Black Box Analysis and Attacks of Nortel VoIP Implementations
Richard Gowman, CISSP
Eldon Sprickerhoff, CISSP CISA
www.esentire.com
Copyright 2007 eSentire, Inc.

Who we are...
➲ eSentire, Inc.
➲ Based out of Cambridge, ON.
➲ Collaborative Threat Management (Ongoing Security Analysis, Penetration Testing)
➲ Established in 2001.

Why Are We Speaking?
➲ Engaged in VoIP Security Analysis
➲ Nortel always seemed to get off easy (most attention paid to Cisco and Avaya?)
➲ We have several clients that use Nortel IP Telephony.

Overview
➲ Misconceptions about Nortel IP Telephony
➲ Physical Traffic Capture Configuration
➲ Protocols
➲ Attack Tree
➲ Implementation Weaknesses
➲ Remedies Against Attacks
➲ Nortel's Responses
➲ Tidbits

Misconceptions
➲ Voodoo
➲ Implemented by external consultants
➲ Not fully understood by Voice group
➲ Not fully understood by Network group
➲ Security == Chicken Little

Misconceptions
➲ “Nortel uses a proprietary protocol and it's impossible to eavesdrop or extract the conversation.”
➲ “I did a packet capture and only got VLAN tagged data.”
➲ “We're OK, it's segregated from the data network.”
➲ “Haven't seen any tools on the Net.”
➲ “nCircle didn't find anything.”
➲ “We're getting a SIP firewall.”

On The Wire
➲ Hub/Bridge combo
➲ VLAN if necessary
➲ We used OpenBSD bridge/vlan combo.

Run Through Possible Traffic
➲ reboot_phone
➲ offhook_and_hangup
➲ offhook_onedigit_hangup
➲ call_internal_no_answer
➲ call_internal_answer
➲ internal_call_us
➲ internal_call_no_pickup
➲ internal_call_us_answer
➲ speakerphone_nocall
➲ speakerphone_call
➲ speakerphone_call_answer
➲ redial
➲ redial_answer
➲ change_volume
➲ disconnect_server_cable
➲ disconnect_server_cable_in_conversation
➲ disconnect_client_cable_in_conversation
➲ nmap_client
➲ external_call_in
➲ call_external
➲ And so on....
Protocols
➲ It sure ain't SIP, baby.
➲ Unified Networks IP Stimulus (UNIStim)
➲ US Patent 7068641
➲ Canadian Patent 2273657

UNIStim
➲ Some details can be found in Asterisk documentation
➲ But didn't seem to necessarily mesh with what we found (possibly an older version?)

UNIStim
➲ UDP protocol
➲ Contains a sequence number, a few flags, and commands/parameters

UNIStim Sequence Number
➲ Sequence number increments by 1 for each packet.
➲ Both client and server appear to ignore packets with incorrect sequence number (although they still send an ACK back).

UNIStim Flags
➲ Flag1: 0x00 – Error, 0x01 – ACK, 0x02 – PUSH
➲ Flag2: 0x00 – ServerACK/Irrelevant, 0x01 – server (to client), 0x02 – client (to server)
➲ Tag: (Client only) 4 bytes that the server will instruct the client to use
➲ cmd/sub cmd: These fields are combined to give the instruction to the client/server.

Network Capture
➲ Headset boots up (DHCP)
➲ Initial conversation with PBX (UNIStim)
➲ RTP packets sent directly between two phones

UNIStim
➲ Again, not SIP.
➲ Nortel will tell you that they support SIP and H.323
➲ IP sets themselves only speak UNIStim.
➲ SIP functionality “available” through UNIStim Terminal Proxy Server
➲ Not “Open Source”
➲ UNIStim channel driver exists for Asterisk.
Security Considerations
➲ Confidentiality
➲ Integrity
➲ Availability

Confidentiality
➲ For Phone Call: Easy to sniff and reassemble phone conversations. (Ethereal/Wireshark can do it right out of the box for any RTP stream.)
➲ For Control Stream: Also easy to sniff UNIStim packets, so you can see exactly who the phone is calling.

Integrity
➲ For Phone Call: RTP also has a sequence number, so must sniff it before being able to inject. Nothing prevents you from modifying packets as they pass through...
➲ For Control Stream: Seq number (in theory!) means that you must sniff an RTP packet first, and then can take over the stream. Again, nothing prevents you from modifying the packets in transit...

Availability
➲ For Phone Call: Determine seq number and spoof some packets. The other end now hears what you want (which could be nothing at all).
➲ For Control Stream: Determine seq number and tell the phone to do whatever you want it to do (including hanging up).

Availability
➲ For Phone: Start sending it packets (with a valid sequence number.) If you don't do everything properly, you'll confuse the phone and cause it to reboot (which takes a few minutes).
➲ For Call Manager: Of course, nothing works if you can take down the Call Manager. (More on this later... :)
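The RTP injection described in the Integrity and Availability slides leaves a trace a passive monitor can catch. This is an added example, not code from the talk or from eSentire's UNIStimpy: it decodes the RFC 3550 RTP header and flags, per SSRC, a sequence number that is reused or rewound and a change of source address; the packets and addresses are constructed for the example.

```python
import struct
from collections import namedtuple

RtpHdr = namedtuple("RtpHdr", "version pt marker seq ts ssrc payload")

def parse_rtp(data):
    """Decode the fixed 12-byte RTP header (RFC 3550); None if not RTP v2 or too short."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack(">BBHII", data[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    if version != 2 or len(data) < 12 + 4 * cc:
        return None
    return RtpHdr(version, b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc, data[12 + 4 * cc:])

def build_rtp(seq, ts, ssrc, pt=0, payload=b"\xff" * 4):
    """Constructed RTP packet: version 2, no padding/extension/CSRCs, G.711 mu-law by default."""
    return struct.pack(">BBHII", 0x80, pt, seq, ts, ssrc) + payload

def audit_rtp_stream(packets):
    """packets: iterable of (src_ip, datagram). Returns [(reason, src_ip, seq), ...].
    An injector that spoofs the phone's own IP only trips the replay check, because the
    genuine packet with the same sequence number still arrives afterwards."""
    state = {}   # ssrc -> (first source seen, last accepted seq)
    alerts = []
    for src, data in packets:
        h = parse_rtp(data)
        if h is None:
            continue
        if h.ssrc not in state:
            state[h.ssrc] = (src, h.seq)
            continue
        known_src, last_seq = state[h.ssrc]
        if src != known_src:
            alerts.append(("ssrc_source_changed", src, h.seq))
        delta = (h.seq - last_seq) & 0xFFFF        # RTP sequence numbers wrap at 2^16
        if delta == 0 or delta > 0x8000:            # same seq again, or moving backwards
            alerts.append(("seq_replay_or_rewind", src, h.seq))
        else:
            state[h.ssrc] = (known_src, h.seq)      # heavy reordering would also land here
    return alerts

def sample_call():
    """Constructed capture: phone 10.0.0.20 sends seq 100..104; an injected packet with
    seq 105 arrives from 10.0.0.99 first, then the phone's genuine seq 105 shows up."""
    ssrc = 0xDEADBEEF
    pkts = [("10.0.0.20", build_rtp(100 + i, 160 * i, ssrc)) for i in range(5)]
    pkts.append(("10.0.0.99", build_rtp(105, 800, ssrc)))
    pkts.append(("10.0.0.20", build_rtp(105, 800, ssrc)))
    return pkts
```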
Attacks/Recon
➲ SYN Floods
➲ Network Mapping
➲ Fuzzing
➲ Brute Force Pass
➲ UNIStim seq num brute force
➲ Pickup/Hangup
➲ Media Card
➲ RTP injection
➲ ChangeDisplay
➲ Dial
➲ Terminate Conn
➲ Force Conn Open

“This is UNIX. I know this!”
➲ nmap shows:
➲ tcp/21
➲ tcp/23
➲ tcp/80
➲ tcp/111
➲ tcp/513
➲ udp/5060
➲ udp/161
➲ icmp

What else?
➲ SNMP: OID 1.3.6.1.2.1.1.1 (sysDescr, sysUptime, Software Release)
➲ SNMP community name: public
➲ FTP, HTTP: VxWorks
➲ ICMP: Timestamp

SYN Floods
➲ Server well-defended against flood of half-open packets.
➲ But the protocol appears to be weakly defended against fuzzing attacks.

“Atemi”
➲ Send random crap to ports
➲ Create a broad-fisted DoS (works well against TCP).
➲ Take down the Primary, helps to find Secondary and Tertiary servers.
UNIStim Seq Num Brute Force
➲ Sequence number for UNIStim packets appears to be 32 bits. Unless you can sniff a packet, you must guess, and 32 bits is too large (due to hardware limitations on the phones themselves).
➲ However, from observation, the first 16 bits always seem to be 0. This makes a brute force attack on the sequence number very feasible. (About a minute or so.)

Dial
➲ Cause a phone to dial any number you want.
➲ Want to get that annoying coworker fired? Just about any 1-900 number will do (unless they're blocked).
➲ Keep initiating calls from your boss to the CEO (or their spouse – marital discord).

Terminate Connection
➲ Causes a connection to be closed.
➲ Inject one packet towards server saying client has hung up.
➲ Also inject one packet towards client saying other side has hung up.

Force Conn Open
➲ Initiate a phone call without recipient knowing.
➲ Why wait for a phone call in order to listen in to your victim?

Brute Force Admin Password
➲ ADMIN1
➲ Telnet is probably your best bet.
➲ Try “1111” as the password first.

Media Card Tidbits
➲ Tertiary IP telephony provisioning
➲ 32 phones per card
➲ Doesn't require a separate PBX (apparently).
➲ Only has UDP ports open (not susceptible to TCP SYN attacks).
➲ But appears to be particularly susceptible to protocol-sensitive fuzzing attacks.

Media Card One-Packet DoS Hex Example
➲ UDP
➲ SRC Port: 5000, DST Port: 5100
➲ HEX DATA DELETED UNTIL ISSUE RESOLVED
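A passive check for the sequence-number guessing described on the UNIStim sequence-number, flags and brute-force slides, as an added example that is not from the talk or from UNIStimpy. The header layout it parses (4-byte big-endian sequence number, then the Flag1 and Flag2 bytes, then cmd/sub-cmd) is an assumption for illustration based on the fields the flags slide names, and the addresses and capture are constructed.

```python
import struct
from collections import defaultdict, deque
# Assumed layout (illustration only): 4-byte big-endian seq, Flag1, Flag2, then cmd/sub-cmd.
HDR = struct.Struct(">IBB")

def parse_unistim(datagram):
    """Return (seq, flag1, flag2, rest) or None if the datagram is too short."""
    if len(datagram) < HDR.size:
        return None
    seq, flag1, flag2 = HDR.unpack_from(datagram)
    return seq, flag1, flag2, datagram[HDR.size:]

def build(seq, flag1=0x02, flag2=0x02, rest=b"\x00\x00"):
    """Constructed datagram under the assumed layout (flag values as on the slides)."""
    return HDR.pack(seq, flag1, flag2) + rest

def effective_seq_bits(seqs):
    """Bits that actually vary across observed seqs (OR of all values); <= 16 if the top half is always 0."""
    acc = 0
    for s in seqs:
        acc |= s
    return acc.bit_length()

def detect_seq_bruteforce(packets, threshold=200, window_s=5.0):
    """packets: (timestamp, src, dst, datagram). A genuine peer sends last+1 (or retransmits
    last); a loop walking a 2^16 space sends thousands of other values per minute."""
    last, bad, hits = {}, defaultdict(deque), {}
    for ts, src, dst, dgram in sorted(packets, key=lambda p: p[0]):
        parsed = parse_unistim(dgram)
        if parsed is None:
            continue
        seq, key = parsed[0], (src, dst)
        if key in last and seq not in (last[key], last[key] + 1):
            q = bad[key]
            q.append(ts)
            while ts - q[0] > window_s:         # keep only off-sequence packets inside the window
                q.popleft()
            if len(q) >= threshold:
                hits[key] = max(hits.get(key, 0), len(q))
        else:
            last[key] = seq   # only in-sequence traffic advances the expected value
    return hits

def sample_capture():
    """Constructed: phone 10.0.0.20 and PBX 10.0.0.5 exchange five packets each, then 300 guesses (seq 0..299) hit the phone with the PBX address spoofed."""
    pkts = [(t, "10.0.0.20", "10.0.0.5", build(0x1200 + t)) for t in range(5)]
    pkts += [(t + 0.5, "10.0.0.5", "10.0.0.20", build(0x0800 + t, 0x02, 0x01)) for t in range(5)]
    pkts += [(10 + i / 1000, "10.0.0.5", "10.0.0.20", build(i, 0x02, 0x01)) for i in range(300)]
    return pkts
```

A sweep that happens to begin at the flow's current value looks like a live peer to the sequence check, which is why the per-window count, not any single mismatch, is the signal.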
Official Nortel Position
➲ Securing Multimedia & IP Telephony
➲ “Instant” Secure Multimedia Zone: Secure Multimedia Controller 2450 (SMC)
➲ Virtual “moat” around servers
➲ Stateful filters (SIP, H.323, etc.)
➲ Denial of Service defence engine
➲ Secure UNIStim encryption proxy
➲ 802.1X with EAP
➲ SRTP
➲ Gratuitous ARP Denial, Switch Lockdown

Security is a PITA
➲ Easy to ignore (Just get it working!)
➲ Adds overhead
➲ Can limit debugging capability
➲ Compatibility issues (conference calls, etc.)
➲ Major PITA to add after-the-fact

Configuration
➲ Limit administration access.
➲ Lock down protocols (some firewall functionality exists in the product itself).

Finally... ChangeDisplay
➲ Tell the phone what to display
➲ Could use to display caller-id name/number
➲ Plus, it's a lot of fun...

UNIStimpy: Slides and Code
➲ http://www.esentire.com/unistimpy
➲ Code coming soon!
➲ Shameless Plug: We consult!