Presentation from the May 5th 2009 ISSA Ireland seminar
VoIP Security
Implementation and Protocol Problems
Sean Heelan, ISSA Seminar, May 2009
Overview
• VoIP background info
• Finding and exploiting implementation related bugs
• Finding and exploiting protocol related bugs
• Questions!
VoIP Security ‐ Implementation and Protocol Problems 5th May 2009 2
Who am I
• Graduate student in Computer Science
• Primarily interested in software verification and program analysis
VoIP Background Info
Popularity of VoIP
• Why bother looking for security problems?
• ~50% of American businesses using it in some form in 2008 (src. Computer Economics)
• Anyone here today?
• Home users – Skype, Gizmo, Blueface etc.
Ambiguous graph time
Protocols
• SIP
• SCCP
• H.225
• H.239
• H.245
• RTCP
• SDP
• MGCP
Protocols
• IAX2
• Skype
• H.460
• H.450
• RTP
• STUN
• RSVP
• SS7
• … and so on
Protocols
• Why so many?
• Call setup, signalling, data transfer, route negotiation, PSTN interoperability
• Each requiring a different protocol and a different implementation
• Usually in C or C++
Protocols
• More protocols == More attack vectors
• Heterogeneous networks are good for an attacker and bad for an administrator
• Testing efforts are diluted across devices and protocols
• No public testing tools available for the majority of the protocols mentioned
VoIP: A hacker's dream
• Integrates the voice communications of an organisation into an environment the attacker is familiar with
• Same protocols, tools and environments
• Open standards and accessible devices
• Scary as hell when you think about it – you just moved your entire comms infrastructure to our playground
• Cheers!
Attacking the implementation
Good ol’ memory corruption
Servers running on Windows, Linux or other Unix
+ Phones running on a traditional OS or often embedded Linux
+ Written in C/C++
= Buffer overflows, NULL pointers, infinite loops and all their friends
Finding the bugs
• Fuzzing ‐ a rather effective hammer for many a nail
• Automatically generating/sending semi‐valid requests to a target in the hope of crashing it
• Requires no understanding of the application/device internals
• Responsible for the detection of a huge percentage of security bugs
Fuzzing in 2 minutes
• Generation based
• Mutation based
• Extensions – Binary analysis, feedback loops, debuggers
Fuzzing example 1

INVITE sip:[email protected] SIP/2.0
CSeq: 536870905 INVITE
Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq
Content-Type: application/sdp
Content-Length: 378

# s_static fields are sent unchanged; the s_string field is the one the fuzzer mutates
s_static("INVITE ")
s_string("sip:[email protected]")
s_static(" SIP/2.0 \r\n")

INVITE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIP/2.0
CSeq: 536870905 INVITE
Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq
Content-Type: application/sdp
Content-Length: 378
Fuzzing example 2

INVITE sip:[email protected] SIP/2.0
CSeq: 536870905 INVITE
Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq
Content-Type: application/sdp
Content-Length: 378

# the s_dword field is rendered as ASCII digits and mutated by the fuzzer
s_static("Content-Length: ")
s_dword(378, fuzzable=True, format="ascii")
s_static("\r\n")

INVITE sip:[email protected] SIP/2.0
CSeq: 536870905 INVITE
Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq
Content-Type: application/sdp
Content-Length: 4294967296
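
The two mutations from the fuzzing slides, seen from the parser's side, as an added example that is not from the original talk: a strict check rejects both, and `naive_len32` shows what a 32-bit length field makes of 4294967296. The limits, the function names and the `sip:alice@example.invalid` URI are assumptions made for the illustration.

```python
MAX_URI_LEN = 256      # assumed policy limit, not taken from the talk
MAX_CLEN_DIGITS = 5    # assumed: bodies of at most 99999 bytes

def naive_len32(value):
    """Value a parser sees if it stores Content-Length in a 32-bit unsigned int."""
    return int(value) & 0xFFFFFFFF

def validate_sip(raw):
    """Return the reasons to reject a SIP request; an empty list means accept."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no header/body separator"]
    lines = head.decode("ascii", "replace").split("\r\n")
    problems = []
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        problems.append("malformed request line")
    elif len(parts[1]) > MAX_URI_LEN or not parts[1].startswith(("sip:", "sips:")):
        problems.append("bad request URI")
    # Accept the long header name and its compact form "l".
    clens = [v.strip() for n, _, v in (l.partition(":") for l in lines[1:])
             if n.strip().lower() in ("content-length", "l")]
    if len(clens) != 1:
        problems.append("missing or duplicate Content-Length")
    elif not (clens[0].isascii() and clens[0].isdigit()) or len(clens[0]) > MAX_CLEN_DIGITS:
        problems.append("Content-Length is not a bounded decimal")
    elif int(clens[0]) != len(body):
        problems.append("Content-Length does not match body")
    return problems

def build(uri, clen, body=b"v=0\r\n"):
    """Constructed sample request modelled on the INVITE shown on the slides."""
    head = ("INVITE %s SIP/2.0\r\nCSeq: 536870905 INVITE\r\n"
            "Content-Type: application/sdp\r\nContent-Length: %s\r\n\r\n" % (uri, clen))
    return head.encode("ascii") + body

if __name__ == "__main__":
    good_uri = "sip:alice@example.invalid"   # placeholder URI, constructed
    for label, msg in [("valid", build(good_uri, 5)),
                       ("non-URI run of A", build("A" * 52, 5)),
                       ("length 2^32", build(good_uri, 4294967296))]:
        print(label, validate_sip(msg))
    print("32-bit view of 4294967296:", naive_len32("4294967296"))
```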
Building your own fuzzer
• Generational fuzzing frameworks available – Peach, Sulley, Fusil, Spike etc
• Map out the protocol in a high level description language
• Auxiliary tools for crash detection and logging
Feeling lazy?
• Free fuzzers for SIP – PROTOS, VoIPER
• Commercial fuzzers ‐ Codenomicon, MuDynamics
• Use a generic fuzzer like GPF – takes a packet capture and mutates it
Does it work?
And the award for epic fail goes to….
Memory corruption summary
• Fuzzers make it simple to find bugs
• Trivial to find DoS conditions
• Currently no public exploits that remotely execute malicious code on hard‐phones
• Exploiting vulnerabilities in soft‐phones is much easier, ditto for servers running on traditional operating systems
So hard‐phones are safe then?
• Not quite …
• Run a variety of services along with the VoIP core
• Web server, TFTP server/client, terminal admin console
• Introduces every attack vector available against these services
Web service attacks
• Most hard‐phones provide a web based admin interface, as do many servers
• Notoriously security agnostic
• XSS, CSRF, SQL injection, default/no passwords, authentication bypass
“Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.” – Cisco 2008
Web attack example
• Snom 320 VoIP phones
• Admin interface accepts unauthorized POST data
• Admin interface can also be used to make calls
• GNUCitizen.org combined the above two ‘features’ for remote surveillance
GNUCitizen.org – Snom 320 attack
• Attacker scans for vulnerable devices by checking for remotely accessible signature files
• Attacker sends POST to victim’s IP with data: NUMBER=ATTACKERNUM
• Attacker answers the incoming call
• Vulnerable device uses inbuilt receiver to capture ambient sound and send to the attacker
Finding web service bugs
• Simple to automate
• Standard tools for finding SQL, CSRF and XSS bugs – w3af attack framework
• Using SIP packets as an injection vector – XSS in log data
• Far easier to find and exploit a bug in a web interface than to create a reliable memory corruption exploit
Attacking the protocols
Attacking the protocols
• Authentication
• Authorization
• Encryption
• Same approach as every TCP/IP based service
Attacking the protocols ‐ discovery
• Many VoIP protocols are TCP based and run on standard ports – nmap
• Specialist tools available for certain protocols
  – SIPVicious, iaxscan
  – Can scan thousands of hosts an hour
• Scanning random hosts turns up hordes of easily accessible servers
Attacking the protocols ‐ authentication
• SIP and IAX2 – 2 step authentication by default
• What does that mean? – We can enumerate valid accounts first and then crack passwords
• Account discovery search space
  – Two step auth = X*X
  – Single step auth = XX
  Where X is the size of the username/password pool
• We’d shoot a web developer that did this but apparently it’s OK for VoIP
Attacking the protocols ‐ authentication
• Many networks still use 3 or 4 digit usernames and passwords
• SIPVicious/iaxscan can check all possible combinations in minutes
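
A defender's view of the two-step problem, as an added example that is not from the original talk: because the server answers differently for an unknown extension and for a wrong password, its own log separates the two phases, and counting them per source per minute flags a scan. The log format, thresholds and addresses are constructed for the illustration.

```python
import re
from collections import defaultdict

# Hypothetical registrar log format, constructed for this example:
#   2009-05-05 10:00:01 src=203.0.113.7 user=1001 result=unknown_user
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d src=(\S+) user=(\S+) result=(\w+)$")
ENUM_THRESHOLD = 10    # distinct unknown extensions per source per minute (assumed)
GUESS_THRESHOLD = 10   # bad passwords per source and extension per minute (assumed)

def detect(lines):
    """Return sorted (minute, src, kind, detail) alerts for the two phases."""
    unknown = defaultdict(set)   # (minute, src) -> extensions that do not exist
    failed = defaultdict(int)    # (minute, src, user) -> bad-password count
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue             # ignore lines in another format
        minute, src, user, result = m.groups()
        if result == "unknown_user":
            unknown[(minute, src)].add(user)
        elif result == "bad_password":
            failed[(minute, src, user)] += 1
    alerts = [(mi, src, "enumeration", "%d unknown extensions" % len(users))
              for (mi, src), users in unknown.items() if len(users) >= ENUM_THRESHOLD]
    alerts += [(mi, src, "password-guessing", "%d failures for %s" % (n, user))
               for (mi, src, user), n in failed.items() if n >= GUESS_THRESHOLD]
    return sorted(alerts)

def sample_log():
    """Constructed log: a scanner at 203.0.113.7 and one user who mistypes once."""
    scan = ["2009-05-05 10:00:%02d src=203.0.113.7 user=%d result=unknown_user"
            % (i, 1000 + i) for i in range(20)]
    guess = ["2009-05-05 10:01:%02d src=203.0.113.7 user=1042 result=bad_password" % i
             for i in range(15)]
    benign = ["2009-05-05 10:01:30 src=198.51.100.9 user=2001 result=bad_password",
              "2009-05-05 10:01:41 src=198.51.100.9 user=2001 result=ok"]
    return scan + guess + benign

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```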
Attacking the protocols ‐ sniffing
• Not entirely a protocol level problem
• Intercepted communications can be easily reconstructed into audio/video files – Wireshark, UCSniff
• VLAN hopping – exploiting networks that rely on layer 2 protocols to allow access to the voice LAN – VoIP Hopper
Taking the trunk
• Stealing individual accounts is fun and all but how about stealing the phone company?
• Requires admin access to an accessible router or switch
• How?
• Straight through the front door
Taking the trunk
• Robert Moore – 2007, stole 10 million minutes worth of talk time
• Step 1: Bought information on corporate IP addresses for $800
• Step 2: Scanned for accessible VoIP routers and switches
• Step 3: Scanned for default passwords and unpatched Cisco boxes
• Step 4: Profit! (Or jail in Mr. Moore’s case)
Taking the trunk
• “70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure”
• “I'd say 85% of them were misconfigured routers. They had the default passwords on them”
• “The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords.”
‐ Source: http://www.informationweek.com
Attacking the protocols ‐ summary
• Essentially the same offence/defence we’ve had for years
• Discovery, enumeration and exploitation follow roughly the same patterns as most other TCP/IP services
• Protecting against these problems is the same struggle with password management, access lists and updates
Question Time! http://seanhn.wordpress.com