which is exposed to the Internet.
Furthermore the whole data transfer turned out to be unencrypted. One could argue that sniffing 2G/3G isn’t that easy when compared with sniffing Wi-Fi traffic. But even though eavesdropping or MITM attacks are not as likely as on Wi-Fi networks, they shouldn’t be completely ignored. Unfortunately login credentials tend to be long-living data. Once intercepted, these data will give an attacker the opportunity to access mailboxes and corresponding applications for a long time.

Providers still seem to rely on the non-interceptable properties of their networks. Even though intercepting isn’t easy, several publications have proofed them wrong in the last years. Thus this thread model is at least questionable.In addition scenarios exist, in which traffic is routed through untrusted areas e.g. in case of roaming. Considering the increasing importance of TCP/IP, traffic will more and more pass untrusted areas. In addition the trust model seems not to imply the actual user as a threat against sensitive data stored on the device (such as credentials for the VVM server). Last but not least, finding sensitive information such as login credentials unencrypted/unhashed still comes with a sobering taste.
All this has to be kept in mind, when using such technologies and may lead to the question, if the providers trust/thread model matches your own or those of your environment/company.

Have a nice day,
Sergej

Continue reading
Breaking
by Christopher Werny

Don’t Pay Money for Someone Else’s Calls, Again

One of our customers called us recently and asked for some support in investigating a toll fraud issue they encountered in one of their sites. Their telecommunications provider had contacted them informing them that they had accumulated a bill of 30.000€ over the last ten days.

Without knowing anything more specific, I drove to the affected site to get the whole picture.

They have a VoIP deployment based on Cisco Unified Communications Manager (CUCM, aka Call Manager) as Call Agent. The CUCM is connected via a H.323 trunk to a Cisco 2911 ISR G2 which is acting as a voice gateway. The ISR has a primary rate ISDN (PRI) Interface which is connected to the PBX of the telco. Furthermore they use a feature called Direct-inward Dial (DID) or Direct Dial-in (DDI) which is offered by Telco’s to enable calling parties to dial directly to an extension on a PBX or voice gateway.

Basically one then has a so called head number (in networking terms a prefix), together with some phone extensions. When someone from outside wants to call, he dials the head number + phone extension. Before the telco forwards the call to the ISR, the head number is stripped and only the phone extension number is forwarded to the voice gateway. E.g. when calling 12345-678, the local voice gateway will only see the 678 as called number.

After having a good overview of the design, I started to dig around in the log and configuration files to understand what exactly happened and why.

So here is what happened:

Apparently someone from some East European country had called the head number of our customer and prepended a “malicious number” (in some country in Africa) to which the ISR should setup a call.  The ISR only sees the malicious (African) number because, as said before, the head number was stripped by the telco. The malicious number was of course some $EXPENSIVE_LONG_DISTANCE_CALL ;). So the voice gateway received a call from the PBX and forwarded it back to setup the call with that number.

Before we proceed, a little bit of theory how a Cisco router decides how to forward a call, might be helpful:

In Cisco IOS, the call-routing table is configured based on so called dial-peers. These dial-peers specify how a call with a specific destination number should be forwarded.

As an example:

dial-peer voice 1234 pots
description ===incoming_calls===
incoming called number ^[2-7]..$
port 0/3/0

 

This configuration tells the router that calls to a number which matches the regular expression, should be forwarded to port 0/3/0.

As it turns out our customer uses the following dial-peer which is used for outbound calls.

dial-peer voice 5678 pots
description ===outgoing calls===
destination pattern 8T
port 1/1/1:15 -> The ISDN Interface

 

The T is a placeholder value which means that any amount of digits can follow the 8. The reason the pattern matches the digit 8 is that this digit must be dialed before the actual number.

Do I have to mention that the malicious number also starts with an 8? 😉

So back to the presumed course of action:

The call with the malicious number hits the router. The router tries to match a configured dial-peer to forward the call.  I think you can guess which dial peer matched for the malicious number 😉

So the router sends the call back to the PBX to setup a call to the malicious number. Which is billed to our customer…

We then monitored the situation and applied a workaround (more on this in a minute) and observed what happened. As it turned out, unfortunately the attacker was able to circumvent our workaround. We discovered that is was possible to “dial-in” to the router directly by just calling the head number (as the PBX leaves the called number field empty). E.g. the called number field in the log files looks like this:

“Called Number=”

 

The router subsequently provided a line and it was possible to call the number again. Our workaround did only affect incoming calls with the number prepended, but not those where the router is the actual origin of the establishment of the call.

So how can we resolve this issue and stop the toll fraud?

As a long-term solution the configured dial patterns should be reviewed and modified to prevent such things in the future, but – given the overall complexity of the setup – this could not be done overnight.

I am currently working with the customer to develop more suitable dial patterns. I will write a follow up post with the final results when we are finished.

In the mean-time, we developed a temporary workaround to prevent this from happening again:

In Cisco IOS you can manipulate the calling or called-number with so called translation rules and you are also able to reject calls based on the called number. Our customer does not use any extension beginning with 8, so we can drop all calls on the gateway which starts with 8 as called number. So we developed the following translation-rule:

 voice translation Rule 11
  rule 1 reject /^8+/
  rule 2 reject /^$/
 voice translation-profile reject_calls
   translate called 11

 

Rule number 2 addresses the case when the called number field is empty. We mapped this profile to the dial-peers responsible for the incoming calls and specified that calls with the numbers in the translation rule must be rejected.

dial-peer voice 3456 pots
description ===Incoming_Calls===
call-block translation-profile incoming reject_calls
call-block disconnect-cause incoming call-reject
incoming called-number

 
Lessons learned:

Be careful when you develop and implement your dial patterns, as errors in this space can cost you quite a lot of money 😉

VoIP is a complex technology and this complexity can lead to all types of vulnerabilities, as Daniel and Enno are going to show in their talk at Troopers 2012. Toll fraud is still quite common and happens all the time, as you can see in an ERNW newsletter from 2009 covering a similar story from another environment.

On a side note:

The telco told us that our customer is the 8th customer affected by a toll fraud issue in the last two months. According to the telco all eight companies are in the same city, and the initial VoIP deployment at our customer was performed by an external service provider.

Maybe the same service provider has done the deployment in the other companies too…

Have a great day,
Chris

Continue reading
Breaking
by Matthias Luft

No Connectivity — No Malware Protection

During a recent penetration test, we evaluated the security of a typical corporate employee notebook. It was to be assessed whether employees with a default corporate user account would be able to gain administrative access and subsequently abuse the system for attacks against a certain high value database system. When evaluating this problem set, the first step is to find ways to bring tools and exploit code on the system. Usually this task requires the bypassing of the malware protection agent of the system. At some point, we thought we figured a way to encode exploits and payloads in a way that would not be detected by the malware protection solution. Continue reading “No Connectivity — No Malware Protection”

Continue reading
Breaking
by Timo Schmid

Python Library for De- and Encoding of WCF-Binary streams

In a .NET environment WCF services can use the proprietary WCF binary XML protocol described here. Microsoft uses this protocol to save some time parsing the transmitted XML data. If you have to (pen-) test such services, it would be nice to read (and modify) the communication between (for example) clients and servers. One possibility is Fiddler.

Fiddler’s strengths include its extensibility and its WCF binary plugins. Sadly, these plugins can only decode and display the binary content as XML text.

Our first tool of choice for webapp pentests (Burp Suite) has also a plugin feature, and one can also find plugins for decoding (and encoding XML back to) WCF binary streams. But all WCF binary plugins out there are based on the .NET library which means one either has to work on MS Windows or with Mono. Another disadvantage is the validation and auto-correction feature of such libraries… not very useful for penetration testing 😉

That’s why we decided to write a small python library according to Microsoft’s Open Specification which enables us to decode and encode WCF binary streams. The library has a rudimentary commandline interface for converting XML to WCF binary and vice versa, as well as a plugin for our python-to-Burp plugin (pyBurp).

Continue reading “Python Library for De- and Encoding of WCF-Binary streams”

Continue reading
Breaking
by Timo Schmid

Use Python for Burp plugins with pyBurp

One of our favorite tools for conducting penetration tests (especially, but not only, web application tests) is Portswiggers’s Burp Suite. Burp allows to extend its features by writing own plugins. But because Burp is written in Java, it only supports Java classes as plugins. Additionally, Burp only allows to use one plugin at the same time which has to be loaded on start-up.

Now we have written a Burp-Python proxy (called pyBurp) which adds some features to the plugin system:

  • write plugins in Python
  • load and unload plugins at every time
  • load multiple plugins

Continue reading “Use Python for Burp plugins with pyBurp”

Continue reading
Breaking
by Florian Horsch

How Safe is Smart?

Bluetooth Smart Ready LogoAbout two months ago the Bluetooth SIG renamed their latest standard, which was previously known as “Bluetooth v4.0”. When version numbers get higher and higher marketing likes to interfere and try something new. In this case: Bluetooth Smart.

Sounds smart, but is it?

Without getting into too much detail, let me quickly quote Wikipedia to get started:

 “Cost-reduced single-mode chips, which enable highly integrated and compact devices, feature a lightweight Link Layer providing ultra-low power idle mode operation, simple device discovery, and reliable point-to-multipoint data transfer with advanced power-save and secure encrypted connections at the lowest possible cost.”

http://en.wikipedia.org/wiki/Bluetooth#Bluetooth_v4.0 (sounds more like a marketing text than a proper technical specification, but gives you a rough idea what you as an end-user can expect ;)).

So we’re talking about the usual stuff: Lower energy consumption combined with more functionality. Great!

Ubertooth One Description
Ubertooth One - Photo from: ubertooth.sourceforge.net

Sounds smart, but is it safe?

With “Bluetooth Smart Ready” products just coming in it’s too early to tell. But one thing is for sure: 2012 will be the year where every major consumer product (smartphones, heart-rate straps or even simple clocks) will be equipped with it. Oh, and guess what… a new wireless standard doesn’t just come along with a new shiny gadget. Obviously you need an app for that. How about tracking your heart beat? Personally I’m looking forward for the first Bluetooth Smart Ready cardiac pacemaker…

And back to security: Either you trust the Bluetooth committee which states “Bluetooth technology is an industry leader when it comes to wireless data security.”, OR you ask somebody who would tell you the plain truth (given there is one): Michael Ossmann.

Will it blend?

We did the latter and invited Michael to talk at TROOPERS12. He is a wireless security experts who also makes hardware tools to progress with his research. In early 2011 he successfully crowd-funded his latest gadget: Ubertooth One. A very capable Bluetooth monitoring device.

We’re looking forward to mid March where we all meet to discuss things in more depth at TROOPERS12. Until then keep yourself up-to-date and have a look into Michael’s latest blog entry: Bluetooth for Bad Guys

Have a wonderful Christmas time,
Florian

PS: Drop us a comment, when you find some “Bluetooth Smart Ready” labels under your Christmas tree 😉

Continue reading
Breaking
by Kevin Schaller

Liferay Portlet Shell

During one of our pentests in some corporate environment we were to analyze an application-server called Liferay. Liferay comes with a lot of functionalities, runs on top of Apache Tomcat and includes a nice API that makes it very easy to add components or further functionality that are not part of the core. These (potentially selfmade) “addons” are called “portlets” and they can be inserted in any place in the frontend.

We quickly found an active default-account (test@liferay.com : test) which immediately led to the question: how to get access on the system-layer through the account on the application. Because we were not aware of any portlet which provided the desired functionality, we decided to write it on our own and created a straight-forward portlet for system level command execution.

As mentioned above, Liferay offers an API for adding portlets to the core. This can be done by creating a standard war-file which contains java-classes, including the desired functionality and some – in this case – Liferay-specific xml-based configuration files. War files are often used to expand the functionality of java-servers (e.g. Tomcat can also be extended via war-files) – it just needs to contain the application-specific xml-files.

Our java-class includes a html-form consisting of an input-field and a button, which sends commands (via GET) to the server. On the server the input gets executed in a shell – a new java HTTP-Shell is born. After some adjustments regarding to the operating system and the java compiler (1) we had a GET-Parameter-based HTTP-Shell.

The following steps are necessary to deploy the shell portlet:

How to create the war-file?

1.) Download the zip-archive

2.) Unzip

3.) Execute create.bat / create.sh [Note: javac and jar must be installed in the PATH.]

4.) Have fun with the ShellPortlet.war

How to deploy the war-file?

1.) Login to your Liferay-System with a privileged user-account and open http://yourdomain.com/group/control_panel/manage

2.) You should find a category called “Server” on the left side in the navigation. Click “Install Plugin” and on the next site click “Install more plugins” followed by “Fileupload”

3.) Upload the war-file and use “tail -f $CATALINA_HOME/logs/catalina.out” or (on Windows) the Tomcat-console to observe the logs for any error/exception. When everything worked you’ll find an entry like “1 Portlet for ShellPortlet is available for use”

4.) Now go back to your mainpage via the link in the upper area “Back to Liferay”. Then click “Add” -> “More” and you will see all categories in which the portlets are sorted.

5.) If everything went right you will find a category named “Ownage” in this list. Click on it and drag&drop the shellportlet anywhere on your website.

6.) Have fun playing! 🙂

This shows – once again – that it’s not that hard to gain system-access over a (web-) application. Everyone who uses web-applications should secure the higher-privileged accounts by strong passwords or better deactivate them in case they are not needed. It also shows that – once again – comprehensive and reasonable hardening would have prevented the compromise of yet another system.

(1): The java-class must be compiled by the same compiler-version which the tomcat-server is using. (E.g.: If the tomcat uses jre1.6, the java-class in the war-file must be compiled by a javac which is out of the jdk1.6)

Download

SHA1-Hash: f6a7764f098ecc516479dbf6da2ff0017414de00

Continue reading
Breaking
by Daniel Mende

pytacle preview

Hi,

today I’ll give a short preview of my newest tool, pytacle. It is simply a little helper program to control gnuradio/airprobe/kraken/some_other_tools, convert their input/output and to find a use able clear/cipher text combination to break A5/1. In the end it should record, crack and decode/play a gsm phone call with ~5 mouse clicks.

Take a look at this video:

The code is not available yet, as its not finished 😉 the recording and cracking part are working, but the decoding doesn’t. I need to put some more time into the code, but there isn’t much spare in that time of the year 😀

cheers

/daniel

Continue reading
Breaking
by Michael Schaefer

A Wrap-up on MFD Security

On last year’s TROOPERS11, Matthias (mluft) and I gave a talk on Multifunction Devices. Hardly surprising: It was related to the state of secure operation of MFDs. It was heavily motivated by experiences we collected out in the wild. We faced a frightening low level of awareness concerning the role of MFDs for the overall security picture – in particular regarding the processing of sensitive data…

However, instead of only showing and proving well-known weaknesses and vulnerabilities, we decided to adapt ERNW’s Seven Sisters model in order to match the needs of secure MFD operation and to develop some kind of guideline. As Matthias already lost some words on this, I’m not gonna waste your valuable time by repeating, what has already been said. However I described our approach and our thoughts on that topic in a recently published ERNW Newsletter. If for what ever reason you didn’t see our talk or even didn’t attend TROOPERS11 at all, have a look on Newsletter 37 and give us feedback on what you think about the whole topic…

Btw: Enno just wrote some lines about what’s so special about the TROOPERS conference. In case you might want to discuss mentioned and related topics at first hand, think about joining TROOPERS12. For our part, we cannot wait to come together at Heidelberg next March.

See you there
Michael alias Micele

Continue reading
Breaking
by Enno Rey

All Your Clouds are Belong to us

This is a _very_ interesting paper just published by some researchers (mainly) from RUB (Ruhr-University Bochum). Here’s the abstract:

“Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modied, and instances can be started or ceased. Effectively, a successful attack on a Cloud control interface grants the attacker a complete power over the victim’s account, with all the stored data included.

In this paper, we provide a security analysis pertaining to the control interfaces of a large Public Cloud (Amazon) and a widely used Private Cloud software (Eucalyptus).

Our research results are alarming: in regards to the Amazon EC2 and S3 services, the control interfaces could be compromised via the novel signature wrapping and advanced XSS techniques. Similarly, the Eucalyptus control interfaces were vulnerable to classical signature wrapping attacks, and had nearly no protection against XSS. As a follow up to those discoveries, we additionally describe the countermeasures against these attacks, as well as introduce a novel ‘black box’ analysis methodology for public Cloud interfaces.”

===

While the actual described vulnerabilities have been fixed in the interim this stresses once more the point we made in this post: the overall security posture of the management (or “cloud control” as the authors of  the above paper call it) interfaces is crucial for potentially all the data that’s processed by/on your cloud based machines or applications.

Great research from those guys! This will help to drive the discussion and security efforts for a reasonable use of cloud based resources in the right direction…

thanks

Enno

Continue reading