What I’ve been working on…
Lots of links included:
- SEC-T in Sweden where I presented on VoIP security and the Internet .. proof that there’s lots of VoIP devices being exposed on the ‘net, and the sharks are there to profit by abusing them
- Updated SIPVicious to support new features used for the SEC-T presentation
- BruCON VoIP Auditing Workshop, which will be held tomorrow and the next day .. attendees will get to build their own tools and demonstrate security issues in popular PBX servers and SIP phones (more details on sipvicious.org)
- Upcoming research in the following topics: Opensource PBX server security, SIP Digest leakage (some details here)
- VOIPSCANNER.com is another project that is being upgraded
- VOIPPACK updates, more details on this soon
- And in between there’s real work too :-)
Filed under: Site news | Leave a Comment
HAR2009: Talks of interest
After a long wait, HAR is finally with us. There’s a large number of talks and events and I thought I’d make a list of the ones that I hope to attend today:
- “Teh Internetz are pwned” by Scott McIntyre: all the internet threats and issues from the point of view of an Internet Service provider.. might be illuminating ;-)
- “Rootkits are awesome” by Mike Kemp, will be an update talk about his research into DLP (data loss prevention) and I hear that he’ll be picking on more products
- “Countering behavior based malware analysis” by Nomenumbra
- “Advanced MySQL Exploitation” by Muhaimin Dzulfakar, the author of MySqloit
- “Securing networks from an ISP perspective” by Bradley Freeman, seems to be along the lines of the talk by Scott McIntyre but from the point of view of a research & education network perspective, JANET
Then there’s the workshops (and beer) which appear to be worth visiting in between the talks. Busy times indeed, but if you’re around email me.
Filed under: Site news | Leave a Comment
One thing that I’ve been working on is making it easy for organizations and consultants to check their IP PBX for security issues. Toll fraud, or theft of service (phone calls) is becoming quite a problem for organizations that expose their PBX on the Internet. VOIPSCANNER.com aims to make it easier to find out how easy it is for attackers out there to gain access to your PBX.
So head over to VOIPSCANNER.com and create an account!
Using this tool consists of the following steps:
- Register an account and buy credit (or use the time limited promo ENABLESEC to get some for free)
- Enter the IP address of your PBX server and scan away
- Receive a report by email that shows the findings
How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:
- Checks if an IP PBX is listening on the given address
- Does extension enumeration, just like svwar in SIPVicious
- For each extension found it starts a password cracking attack
- Generate a PDF report such as this one
Any feedback or affiliate requests, contact me.
Filed under: Site news | Leave a Comment
Tags: saas security, saas voip, sip security, sipvicious 2.0, sipvicious-ng, voip report, voip security report, voipscanner
Our presentation at OWASP Europe in Krakow on Web Application Firewall shortcomings was featured on Darkreading, and Wendel was quoted in the article. Other sites and blogs (such as Heise) also mentioned the presentation. Imperva’s (which happens to be a WAF vendor) blog had some comments about the presentation as well, and in this post I hope to answer some of the claims.
“What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out if a WAF is deployed to protect a web application and two techniques that can allegedly “bypass” WAFs.”
Unfortunately we had a couple of technical issues that meant that our presentation did not start on time and some of the live demos could not be shown. We had just 30 minutes to present which was not enough. We did perform the demos the next day anyway to a number of people who had some interesting feedback (more on that later). Either way, we mentioned more than two techniques that can lead to a bypass in some of the Web Application Firewalls.
“The two speakers described WAFs basically as a combination of black lists and white lists while missing the entire point in WAFs that learn the web application interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages in purely signature based products like IDSs.”
I do not currently have access to Imperva’s SecureSphere, but aren’t “dynamic profiling and express complex security rules” there to automatically create whitelists? That is what the SecureSphere datasheet and the specifications page implies. If not, can you explain how this works (and also explain express complex security rules)?
Most WAFs by default support blacklist approach and on large complex sites the positive model is not easy to setup or maintain. Making use of learning features of various WAF products is definitely going to help, but does not solve issues such as maintenance. A good question is “what sort of traffic do you use to train your WAF”? A large number of WAFs are configured to make use of the blacklist approach most of the times, even though the positive / whitelist model is supported by the WAF product.
“Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased”
Detection of the WAF is not a major security issue within itself, but is just another step in the reconnaissance stage of an attack.
As for the feedback that we received at OWASP, many of the participants who had first hand experience with Web Application Firewalls agreed that positive model Web Application Firewalls are a pain to maintain. Everyone came to the conclusion that you need dedicated personnel to maintain a large web application protected by a WAF. That is hardly something that the vendors want you to know.
Filed under: rant | Leave a Comment
Tags: appseceu09, imperva, owasp, sandro, securesphere, waf security, wendel
So the OWASP at Krakow (which was a great experience!) came to an end. The conference was a mixture of technical and non-technical presentations; I liked the w3af presentation and thought it was well delivered, and I heard that the “HTTP Parameter Pollution” was particularly interesting. It seems that the Web Applications Firewall talk that we gave steered the attention of various organizations, media (DarkReading) and people (Twitter). The presentation went a big bonkers and Murphey’s Law kicked in. However we got the chance to demonstrate the missed content after the conference for an audience that provided a lot of good feedback.
I’ll also be presenting a session on VoIP scanning on the internet at CONFidence tomorrow. Most other presentations and research seems to focus on VoIP (in)security + layer 2 issues, such as sniffing clear text VoIP. In contrast to this, my session will be more focused on what attackers coming Internet (can) do to your SIP PBX and endpoints. The focus is on demonstrating using both live demos and recorded videos and destribing some interesting (rather new) attacks that apply to VoIP on the Internet.
Filed under: Site news | Leave a Comment
Tags: confidence, darkreading, krakow, voip, waf, web application firewall
Back from Troopers09 in Munich after presenting our (Wendel Guglielmetti Henrique from Trustwave and yourstruly) research on Web Application Firewalls. Troopers was great and the organizers (Enno Rey and co) made a great job out of the conference. Kudos to them! During the presentation we demonstrated some tools that will help security analysts and penetration testers to identify WAFs and fingerprint their rules.We hope to release these tools soon.. meanwhile if you would like to beta test, please send me a note.
Last week Bryan Miller from Syrinx Technologies interviewed me on Web Application Security and WAFs. You may listen to this podcast here where I gave my views on web application security and an introduction to the presentation for Troopers. If you would like to keep updated with this podcast, you may subscribe using the RSS feed.
Filed under: Site news | Leave a Comment
Tags: interview, podcast, syrinx, troopers09, trustwave, web application firewall, web application security
Announcing the VOIPPACK April edition supporting IAX2 and can now scan Asterisk servers. Because the feedback for sipautohack was great, we included a similar tool for the Asterisk protocol called iax2autohack in the April edition of VOIPPACK. The following are the new tools avialable in this update:
- iax2enumerate which like sipenumerate, tries to guess extensions present on the Asterisk box, and will inform you if the extension has any password set or not
- iax2cracker which given a known extension on the Asterisk box, will attempt to recover the password through an online bruteforce attack
- iax2autohack which finds out any Asterisk servers on the network, enumerates the extensions and launches a password cracking attack on each extension
The following demo shows iax2autohack in action:
For more information about VOIPPACK and our other offerings check out the products page.
Additionally we confirmed a few phones that are vulnerable to the SIP Digest Leak vulnerability (tools included in VOIPPACK) for the Cisco 7940, Grandstream, Fritzbox and more, thanks to Sjur and another unnamed entity ;-) Will be working on further research and releasing a paper after Troopers09 where Wendel G Henrique and I will be presenting our Web Application Firewall research and releasing new tools.
Watch twitter if you’re interested in what’s happening ;-)
Filed under: Site news | Leave a Comment
Tags: asterisk security, canvas, iax2 security, iax2autohack, sipautohack, voip security, voippack
One of the projects that we’ve been busy with is VOIPSCANNER.com. I am now pleased to announce that it is (semi-)public beta. During beta stage the service will be free but we shall be approving each application individually. Apply for a beta code now.
What is VOIPSCANNER.com?
VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.
Filed under: Site news | Leave a Comment
Tags: sipautohack, sipvicious, voipscanner
A paper is coming up on the subject because there’s been quite some buzz on this on Twitter and some VoIP security blogs. The VOIPSA post explains that this is available to CANVAS users. Check out the VOIPPACK page for more information. And Sjur’s blog attracted quite some attention with the title “Get the password from ANY SIP device?!?! It is fully possible!”.
Meanwhile, we’re having a tutorial rush over here – 2nd tutorial related to VoIP and VOIPPACK published here. By following the steps outlined in the document, you’ll be able to do the following:
- Understand how the SIP Digest Leak attack works
- Be able to get an IP Phone to ring
- Get the IP Phone to leak the challenge response
- Recover the password
Abstract:
The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows leakage of the Digest authentication response, which is computed from the password. An offline password attack is then possible and can recover most passwords based on the challenge response.
Oh and just in case you’re wondering .. nope this is not an April’s fool joke. This IETF document describes a similar issue. Hang on for the paper on the topic.
Filed under: Site news | Leave a Comment
Which means that if you are running OpenX, make sure to update to the latest version which was issued just now. The latest download can be found here.
We posted an advisory detailing some well hidden SQL injection vulnerabilities as well as XSS, the possibility of arbitrary file deletion and CRLF injection. Additionally, we made available a video (below) on your favorite video sharing site explaining how we were able to identify the flaws by making use of Acunetix Acusensor (not much skills involved there), analyze the flaws and eventually develop some code to exploit one of the blind SQL injection vulnerabilities. This exploit is not publicly available but interested organizations can contact info@enablesecurity.com for further details.
Filed under: Research, Site news | Leave a Comment
Tags: blind sql, openx, sql injection, sqli, web application security
