Hacking ZyXEL Gateways

An interesting paper recently published by Adrian Pastor of ProCheckup discusses vulnerabilities and attacks against ZyXEL gateways, including (yikes) Remote wardriving/attacking internal networks over the Internet, among others:

  • Privilege escalation from “user” to “admin” account
  • SNMP read and SNMP write access enabled by default
  • Persistent XSS via SNMP
  • Poor session management allows hijacking of admin sessions
  • Authentication vulnerable to replay and password cracking attacks
  • Disclosure of credentials

Considering the code reuse among the various products made by most vendors of these residential gateways, not to mention their widespread deployment by service providers, I think it would be quite interesting for VOIPSA folks to expand on Adrian Pastor’s work and pursue this type of testing on some of the VoIP gateway products that ZyXEL offers, specifically the Analog Telephone Adapter, Station Gateway and Integrated Access Device to start. Also, the web interfaces of embedded devices like these are especially problematic from a security perspective, and it’s well worth a look at another one of Adrian Pastor’s papers over at OWASP.

    “So what” you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink, and there is the recent BT Home Hub CVE-2008-1334 vulnerability. More routers and details at GNU Citizen’s router hacking challenge.

    Four new security vulnerabilities in Asterisk – time to upgrade!

    Earlier this week, the team at Digium released four new security vulnerabilities:

    The solution is, predictably, to upgrade to the latest version of whichever stream of Asterisk you are using.

    FBI VoIP Surveillance Requirements Leaked

    Wikileaks recently published a leaked 88-page document entitled FBI Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service (PDF), which is part of the CALEA Implementation Plan published in January 2003. The document describes detailed FBI requirements for surveillance of phone calls that use packet networks as their transport. The document broadly defines CGVoP Service as:

    “The set of subscription-based voice services and features provided over carrier-managed packet networks, and includes wireline and wireless services.”

    The document covers such surveillance events as:

    • Registration and Authorization events including address registration and de-registration, mobility authorization and de-authorization
    • Call Management events including call origination, termination, answer, call release, address resolution, admission control, and media modification
    • Signaling events including subject signaling, network signaling, and post-cut-through dialing and signaling
    • Feature Use events including call redirection, party hold, party retrieve, party join, party drop, call merge, and call split
    • Communication Content events including content delivery start, change, and stop, as well as content unavailable
    • Feature Management events including feature activation and deactivation
    • Surveillance Status events including surveillance activation, continuation, change, and deactivation.

    The document also discusses authorized access to identifying information and communication content, and more generalized surveillance requirements. It looks like they’ve fairly well covered the bases…

    Info on how to listen remotely to today’s RUCUS session at IETF

    If you are interested in listening in to today’s session here at IETF about “Reducing Unwanted Communications Using SIP” (RUCUS), which I’ve mentioned previously, I’ve posted information about how to participate in IETF remotely. The RUCUS session takes place from 1300-1500 US Eastern time today.

    Streaming audio should be available on ietf71-ch4.

    Jabber group chat should be available as well, but I don’t know yet in which chat room it will be. There isn’t yet a chat room on the IETF server for ‘rucus’. I’ll update this post once I know where the chat room is.

    UPDATE: A request is in to create the ‘rucus@jabber.ietf.org’ room. If that room isn’t created in time, we’ll use the SIPPING room at ‘sipping@jabber.ietf.org’. We’ll announce on the streaming audio which one we are using.

    Web page for RUCUS BOF at IETF 71 now at new URL

    As I mentioned previously (here and here), the “RUCUS” BOF at IETF 71 in Philadelphia is one of great interest with its focus on voice spam, a.k.a. “SPam for Internet Telephony” or “SPIT”. Unfortunately BOF co-chair Hannes Tschofenig ran into a problem with his domain and had to move the page to a new URL: http://www.shingou.info/bof-rucus.html

    If you saved the URL or sent it on to someone, you’ll need to update to the new URL. If you didn’t visit the RUCUS page before, please do check it out – and feel free to join the RUCUS mailing list. Of course, if you can, please do join us in person in Philadelphia!

    Senate OKs E911 requirements

    I gotta run and coach my kids’ basketball, but I’ll put this up real quick.

    Ars Technica has a write up about the new E911 requirements bill passed by the Senate.

    Ars usually does a great job with their analysis, so I won’t bother. My only comment is that Congress seems to write Policy without concern for the effort of implementing Procedures. Now that the FCC will have the authority to dictate new requirements, I hope (but doubt) that they will work with companies and technologies to implement this correctly.

    OK, so I’m cynical about the government, I’ve worked in it all my life.

    EDIT: BTW, just in case some were wondering whether this applies to VoIP security: for my environment, E911 service is a security requirement.

    Update Asterisk

    Over on Bugtraq, another Asterisk vulnerability has been announced. Several buffer overflows affect the versions listed below:

    -------------------------------------------------------------------
    Package               Vulnerable         Unaffected
    -------------------------------------------------------------------
    net-misc/asterisk     = 1.2.17-r1        >= 1.2.21.1-r1

    This one comes with an admonishment to upgrade to the latest patch:

    All Asterisk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.17-r1"

    This is the link to the announcement at Gentoo Linux. I was hoping to find the link to the actual patch over at Asterisk, but I don’t see the right reference yet. The CVE numbers are all from 2007, but the announcement seems to be from 2008. If anyone finds the link, drop me a line or leave it in the comments.

    On a minor note, the Nortel Networks UNIStim IP Phone with firmware version 0604DAS is vulnerable to a ping of death. No patch yet, but keep your eye on Nortel’s Security Advisory site for a response from the company.

    VoIP Hopper 0.9.9 released with improved VLAN hopping

    Blue Box listener Frank Leonhardt clued us in to the fact that VoIP Hopper 0.9.9 was released back on February 19th. VoIP Hopper is a tool that allows you to “hop” between the data and voice VLANs (or any other VLANs); it was written primarily because the authors were tired of hearing people say that VLANs were a true security mechanism (Hint: They’re NOT!). We’ve written about it before and talked about it on a Blue Box episode and a Telcom Junkies show, and it is indeed an interesting test tool. Per the release notice, version 0.9.9 has these new features:

    • CDP Generator! VoIP Hopper can generate CDP packets in order to discover the Voice VLAN ID, as any IP Phone based on CDP would do. In this CDP spoof mode, VoIP Hopper will send two CDP packets in order to decipher the VVID, then it will iterate between sleeping for 60 seconds, and sending another packet. Not only is this faster than CDP sniffing, but it can also help bypass any mechanisms that rely on CDP for permitting access to the Voice VLAN.
    • Voice VLAN Interface Delete: VoIP Hopper can delete the created Voice Interface.
    • MAC Address Spoof, then exit: VoIP Hopper can change the MAC Address of an interface offline and exit, without VLAN Hopping.

    You can visit the VoIP Hopper site to learn more.
