Category Archives: Security

Hacking ZyXEL Gateways

An interesting paper recently published by Adrian Pastor of ProCheckup discusses vulnerabilities and attacks against ZyXEL gateways, including (yikes) Remote wardriving/attacking internal networks over the Internet, among others:

  • Privilege escalation from “user‟ to “admin‟ account
  • SNMP read and SNMP write access enabled by default
  • Persistent XSS via SNMP
  • Poor session management allows hijacking of admin sessions
  • Authentication vulnerable to replay and password cracking attacks
  • Disclosure of credentials

    • Considering the code reuse among various products made by most vendors of these residential gateways, not to mention the widespread deployment by service providers, I think it would be quite interesting for VOIPSA folks to expand on Adrian Pastor’s work and pursue this type of testing on some of the VoIP gateway products that ZyXEL offers, specifically the Analog Telephone Adapter, Station Gateway and Integrated Access Device to start. Also, the web interface of embedded devices like these are especially problemmatic from a security perspective, and it’s well worth a look at another one of Adrian Pastor’s papers over at OWASP.

    “So what” you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink, and there is the recent BT Home Hub CVE-2008-1334 vulnerability. More routers and details at GNU Citizen’s router hacking challenge.

    Four new security vulnerabilities in Asterisk – time to upgrade!

    Earlier this week, the team at Digium released four new security vulnerabilities:

    The solution is, predictably, to upgrade to the latest version of whichever stream of Asterisk you are using.

    Technorati Tags:
    , , , , , ,

    FBI VoIP Surveillance Requirements Leaked

    Wikileaks recently published a leaked 88 page document entitled FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service (PDF), which is part of the CALEA Implementation Plan published in January 2003. The document describes detailed FBI requirements for surveillance of phone calls made utilizing packet networks as their transport. The document broadly defines CGVoP Service as:

    “The set of subscription-based voice services and features provided over carrier-managed packet networks, and includes wireline and wireless services.”

    The document covers such surveillance events as:

    • Registration and Authorization events including address registration and de-registration, mobility authorization and de-authorization
    • Call Management events including call origination, termination, answer, call release, address resolution, admission control, and media modification
    • Signaling events including subject signaling, network signaling, and post-cut-through dialing and signaling
    • Feature Use events including call redirection, party hold, party retrieve, party join, party drop, call merge, and call split
    • Communication Content events including content delivery start, change, and stop, as well as content unavailable
    • Feature Management events including feature activation and deactivation
    • Surveillance Status events including surveillance activation, continuation, change, and deactivation.

    The document also discusses authorized access to identifying information and communication content, and more generalized surveillance requirements. It looks like they’ve fairly well covered the bases…

    Info on how to listen remotely to today’s RUCUS session at IETF

    ietflogo-1.jpgIf you are interested in listening in to today’s session here at IETF about “Reducing Unwanted Communications Using SIP” (RUCUS) which I’ve mentioned previously, I’ve posted information about how to participate in IETF remotely. The RUCUS session takes place from 1300-1500 US Eastern time today.

    Streaming audio should be available on ietf71-ch4.

    Jabber group chat should be available as well, but I don’t know yet in which chat room it will be. There isn’t yet a chat room on the IETF server for ‘rucus’. I’ll update this post once I know where the chat room is.

    UPDATE: A request is in to create the ‘rucus@jabber.ietf.org’ room. If that room isn’t created in time, we’ll use the SIPPING room at ‘sipping@jabber.ietf.org’. We’ll announce on the streaming audio which one we are using.

    Technorati Tags:
    , , , ,


    buy viagra
    buy viagra online
    viagra online
    discount viagra
    order viagra
    cheap viagra
    generic viagra
    generica viagra
    viagra buy
    viagra price
    order viagra online
    viagra generic
    viagra pill
    where buy viagra
    buy viagra cheap
    viagra order
    get viagra
    buy online viagra
    online viagra
    viagra sale online
    where to buy viagra
    cheapest viagra
    purchase viagra
    cheap viagra online
    viagra buy online
    buying viagra
    buy viagra on
    generic viagra canada
    prescription viagra
    buy viagra norway
    generic viagra pack
    buy viagra in nevada
    buy viagra now online
    viagra online buy
    find viagra online
    buy cheap viagra online
    cheap generic viagra
    buy cheap viagra
    generic viagra online
    viagra sale
    generic viagra cheap
    buy viagra on line
    where buy generic viagra
    viagra online bestellen
    viagra prescription online
    generic online viagra
    low price viagra
    cheapest viagra price
    buy generic viagra
    viagra uk
    viagra online prescription
    cheap est viagra
    viagra soft tab
    viagra discount
    viagra cheap
    where to buy viagra on line
    buying viagra online
    buy viagra now
    purchase viagra online
    viagra pharmacy
    natural viagra
    buy viagra in canada
    viagra paypal
    viagra on line
    viagra 100mg
    viagra without prescription
    cheapest place to buy viagra online
    generic Cialis
    buy cialis
    buy cialis online
    cialis online
    online cialis
    order cialis
    cheap cialis
    discount Cialis
    generic cialis price
    cialis prescription
    buy cialis generic
    cialis online discount
    cheapest cialis
    buy discount cialis
    purchase cheap cialis online
    order cialis online
    cialis for sale
    cialis price
    purchase cialis
    cialis online pharmacy
    buy Cheap Cialis
    cialis story
    generic cialis online
    best cialis price
    cheapest cialis generic
    order generic cialis
    low cost cialis
    buy cialis generic online
    levitra
    buy levitra
    cheap levitra
    levitra online
    buy levitra online
    order levitra
    order levitra online
    cialis levitra
    generic levitra
    online levitra
    buy cheap levitra
    discount levitra
    levitra sale
    buy generic levitra
    levitra online pharmacy
    levitra price
    purchase levitra
    cheap levitra online
    levitra story
    levitra on line
    levitra prescription
    levitra cheap
    best price for levitra
    buy xanax
    buy phentermine
    buy lasix
    tramadol
    buy tramadol
    buy tramadol online
    tramadol online
    cheap tramadol
    order tramadol
    tramadol hcl
    ultram tramadol
    tramadol prescription
    online tramadol
    tramadol sale
    purchase tramadol
    buy cheap tramadol
    order tramadol online
    overnight tramadol
    tramadol cheap
    tramadol pharmacy
    discount tramadol
    tramadol hydrochloride
    tramadol 50mg
    cheap tramadol online
    generic tramadol
    buy clomid
    buy prozac
    buy cipro
    buy diflucan
    buy acomplia
    buy lexapro
    buy flagyl
    buy propecia
    order propecia
    cheap propecia
    propecia online
    order propecia online
    buy propecia online
    generic propecia
    compare propecia
    propecia without prescription
    propecia prescription
    propecia pill
    discount propecia
    online propecia
    cheapest propecia
    get propecia
    propecia order
    propecia price
    propecia uk
    propecia cost
    propecia sale
    purchase propecia
    buy cheap propecia
    propecia sale online
    buy online propecia
    online pharmacy propecia
    online prescription propecia
    buy generic propecia
    buying propecia
    buy propecia now
    buy fosamax
    buy kamagra
    buy clomid online
    buy prozac online
    buy cipro online
    buy diflucan online
    buy acomplia online
    buy lexapro online
    buy flagyl online

    Web page for RUCUS BOF at IETF 71 now at new URL

    ietflogo-1.jpgAs I mentioned previously (here and here), the “RUCUS” BOF about voice spam at IETF 71 in Philadelphia is one of great interest with its focus on voice spam, a.k.a. “SPam for Internet Telephony” or “SPIT”. Unfortunately BOF co-chair Hannes Tschofenig ran into a problem with his domain and had to move the page to a new URL: http://www.shingou.info/bof-rucus.html

    If you saved the URL or sent it on to someone, you’ll need to update to using the new URL. If you didn’t visit the RUCUS page before, please do check it out – and feel free to join the RUCUS mailing list. Of course, if you can, please do join us in person in Philadelphia!

    Technorati Tags:
    , , , , ,

    VoIP Hopper 0.9.9 released with improved VLAN hopping

    Blue Box listener Frank Leonhardt clued us in to the fact that VoIP Hopper 0.9.9 was released back on February 19th. VoIP Hopper is a tool that allows you to “hop” between the data a voice VLANs (or any other VLANs) that was written primarily because the authors were tired of hearing people say that VLANs were a true security mechanism (Hint: They’re NOT!). We’ve written about it before and talked about on a Blue Box episode and a Telcom Junkies show and it is indeed an interesting test tool. Per the release notice, this version 0.9.9 has these new features:

    • CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
    • Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice
      Interface

    • MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of
      an interface offline and exit, without VLAN Hopping.

    You can visit the VoIP Hopper site to learn more.

    Technorati Tags:
    , , , , ,

    Underpowered Hardware

    One of the issues with VoIP endpoints that I regularly encounter as a security researcher is the problem with underpowered hardware. Many VoIP hardware devices are initially designed with just enough horsepower to do their job in order to keep costs low and stay competitive in the market. Due to VoIP technologies evolving so rapidly and devices being updated to include many additional new features shortly after being brought to market, the software running on these devices generally outgrow the hardware and will consume the few remaining unused resources available on the device. Vendors then have to play a balancing game of what software features can be crammed onto a particular device and it still work properly.

    Not only does this condition of the technology promote attacks like Denial of Service via resource exhaustion, floods, and so forth, but it also gives rise to other vulnerabilities such as this one which was detailed yesterday by Larry Dignan & George Ou. Due to the resource limitations of the hardware device, corners were cut when adding support for the device’s 802.1x PEAP authentication feature which resulted in the server certificate not being checked during authentication, which then devolves into a number of other security issues. Not only does this affect the device being discussed in the article, but it apparently also affects a number of other devices as well who’s designers cut the same corner, likely for the same reason.

    Because VoIP technology evolves so rapidly, and generally grows in resource requirements by leaps and bounds while doing so, VoIP hardware vendors really should be providing much more processing power than the initial software needs when the devices are brought to market. Unfortunately the cost of including this extra horsepower initially is borne by the vendor, whereas the cost of having to upgrade (i.e., replace) masses of deployed hardware devices when their resource limitations become insurmountable is borne by the consumer.  Device replacement results in additional sales and profits for the vendor, so don’t expect properly resilient hardware devices anytime soon…

    Slides about Peer-to-peer SIP (P2PSIP) security now available

    ietflogo-1.jpgWant to learn more about the voip security aspects of peer-to-peer SIP? As I mentioned in the VOIPSEC mailing list last week, researchers from Huawei and the University of California recently released an Internet-Draft called “P2PSIP Security Analysis and Evaluation” which dives into an analysis of security issues in P2PSIP. It’s a good overview and one I’d strongly recommend to folks. (Note – you may want to read “P2PSIP Concepts” first to understand the language being used.)

    Beyond the Internet-Draft, though, the researchers announced yesterday that their slides are now available (PPT) that go into the issues. These are being prepared from presentation at the upcoming IETF 71 meeting March 10-14 in Philadelphia, so if you are attending the event you’ll be able to hear the presentation yourself.

    Peer-to-peer SIP is a fascinating area of current research and it’s good to see work like this being put into exploring the security aspects. Note – the researchers are looking for feedback so if you have comments on what you read, their contact information is in the Internet-Draft.

    Technorati Tags:
    , , , , , , ,

    Blue Box Podcast #76 now available – Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills

    MD_bluebox157-2.jpgBlue Box Podcast #76 is now available discussing Cisco, Skype and BT
    vulnerabilities, when SIP looks like SPIT, VoIP security threat
    predictions and the FBI forgets to pay their bills, plus listener
    comments and more…

    Jonathan and I recorded the show on January 22nd and I’m now *almost*
    caught up with 1 main show still in the production queue (and about
    10 special editions!)

    Technorati Tags:
    , , , ,

    Join the new RUCUS mailing list if you want to look at ways to end SPIT!

    ietflogo.jpgAs mentioned previously, there is a new session planned for IETF 71 in March called “Reducing Unwanted Communications Using SIP“, a.k.a. “RUCUS”.

    The RUCUS mailing list is now open for subscriptions and we encourage anyone interested in looking at how we address the issue of voice spam, aka “Spam for Internet Telephony” aka “SPIT” to join into the conversation.

    We would ask you to please read the group description prior to joining so that you understand what we are trying to do. The primary goal of this session in March in Philadelphia is to look to understand the architecture necessary to address the issue and identify the pieces of that architecture that may already be there or may need to be put in place.

    Technorati Tags:
    , , , , , , , ,