“The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers.”

The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.

Advisory: ES-20100601

Video demo: http://vimeo.com/12132622

FAQ

But doesn’t the attacker need to reach the administrator interface?

Nope – its the administrator’s authenticated web browser that disables the WAF due to the injected javascript. Therefore the attacker just needs to reach the website protected by the WAF.

This update includes

• two new tools called “bypassalwaysreject” and “sipopenrelay”
• DoS exploits for Asterisk PBX called “asteriskdiscomfort”, “asterisksscanfdos” and “iax2resourceexhaust”
• Generic DoS exploit “sipinviteflood”
• Optimizations for the SIP Digest leak tool “sipdigestleak” and the SIP digest cracker

What does “bypassalwaysreject” do?

Asterisk PBX had introduced a new option “alwaysauthreject” which disables traditional enumeration of extensions. This tool makes use of an undisclosed method of enumerating extensions which works on Asterisk as of at least Asterisk 1.6.2.1 (and possibly the latest version too).

What does “sipopenrelay” do?

This new tool tries to find misconfigured dialplans or ACLs by calling (sending INVITE messages) a specific phone number with different prefixes. This emulates current attack trends on the SIP front as described in various blog posts.The result would be free calls which indicate the possibility of toll fraud.

What about the new DoS tools?

Asterisk Discomfort exploits a DoS vulnerability that was fixed in AST-2009-010. The vulnerability lies in parsing of RTP comfort noise stream. The result is that Asterisk PBX crashes.

Asterisk SSCANF DoS exploits AST-2009-005 which has the result of crashing Asterisk PBX.

Invite Flood tool exploits a DoS found in various endpoints and PBX servers. It sends a large number of INVITE messages, initiating lots of calls and eventually causing either a crash or the application to hang.

IAX2 Resource exhaust is a DoS vulnerability that was fixed in AST-2009-006 and exploited a design flaw in the IAX2 protocol, in some ways similar to INVITE flood DoS. The result is that Asterisk starts taking too much resources, becoming unresponsive. Sometimes it crashes.

And the enhancements?

SIP Digest Leak tool and it’s sister Digest cracker have both been updated to support two new features.

1. Zerolen SDP option in SIP Digest Leak means that when some SIP endpoints pick up the call, they send a hangup immediately. This cuts the waiting time for the attacker and immediately gives him/her the challenge response.
2. Support for using John the Ripper as an external tool to crack Digest passwords. The jumbo patch needs to be applied to John the ripper – I’ll be posting on how to do this later on.

That is all for now, hope you enjoy the update. For more information about VOIPPACK take a look at the products page.

• SEC-T in Sweden where I presented on VoIP security and the Internet .. proof that there’s lots of VoIP devices being exposed on the ‘net, and the sharks are there to profit by abusing them
• Updated SIPVicious to support new features used for the SEC-T presentation
• BruCON VoIP Auditing Workshop, which will be held tomorrow and the next day .. attendees will get to build their own tools and demonstrate security issues in popular PBX servers and SIP phones (more details on sipvicious.org)
• Upcoming research in the following topics: Opensource PBX server security, SIP Digest leakage (some details here)
• VOIPSCANNER.com is another project that is being upgraded
• VOIPPACK updates, more details on this soon
• And in between there’s real work too :-)

• “Teh Internetz are pwned” by Scott McIntyre: all the internet threats and issues from the point of view of an Internet Service provider.. might be illuminating ;-)
• “Rootkits are awesome” by Mike Kemp, will be an update talk about his research into DLP (data loss prevention) and I hear that he’ll be picking on more products
• “Countering behavior based malware analysis” by Nomenumbra
• “Advanced MySQL Exploitation” by Muhaimin Dzulfakar, the author of MySqloit
• “Securing networks from an ISP perspective” by Bradley Freeman, seems to be along the lines of the talk by Scott McIntyre but from the point of view of a research & education network perspective, JANET

Then there’s the workshops (and beer) which appear to be worth visiting in between the talks. Busy times indeed, but if you’re around email me.

So head over to VOIPSCANNER.com and create an account!

Using this tool consists of the following steps:

1. Register an account and buy credit (or use the time limited promo ENABLESEC to get some for free)
2. Enter the IP address of your PBX server and scan away
3. Receive a report by email that shows the findings

How does it work really?
VoIPScanner.com is making use of the next generation of SIPVicious (2.0) in the background and right now it does the following automatically:

1. Checks if an IP PBX is listening on the given address
2. Does extension enumeration, just like svwar in SIPVicious
3. For each extension found it starts a password cracking attack
4. Generate a PDF report such as this one

Any feedback or affiliate requests, contact me.

Our presentation at OWASP Europe in Krakow on Web Application Firewall shortcomings was featured on Darkreading, and Wendel was quoted in the article. Other sites and blogs (such as Heise) also mentioned the presentation. Imperva’s (which happens to be a WAF vendor) blog had some comments about the presentation as well, and in this post I hope to answer some of the claims.

“What Wendel (TrustWave) and Sandro (EnabledSecurity) basically showed is that they can figure out if a WAF is deployed to protect a web application and two techniques that can allegedly “bypass” WAFs.”

Unfortunately we had a couple of technical issues that meant that our presentation did not start on time and some of the live demos could not be shown. We had just 30 minutes to present which was not enough. We did perform the demos the next day anyway to a number of people who had some interesting feedback (more on that later). Either way, we mentioned more than two techniques that can lead to a bypass in some of the Web Application Firewalls.

“The two speakers described WAFs basically as a combination of black lists and white lists while missing the entire point in WAFs that learn the web application interfaces and usage patterns using dynamic profiling mechanisms and express complex security rules through advanced correlation engines. Actually, WAFs were developed to overcome the disadvantages in purely signature based products like IDSs.”

I do not currently have access to Imperva’s SecureSphere, but aren’t “dynamic profiling and express complex security rules” there to automatically create whitelists? That is what the SecureSphere datasheet and the specifications page implies. If not, can you explain how this works (and also explain express complex security rules)?

Most WAFs by default support blacklist approach and on large complex sites the positive model is not easy to setup or maintain. Making use of learning features of various WAF products is definitely going to help, but does not solve issues such as maintenance. A good question is “what sort of traffic do you use to train your WAF”? A large number of WAFs are configured to make use of the blacklist approach most of the times, even though the positive / whitelist model is supported by the WAF product.

“Presenting the ability to detect WAFs deployed in front of a web application as a major security risk is just biased”

Detection of the WAF is not a major security issue within itself, but is just another step in the reconnaissance stage of an attack.

As for the feedback that we received at OWASP, many of the participants who had first hand experience with Web Application Firewalls agreed that positive model Web Application Firewalls are a pain to maintain. Everyone came to the conclusion that you  need dedicated personnel to maintain a large web application protected by a WAF. That is hardly something that the vendors want you to know.

I’ll also be presenting a session on VoIP scanning on the internet at CONFidence tomorrow. Most other presentations and research seems to focus on VoIP (in)security + layer 2 issues, such as sniffing clear text VoIP. In contrast to this, my session will be more focused on what attackers coming Internet (can) do to your SIP PBX and endpoints. The focus is on demonstrating using both live demos and recorded videos and destribing some interesting (rather new) attacks that apply to VoIP on the Internet.

Last week Bryan Miller from Syrinx Technologies interviewed me on Web Application Security and WAFs. You may listen to this podcast here where I gave my views on web application security and an introduction to the presentation for Troopers. If you would like to keep updated with this podcast, you may subscribe using the RSS feed.

• iax2enumerate which like sipenumerate, tries to guess extensions present on the Asterisk box, and will inform you if the extension has any password set or not
• iax2cracker which given a known extension on the Asterisk box, will attempt to recover the password through an online bruteforce attack
• iax2autohack which finds out any Asterisk servers on the network, enumerates the extensions and launches a password cracking attack on each extension

The following demo shows iax2autohack in action:

For more information about VOIPPACK and our other offerings check out the products page.

Additionally we confirmed a few phones that are vulnerable to the SIP Digest Leak vulnerability (tools included in VOIPPACK) for the Cisco 7940, Grandstream, Fritzbox and more, thanks to Sjur and another unnamed entity ;-) Will be working on further research and releasing a paper after Troopers09 where Wendel G Henrique and I will be presenting our Web Application Firewall research and releasing new tools.

Watch twitter if you’re interested in what’s happening ;-)

What is VOIPSCANNER.com?

VOIPSCANNER.COM makes scanning your public facing IP PBX for security holes easier than ever. No need for desktop applications or any software installation, just enter the IP address of your IP PBX and you will receive a report of what attackers out there might find about your IP PBX.