Black Box Analysis and Attacks of Nortel VoIP Implementations

CanSecWest

Richard Gowman, CISSP
Eldon Sprickerhoff, CISSP CISA
www.esentire.com
Copyright 2007 eSentire, Inc.


Who we are...
➲ eSentire, Inc.
➲ Based out of Cambridge, ON.
➲ Collaborative Threat Management (Ongoing Security Analysis, Penetration Testing)
➲ Established in 2001.


Why Are We Speaking?
➲ Engaged in VoIP Security Analysis
➲ Nortel always seemed to get off easy (most attention paid to Cisco and Avaya?)
➲ We have several clients that use Nortel IP Telephony.


Overview
➲ Misconceptions about Nortel IP Telephony
➲ Physical Traffic Capture Configuration
➲ Protocols
➲ Attack Tree
➲ Implementation Weaknesses
➲ Remedies Against Attacks
➲ Nortel's Responses
➲ Tidbits


Misconceptions
➲ Voodoo
➲ Implemented by external consultants
➲ Not fully understood by Voice group
➲ Not fully understood by Network group
➲ Security == Chicken Little


Misconceptions
➲ “Nortel uses a proprietary protocol and it's impossible to eavesdrop or extract the conversation.”
➲ “I did a packet capture and only got VLAN tagged data.”
➲ “We're OK - it's segregated from the data network.”
➲ “Haven't seen any tools on the Net.”
➲ “nCircle didn't find anything.”
➲ “We're getting a SIP firewall.”


On The Wire
➲ Hub/Bridge combo
➲ VLAN if necessary
➲ We used OpenBSD bridge/vlan combo.


Run Through Possible Traffic
➲ reboot_phone
➲ offhook_and_hangup
➲ offhook_onedigit_hangup
➲ call_internal_no_answer
➲ call_internal_answer
➲ internal_call_us
➲ internal_call_no_pickup
➲ internal_call_us_answer
➲ speakerphone_nocall
➲ speakerphone_call
➲ speakerphone_call_answer
➲ redial
➲ redial_answer
➲ change_volume
➲ disconnect_server_cable
➲ disconnect_server_cable_in_conversation
➲ disconnect_client_cable_in_conversation
➲ nmap_client
➲ external_call_in
➲ call_external
➲ And so on....


Protocols (1)
➲ It sure ain't SIP, baby.
➲ Unified Networks IP Stimulus (UNIStim)
➲ US Patent 7068641
➲ Canadian Patent 2273657


UNIStim
➲ Some details can be found in Asterisk documentation
➲ But didn't seem to necessarily mesh with what we found (possibly an older version?)


UNIStim
➲ UDP protocol
➲ Contains a sequence number, a few flags, and commands/parameters


UNIStim Sequence Number
➲ Sequence number increments by 1 for each packet.
➲ Both client and server appear to ignore packets with incorrect sequence number (although they still send an ACK back)


UNIStim Flags
➲ Flag1: 0x00 – Error, 0x01 – ACK, 0x02 – PUSH
➲ Flag2: 0x00 – ServerACK/Irrelevant, 0x01 – server (to client), 0x02 – client (to server)
➲ Tag: (Client only) 4 bytes that the server will instruct the client to use
➲ cmd/sub cmd: These fields are combined to give the instruction to the client/server.


Network Capture
➲ Headset boots up (DHCP)
➲ Initial conversation with PBX (UNIStim)
➲ RTP packets sent directly between two phones


UNIStim
➲ Again, not SIP.
➲ Nortel will tell you that they support SIP and H.323
➲ IP sets themselves only speak UNIStim.
➲ SIP functionality “available” through UNIStim Terminal Proxy Server
➲ Not “Open Source”
➲ UNIStim channel driver exists for Asterisk.


Security Considerations
➲ Confidentiality
➲ Integrity
➲ Availability


Confidentiality
➲ For Phone Call: Easy to sniff and reassemble phone conversations. (Ethereal/Wireshark can do it right out of the box for any RTP stream.)
➲ For Control Stream: Also easy to sniff UNIStim packets, so you can see exactly who the phone is calling.


Integrity
➲ For Phone Call: RTP also has a sequence number, so must sniff it before being able to inject. Nothing prevents you from modifying packets as they pass through...
➲ For Control Stream: Seq number (in theory!) means that you must sniff an RTP packet first, and then can take over the stream. Again, nothing prevents you from modifying the packets in transit...


Availability
➲ For Phone Call: Determine seq number and spoof some packets. The other end now hears what you want (which could be nothing at all).
➲ For Control Stream: Determine seq number and tell the phone to do whatever you want it to do (including hanging up).


Availability (2)
➲ For Phone: Start sending it packets (with a valid sequence number). If you don't do everything properly, you'll confuse the phone and cause it to reboot (which takes a few minutes).
➲ For Call Manager: Of course, nothing works if you can take down the Call Manager. (More on this later... :)


Attacks/Recon
➲ SYN Floods
➲ Network Mapping
➲ Fuzzing
➲ Brute Force Pass
➲ UNIStim seq num brute force
➲ Pickup/Hangup
➲ Media Card
➲ RTP injection
➲ ChangeDisplay
➲ Dial
➲ Terminate Conn
➲ Force Conn Open


“This is UNIX. I know this!”
➲ nmap shows:
➲ tcp/21
➲ tcp/23
➲ tcp/80
➲ tcp/111
➲ tcp/513
➲ udp/5060
➲ udp/161
➲ icmp


What else?
➲ SNMP: OID 1.3.6.1.2.1.1.1 (sysDescr, sysUptime, Software Release)
➲ SNMP community name: public
➲ FTP, HTTP: VxWorks
➲ ICMP: Timestamp


SYN Floods
➲ Server well-defended against flood of half-open packets.
➲ But the protocol appears to be weakly defended against fuzzing attacks.


“Atemi”
➲ Send random crap to ports
➲ Create a broadfisted DoS (works well against TCP).
➲ Take down the Primary, helps to find Secondary and Tertiary servers.


UNIStim Seq Num Brute Force
➲ Sequence number for UNIStim packets appears to be 32 bits. Unless you can sniff a packet, you must guess, and 32 bits is too large (due to hardware limitations on the phones themselves).
➲ However, from observation, the first 16 bits always seem to be 0. This makes a brute force attack on the sequence number very feasible. (About a minute or so.)
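Defensive counterpart to the two sequence-number slides (the ACK-anyway behaviour and the 16 zero bits), added here and not part of the original deck: a monitor that counts wrong-sequence packets per flow inside a time window, plus an audit check that tests captured sequence numbers for the all-zero upper half. The record layout, IP addresses, thresholds and sample capture are constructed assumptions; the UNIStim wire format itself is not decoded.

```python
# Added example (not from the slides): flag UNIStim sequence-number guessing in
# traffic already decoded to (ts, src_ip, dst_ip, seq); wire layout not reproduced.
from collections import defaultdict, deque

SEQ_MASK = 0xFFFFFFFF   # slides: the sequence number is 32 bits

class UnistimSeqMonitor:
    def __init__(self, window=5.0, threshold=50):
        self.window = window            # seconds of history kept per flow
        self.threshold = threshold      # bad packets per window before alerting
        self.expected = {}              # (src, dst) -> next expected seq
        self.bad = defaultdict(deque)   # (src, dst) -> timestamps of bad seqs

    def observe(self, ts, src, dst, seq):
        """Return an alert string for this packet, or None."""
        flow = (src, dst)
        exp = self.expected.get(flow)
        if exp is None or seq == exp:                 # first packet or in order
            self.expected[flow] = (seq + 1) & SEQ_MASK
            return None
        if seq == (exp - 1) & SEQ_MASK:               # benign retransmit
            return None
        # Wrong seq: per the slides the peer drops it but still ACKs, which is
        # what a guesser relies on, so count these per flow in a sliding window.
        q = self.bad[flow]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()
        return f"{src}->{dst}: {self.threshold} out-of-sequence packets in {self.window}s"

def scan(records):
    """Run the monitor over (ts, src, dst, seq) records; return alert strings."""
    mon = UnistimSeqMonitor()
    return [a for a in (mon.observe(*r) for r in records) if a]

def upper_bits_always_zero(seqs):
    """Audit check for the observation above: the top 16 bits are never set."""
    return all(s >> 16 == 0 for s in seqs)

def constructed_capture():
    """Constructed sample: 20 in-order packets, then 60 guessed sequence numbers."""
    phone, pbx = "10.0.0.5", "10.0.0.1"
    legit = [(i * 0.1, phone, pbx, 0x1000 + i) for i in range(20)]
    guesses = [(2.0 + i * 0.02, phone, pbx, 0xA000 + 7 * i) for i in range(60)]
    return legit + guesses
```

Feed it records from a decoder of your choice; the retransmit branch keeps ordinary duplicate packets from counting against a flow.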


Dial
➲ Cause a phone to dial any number you want.
➲ Want to get that annoying co-worker fired? Just about any 1-900 number will do (unless they're blocked).
➲ Keep initiating calls from your boss to the CEO (or their spouse – marital discord).


Terminate Connection
➲ Causes a connection to be closed.
➲ Inject one packet towards server saying client has hung up.
➲ Also inject one packet towards client saying other side has hung up.


Force Conn Open
➲ Initiate a phone call without recipient knowing.
➲ Why wait for a phone call in order to listen in to your victim?


Brute Force Admin Password
➲ ADMIN1
➲ Telnet is probably your best bet.
➲ Try “1111” as the password first.


Media Card Tidbits
➲ Tertiary IP telephony provisioning
➲ 32 phones per card
➲ Doesn't require a separate PBX (apparently).
➲ Only has UDP ports open (not susceptible to TCP SYN attacks).
➲ But appears to be particularly susceptible to protocol-sensitive fuzzing attacks.


Media Card One-Packet DoS Hex Example
➲ UDP
➲ SRC Port: 5000, DST Port: 5100
➲ HEX DATA DELETED UNTIL ISSUE RESOLVED


Official Nortel Position
➲ Securing Multimedia & IP Telephony
➲ “Instant” Secure Multimedia Zone: Secure Multimedia Controller 2450 (SMC)
➲ Virtual “moat” around servers
➲ Stateful filters (SIP, H.323, etc.)
➲ Denial of Service defence engine
➲ Secure UNIStim encryption proxy
➲ 802.1X with EAP
➲ SRTP
➲ Gratuitous ARP Denial, Switch Lockdown


Security is a PITA
➲ Easy to ignore (Just get it working!)
➲ Adds overhead
➲ Can limit debugging capability
➲ Compatibility issues (conference calls, etc.)
➲ Major PITA to add after-the-fact


Configuration
➲ Limit administration access.
➲ Lock down protocols (some firewall functionality exists in the product itself).


Finally... ChangeDisplay
➲ Tell the phone what to display
➲ Could use to display caller-id name/number
➲ Plus, it's a lot of fun...


UNIStimpy: Slides and Code
➲ http://www.esentire.com/unistimpy
➲ Code coming soon!
➲ Shameless Plug: We consult!
