VoIP security: Implementation and Protocol Problems

VoIP Security

Implementa3on and Protocol Problems

Sean Heelan, ISSA Seminar, May 2009

Overview

• VoIP background info • Finding and exploi3ng implementa3on related bugs

• Finding and exploi3ng protocol related bugs • Ques3ons!

VoIP Security ‐ Implementa3on and Protocol Problems 5th May 2009 2

Who am I

• Graduate student in Computer Science • Primarily interested in soNware verifica3on and program analysis


VoIP Background Info


Popularity of VoIP

• Why bother looking for security problems? • ~50% of American businesses using it in some form in 2008 (src. Computer Economics)

• Anyone here today? • Home users – Skype, Gizmo, Blueface etc.


Ambiguous graph 3me


Protocols

• SIP • SCCP • H.225 • H.239 • H.245 • RTCP • SDP • MGCP


Protocols

• IAX2 • Skype • H.460 • H.450 • RTP • STUN • RSVP • SS7 • ….and so on


Protocols

• Why so many? • Call setup, signalling, data transfer, route nego3a3on, PSTN interoperability

• Each requiring a different protocol and a different implementa3on

• Usually in C or C++


Protocols

• More protocols == More ahack vectors • Heterogeneous networks are good for an ahacker and bad for an administrator

• Tes3ng efforts are diluted across devices and protocols

• No public tes3ng tools available for the majority of the protocols men3oned


VoIP: A hackers dream

• Integrates the voice communica3ons of an organisa3on into an environment the ahacker is familiar with

• Same protocols, tools and environments • Open standards and accessible devices • Scary as hell when you think about it – you just moved your en3re comms infrastructure to our playground

• Cheers! VoIP Security ‐ Implementa3on and

Protocol Problems 5th May 2009 11

Ahacking the implementa3on


Good ol’ memory corrup3on

Servers running on Windows, Linux or other Unix

+ Phones running on a tradi3onal OS or oNen embedded Linux

+ Wrihen in C/C++

= Buffer overflows, NULL pointers, infinite loops and all their friends


Finding the bugs

• Fuzzing ‐ a rather effec3ve hammer for many a nail

• Automa3cally genera3on/sending semi‐valid requests to a target in the hope of crashing it

• Requires no understanding of the applica3on/device internals

• Responsibly for the detec3on of a huge percentage of security bugs


Fuzzing in 2 minutes

• Genera3on based • Muta3on based

• Extensions – Binary analysis, feedback loops, debuggers


Fuzzing example 1 INVITE sip:[email protected] SIP/2.0 CSeq: 536870905 INVITE Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq Content-Type: application/sdp Content-Length: 378

s_static(“INVITE ") s_string(“sip:[email protected]”) s_static(” SIP/2.0 \r\n")

INVITE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SIP/2.0 CSeq: 536870905 INVITE Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq Content-Type: application/sdp Content-Length: 378


Fuzzing example 2 INVITE sip:[email protected] SIP/2.0 CSeq: 536870905 INVITE Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq Content-Type: application/sdp Content-Length: 378

s_static("Content-Length: ") s_dword(378, fuzzable=True, format=“ascii”) s_static("\r\n")

INVITE sip:[email protected] SIP/2.0 CSeq: 536870905 INVITE Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq Content-Type: application/sdp Content-Length: 4294967296


Building your own fuzzer

• Genera3onal fuzzing frameworks available – Peach, Sulley, Fusil, Spike etc

• Map out the protocol in a high level descrip3on language

• Auxiliary tools for crash detec3on and logging


Feeling lazy?

• Free fuzzers for SIP – PROTOS, VoIPER • Commercial fuzzers ‐ Codenomicon, MuDynamics

• Use a generic fuzzer like GPF – takes a packet capture and mutates it


Does it work?


And the award for epic fail goes to….


Memory corrup3on summary

• Fuzzers make it simple to find bugs • Trivial to find DoS condi3ons • Currently no public exploits that remotely execute malicious code on hard‐phones

• Exploi3ng vulnerabili3es in soN‐phones is much easier, diho for servers running on tradi3onal opera3ng systems


So hard‐phones are safe then?

• Not quite … • Run a variety of services along with the VoIP core

• Web server, TFTP server/client, terminal admin console

• Introduces every ahack vector available against these services


Web service ahacks

• Most hard‐phones provide a web based admin interface, as do many servers

• Notoriously security agnos3c • XSS, CSRF, SQL injec3on, default/no passwords, authen3ca3on bypass

“Cisco Unified Communica7ons Manager is vulnerable to a SQL Injec7on aBack in the parameter key of the admin and user interface pages. A successful aBack could allow an authen7cated aBacker to access informa7on such as usernames and password hashes that are stored in the database.” – Cisco 2008


Web ahack example

• Snom 320 VoIP phones • Admin interface accepts unauthorized POST data

• Admin interface can also be used to make calls

• GNUCi3zen.org combined the above two ‘features’ for remote surveillance


GNUCi3zen.org – Snom 320 ahack

• Ahacker scans for vulnerable devices by checking for remotely accessible signature files

• Ahacker sends POST to vic3m’s IP with data: NUMBER=ATTACKERNUM

• Ahacker answers the incoming call • Vulnerable device uses inbuilt receiver to capture ambient sound and send to the ahacker


Finding web service bugs

• Simple to automate • Standard tools for finding SQL, CSRF and XSS bugs – w3af ahack framework

• Using SIP packets as an injec3on vector – XSS in log data

• Far easier to find and exploit a bug in a web interface than to create a reliable memory corrup3on exploit


Ahacking the protocols


Ahacking the protocols

• Authen3ca3on • Authoriza3on • Encryp3on • Same approach as every TCP/IP based service


Ahacking the protocols ‐ discovery

• Many VoIP protocols are TCP based and run on standard ports – nmap

• Specialist tools available for certain protocols – SIPVicious, iaxscan – Can scan thousands of hosts an hour

• Scanning random hosts turns up hoards of easily accessible servers


Ahacking the protocols ‐ authen3ca3on

• SIP and IAX2 – 2 step authen3ca3on by default • What does that mean? – We can enumerate valid accounts first and then crack passwords

• Account discovery search space – Two step auth = X*X – Single step auth = XX Where X is the size of the username/password pool

• We’d shoot a web developer that did this but apparently it’s OK for VoIP


Ahacking the protocols ‐ authen3ca3on

• Many networks s3ll use 3 or 4 digit usernames and passwords

• SIPVicious/iaxscan can check all possible combina3ons in minutes


Ahacking the protocols ‐ sniffing

• Not en3rely a protocol level problem • Intercepted communica3ons can be easily reconstructed into audio/video files – wireshark, UCSniff

• VLAN hopping – exploi3ng networks that rely on layer 2 protocols to allow access to the voice LAN – Voip Hopper


Taking the trunk

• Stealing individual accounts is fun and all but how about stealing the phone company?

• Requires admin access to an accessible router or switch

• How? • Straight through the front door


Taking the trunk

• Robert Moore – 2007, stole 10 million minutes worth of talk 3me

• Step 1: Bought informa3on on corporate IP addresses for $800

• Step 2: Scanned for accessible VoIP routers and switches

• Step 3: Scanned for default passwords and unpatched Cisco boxes

• Step 4: Profit! (Or jail in Mr. Moore’s case)


Taking the trunk

• “70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure”

• “I'd say 85% of them were misconfigured routers. They had the default passwords on them"

• “The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords.”

‐ Source: http://www.informationweek.com


Ahacking the protocols ‐ summary

• Essen3ally the same offence/defence we’ve had for years

• Discovery, enumera3on and exploita3on follow roughly the same paherns as most other TCP/IP services

• Protec3ng against these problems is the same struggle with password management, access lists and updates


Ques3on Time! http://seanhn.wordpress.com


Technology

VoIP security: Implementation and Protocol Problems