Auto provisioning sucks
Cal Leeming
cal.leeming@simplicitymedialtd.co.uk
Disclaimer
• I am a programmer, not a security expert
• This has been done using best practices for
responsible disclosure
• POC code will not be disclosed (but can be easily
written in 30~ mins)
how would you feel if..
• You found a vulnerability that allows malicious user to
extract user creds remotely with no authentication
• Your supplier was shipping you vuln devices by default
• Your provider did not fix the problem
• The vendor did not fix the problem entirely
• All your customers were affected
• You were liable for any resulting toll-fraud
• You had to explain this to your customers after
• This is the BS I had to deal with in June 2012
Companies affected
• Yealink
Disclosed June 2012, patched Aug 2012, problem still exists

• Snom (disclosed today)
Disclosed today

• ****.co.uk
Disclosed 2012, problem still exists

• *****.co.uk
Not disclosed

• Many, many others
including those with QSA accreditation from ITSPA
Known attack vectors
• 1) Redirection service at root authority (what is it?)
http://www.888voip.com/rps-redirection-and-provisioning-service-by-yealink/

• 2) Redirection service at reseller
SIP providers, hw wholesalers

• 3) Any external facing provisioning system
HTTP, TFTP etc
Yealink
• V71 firmware
– RPS not enabled by default
– AES encryption optional for V71
– Still vuln if provider does not implement properly

• V70 firmware
– RPS enabled by default
– No AES encryption required
– Legacy services have not been disabled due to this
Yealink
• V71 fw cut using binwalk and yaffs2utils
• V70 fw cut using binwalk and unsquashfs
$ cat ./factory/Setting/autop.cfg
[ autoprovision ]
server_address = ?http://prov.yealink.co.uk/1/ap/
$ grep -R "server_address" .
./factory/Setting/autop_code.cfg:server_address = ?http://prov.yealink.co.uk/1/ap
./factory/Setting/autop_code.cfg:server_address = ?http://yealink.********
$ curl http://prov.yealink.co.uk/1/ap/0015651738ba.cfg
[ autoprovision ]
***
Jun 29 15:41:01 ap: http_client.c(712): UserAgent is yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f
Jun 29 15:41:01 ap: http_client.c(1292): query header: GET /tftp/00112233445f.cfg
HTTP/1.0^M Host: 1.2.3.4^M User-Agent: yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f^M
Accept: */*^M Connection: Keep-Alive^M ^M
Yealink
• MAC range: 001565 XIAMEN YEALINK
• 16^3 (16,581,375 MACs).
• Single threaded, single IP scan, 30 reqs/sec
• Can easily write a scanner in ~30 mins

[2013-10-22 12:56:32,463] [scan-yealink-rps.py:131] HIT 001565****** - endpoint is http://*************/***/001565******.cfg
[2013-10-22 12:56:32,627] [scan-yealink-rps.py:119] MISS on 001565******
[2013-10-22 12:56:32,792] [scan-yealink-rps.py:119] MISS on 001565******
Snom
• FW cut using binwalk and jffs
- http://www.kutukupret.com/2010/09/16/mounting-a-jffs2-filesystem-in-linux/
- http://pauldotcom.com/wiki/index.php/Reverse_Engineering_Firmware_Primer
DEFAULTVALUE
http://provisioning.snom.com/snomXXX/snomXXX.php?mac={mac}
snomXXX = {snom300, snom320, snom360, snom370, snom710, snom720, snom760, snom820, snom820, snom870, snom m9}
python pnpserv.py -u http://url.of.the/settings.xml?mac={mac}
python pnpserv.py -u w/o argument defaults to
http://provisioning.snom.com/snom3x0/snom3x0.php?mac={mac}

http://provisioning.snom.com/snom300/snom300.php?mac=00041337C200
Snom
• Requires model number in MAC URL.
• This increases scan time right??
• NOPE.
http://wiki.snom.com/Settings/mac

• Could easily write a scanner in 30~ mins
SNIPPET:
Snom300 ---- 00041325XXXX, 00041328XXXX, 0004132DXXXX, 0004132FXXXX, 00041334XXXX, 0004133687F000041336FFFF, 00041337XXXX, 0004133BXXXX, 00041350XXXX
snom320 ---- 00041324XXXX, 00041327XXXX, 0004132CXXXX, 00041331XXXX, 00041335XXXX, 00041338XXXX, 00041351XXXX
[2013-10-22 14:47:50,047] [scan-snom-aps.py:22] Scanning MAC range 00-04-13-25-XX-XX to 00-04-13-25-XX-XX (total 7)
[2013-10-22 14:47:50,276] [scan-snom-aps.py:54] MISS on 00041325XXXX
[2013-10-22 14:47:50,276] [scan-snom-aps.py:66] HIT 00041325XXXX - endpoint is http://*******/**/***.php?mac=00041325XXXX
Generic auto prov servers
• Majority of auto prov servers do not have brute protection
• Majority of sys admins don’t check auto prov server logs
• Significant number of well known UK providers are vuln to this
• Lol 3cx

• Almost every handset is vulnerable to this (encryption is not
always enforced by default)
• Almost every provisioning server is vulnerable to this
• At least one big UK company is exposing thousands of details
because of this
Dirty tricks
• Scanner speed can be significantly increased using coroutines
• Request throughput can be increased using proxies from public lists
• Easily reach 1000 requests/sec using 200 lines of python code
• The majority of servers would crash and burn if URL is hitting
dynamic code (PHP) instead of plain text

• I have not implemented any of these, as this code is for proof of
concept, not a hit-and-run tool to be used maliciously
Immediate protections
(for non encrypted configs)
• Implement protections using L7 rules (nginx reverse proxy, ZXTM etc)
• Rate limit based on MAC+IP combo (default 10 MACs/IP/24h)
• Enforce user agent checks/validation (not 100%, but helps protect
against chancers)
• Track IPs which access provisioning info, check for fraud patterns
(access from different countries etc)
• Automatically block IP if any protections are triggered
• Remove/modify on a case-by-case basis
• This only slows down brute force attacks, it does NOT prevent
them, nor does it protect against targeted attacks
• Be smart
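As an added example (not code from the talk), here is a log-side version of two of the protections above, user-agent validation and the MAC+IP rate limit, replayed over constructed provisioning-server log lines; the line format, the IP addresses and all but one of the MACs are assumptions, and the User-Agent shape follows the http_client.c lines shown on the Yealink slide.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line shape assumed for this example (constructed, not a real server format):
#   2013-10-22T12:56:32 <client ip> GET <path> UA="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) GET (?P<path>\S+) UA="(?P<ua>[^"]*)"$'
)
# Yealink phones announce "yealink <model> <ip> <mac with colons>" (see the deck's
# http_client.c lines); the config they fetch is named <mac without colons>.cfg.
UA_RE = re.compile(r'^yealink \S+ \S+ ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$', re.I)
CFG_RE = re.compile(r'/([0-9a-f]{12})\.cfg$', re.I)


def mac_from_ua(ua):
    """MAC the phone claims in its User-Agent as 12 lowercase hex chars, or None."""
    m = UA_RE.match(ua)
    return m.group(1).replace(":", "").lower() if m else None


def mac_from_path(path):
    """MAC named by a per-device config fetch (/.../<mac>.cfg), or None otherwise."""
    m = CFG_RE.search(path)
    return m.group(1).lower() if m else None


def analyse(log_text, max_macs_per_ip=10, window=timedelta(hours=24)):
    """Replay log lines and apply two of the slide's protections: the UA must look
    like a Yealink phone and name the same MAC as the config it fetches, and one IP
    may fetch at most max_macs_per_ip distinct MACs per window (slide default: 10/24h).
    Returns (blocked_ips, findings); findings is a list of (ip, reason, path)."""
    first_seen = defaultdict(dict)   # ip -> {mac: time this IP first asked for it}
    blocked = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if ip in blocked:
            findings.append((ip, "already-blocked", path))
            continue
        path_mac = mac_from_path(path)
        if path_mac is None:
            continue                    # not a per-device config, nothing to check
        ua_mac = mac_from_ua(ua)
        if ua_mac is None:
            reason = "ua-invalid"       # curl, scripts, anything not a handset
        elif ua_mac != path_mac:
            reason = "ua-mac-mismatch"  # claims one MAC, asks for another's config
        else:
            macs = first_seen[ip]
            macs.setdefault(path_mac, ts)
            distinct = sum(1 for t in macs.values() if ts - t <= window)
            reason = "rate-limit" if distinct > max_macs_per_ip else None
        if reason is not None:
            findings.append((ip, reason, path))
            blocked.add(ip)             # slide: block the IP as soon as anything triggers
    return blocked, findings


def _line(ts, ip, mac, ua=None):
    """Build one constructed log line; ua defaults to a well-formed Yealink UA for mac."""
    if ua is None:
        colon = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
        ua = f"yealink SIP-T20P {ip} {colon}"
    return f'{ts} {ip} GET /tftp/{mac}.cfg UA="{ua}"'


def sample_log():
    """Constructed traffic: one real phone, one curl scanner, one phone with a
    mismatched UA, and one UA-spoofing scanner walking the 001565 (Yealink) OUI."""
    lines = [
        _line("2013-10-22T12:56:32", "203.0.113.10", "0015651738ba"),        # legitimate
        _line("2013-10-22T12:56:33", "198.51.100.7", "001565000001", ua="curl/7.26.0"),
        _line("2013-10-22T12:56:34", "203.0.113.11", "001565aaaaaa",
              ua="yealink SIP-T20P 203.0.113.11 00:15:65:bb:bb:bb"),        # mismatch
    ]
    # Spoofed UAs pass the UA check, so only the MAC+IP limit catches this one.
    for n in range(12):
        lines.append(_line(f"2013-10-22T12:57:{n:02d}", "198.51.100.8", f"001565{n:06x}"))
    return "\n".join(lines)


if __name__ == "__main__":
    blocked_ips, hits = analyse(sample_log())
    for hit in hits:
        print(*hit)
    print("blocked:", sorted(blocked_ips))
```

The UA check alone stops only the chancers; the spoofing scanner in the sample is caught purely by the distinct-MAC limit, which is why the slide pairs the two.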
Immediate protections
(for encrypted configs)
• Haven’t had chance to review these yet
• Snom/Yealink will be chiming in with their two cents on
protections
Out of the factory protection
• Vendors are struggling to make phones secure for auto
provisioning out of the factory; this relies on providers doing things
correctly.
• Could you not enforce request validation using a one-time-use
key generated from a unique string embedded into that
phone? (perhaps serial no?). This combined with encryption
gives two layers of security – still not perfect if the SN is leaked
• Got ideas? Share them! The only way this will change is if we all
do our bit to help
how you can help
• Many other vendors are vulnerable, I don’t have enough time
to check them all
• Got a phone that supports zero touch/auto prov? Give this a
try!
• Simple pcap/syslog analysis will usually give up secrets
• FW cutting only needed if you want to dig a bit deeper
• Most providers/vendors are not implementing encrypted
config by default
• Yealink have partially fixed by adding encrypted config (but it’s
not enforced!)
• Test as many different makes/firmware as possible!!!!
This is only the beginning
• Auto provisioning flaws are only the tip of
the iceberg
• Poke around, you will be shocked at what
you find
it's not all doom and gloom
• Discovered FS after becoming fed up with
incompetent providers
• Met some amazing people in this community
• Learnt a lot of new skills
• Cudatel isn't vulnerable since they ship
firmwares with RPS off by default
Acknowledgements
• William King aka quentusrex from CudaTel
Helped with finding ways to protect customers, much appreciated!

• Ken Rice aka SwK from FreeSWITCH
Assistance with broadcasting and arranging this conference, thank you!

• FreeSWITCH community
• Anyone whose URL I have linked to
• People who took time to write up on fw dissection, it saved me
literally days of work
Worried about this?
there are FreeSWITCH consultants who can help set up secure
remote provisioning

Reach out to
consulting@freeswitch.org
Hint doc names
A31008-M2212-R910-3-7643_en_Internat.pdf
A31008-M2212-R910-3-7643_en_Internat_2.pdf
A31008-M2212-R910-3-7643_en_Internat_3.pdf
A31008-M2212-R910-5-7643.pdf
Auto Provision Manual version 2.0.4.pdf
Auto Provision Manual version 2.0.4_2.pdf
Category_HowTo_XMLRPC Redirection - Snom User Wiki.pdf
Changelog-YUK-V60FW-03012012.pdf
SiemensC450IPConfiguration.pdf
Terms_and_Conditions_for_use_of_snom_redirection_services.pdf
uts.pdf
V70UpgradingManual-21540749528.pdf
Voip_einrichten_eng.pdf
Yealink Auto Provisioning User Guide.pdf
Yealink SIP Phone Release Note of Version 71.pdf
YealinkConfigurationConversionToolUserGuide-21535047441.pdf
YealinkRedirectionandProvisioningService(RPS)UserManualV10ENG-04371557705.pdf
YealinkXMLAPIforRPS-V1.3-ENG (2).pdf
YealinkXMLAPIforRPS-V1.3-ENG.pdf

More Related Content

What's hot

Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
CanSecWest
 

What's hot (19)

Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Give Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made EasyGive Me Three Things: Anti-Virus Bypass Made Easy
Give Me Three Things: Anti-Virus Bypass Made Easy
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 

Viewers also liked

Pressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de SaguntPressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de Sagunt
Compromís per Sagunt
 
Convocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacarConvocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacar
elarcoestandar
 
Presentacion Door09
Presentacion Door09Presentacion Door09
Presentacion Door09
maxife
 
Centaures
CentauresCentaures
Siemens Team Building Testimonial
Siemens Team Building TestimonialSiemens Team Building Testimonial
Siemens Team Building Testimonial
Scott Watson
 

Viewers also liked (20)

Open Design in a changing design practice
Open Design in a changing design practiceOpen Design in a changing design practice
Open Design in a changing design practice
 
Dim geschäftsfeld marktforschung_april2012
Dim geschäftsfeld marktforschung_april2012Dim geschäftsfeld marktforschung_april2012
Dim geschäftsfeld marktforschung_april2012
 
Main Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt CoatneyMain Street, Meet Mr Watson - Matt Coatney
Main Street, Meet Mr Watson - Matt Coatney
 
Desnutricion y malnutricion en españa
Desnutricion y malnutricion en españaDesnutricion y malnutricion en españa
Desnutricion y malnutricion en españa
 
4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus Ecològic4A Sessió de Sector Arquitectura: El Plus Ecològic
4A Sessió de Sector Arquitectura: El Plus Ecològic
 
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
Social Media im Longtail Business I Dirk Ploss, CMO, Lecturio, auf dem 4. Soc...
 
Soluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecuritySoluciones de seguridad informatica abaddon pos iicybersecurity
Soluciones de seguridad informatica abaddon pos iicybersecurity
 
Indulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol FinalIndulgence 2010 Gourmet Tasting For Charity Official Proposol Final
Indulgence 2010 Gourmet Tasting For Charity Official Proposol Final
 
Brochure A5 Sept2010
Brochure A5 Sept2010Brochure A5 Sept2010
Brochure A5 Sept2010
 
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
150925 unesco iclc_bertelsmann-stiftung_noack_how-can-educational-monitoring-...
 
Pressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de SaguntPressupostos 2013 - Ajuntament de Sagunt
Pressupostos 2013 - Ajuntament de Sagunt
 
Convocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacarConvocatoria%203 d%20alfacar
Convocatoria%203 d%20alfacar
 
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail JaffarAlhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
Alhuda CIBE - Islamic Finance & Investment Symposium by Sohail Jaffar
 
Presentacion Door09
Presentacion Door09Presentacion Door09
Presentacion Door09
 
Centaures
CentauresCentaures
Centaures
 
Lettre de motivation
Lettre de motivationLettre de motivation
Lettre de motivation
 
Siemens Team Building Testimonial
Siemens Team Building TestimonialSiemens Team Building Testimonial
Siemens Team Building Testimonial
 
Linking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological SystemsLinking thoughts to flows Integrated modeling of Social Ecological Systems
Linking thoughts to flows Integrated modeling of Social Ecological Systems
 
Carta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García BadilloCarta al papa Francisco- Rubén García Badillo
Carta al papa Francisco- Rubén García Badillo
 
Cadena de-frio minsal
Cadena de-frio minsalCadena de-frio minsal
Cadena de-frio minsal
 

Similar to RPS/APS vulnerability in snom/yealink and others - slides

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
North Texas Chapter of the ISSA
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
CODE BLUE
 

Similar to RPS/APS vulnerability in snom/yealink and others - slides (20)

Provisioning Q and A
Provisioning Q and AProvisioning Q and A
Provisioning Q and A
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
 
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin DunnNetworking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
[CB16] BLE authentication design challenges on smartphone controlled IoT devi...
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...Life as an enterprise security geek from underground. (What enterprises want ...
Life as an enterprise security geek from underground. (What enterprises want ...
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

RPS/APS vulnerability in snom/yealink and others - slides

  • 1. Auto provisioning sucks Cal Leeming cal.leeming@simplicitymedialtd.co.uk
  • 2. Disclaimer • I am a programmer, not a security expert • This has been done using best practises for responsible disclosure • POC code will not be disclosed (but can be easily written in 30~ mins)
  • 3. how would you feel if.. • You found a vulnerability that allows malicious user to extract user creds remotely with no authentication • Your supplier was shipping you vuln devices by default • Your provider did not fix the problem • The vendor did not fix the problem entirely • All your customers were affected • You were liable for any resulting toll-fraud • You had to explain this to your customers after • This is the BS I had to deal with in June 2012
  • 4. Companies affected • Yealink Disclosed June 2012, patched Aug 2012, problem still exists • Snom (disclosed today) Disclosed today • ****.co.uk Disclosed 2012, problem still exists • *****.co.uk Not disclosed • Many, many others including those with QSA accreditation from ITSPA
  • 5. Known attack vectors • 1) Redirection service at root authority (what is it?) http://www.888voip.com/rps-redirection-and-provisioning-service-by-yealink/ • 2) Redirection service at reseller SIP providers, hw wholesalers • 3) Any external facing provisioning system HTTP, TFTP etc
  • 6. Yealink • V71 firmware – RPS not enabled by default – aes encryption optional for v71 – Still vuln if provider does not implement properly • V70 firmware – RPS enabled by default – No AES encryption required – Legacy services have not been disabled due to this
  • 7. Yealink • V71 fw cut using binwalk and yaffs2utils • V70 fw cut using binwalk and unsquashfs $ cat ./factory/Setting/autop.cfg [ autoprovision ] server_address = ?http://prov.yealink.co.uk/1/ap/ $ grep -R "server_address" . ./factory/Setting/autop_code.cfg:server_address = ?http://prov.yealink.co.uk/1/ap ./factory/Setting/autop_code.cfg:server_address = ?http://yealink.******** $ curl http://prov.yealink.co.uk/1/ap/0015651738ba.cfg [ autoprovision ] *** Jun 29 15:41:01 ap: http_client.c(712): UserAgent is yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f Jun 29 15:41:01 ap: http_client.c(1292): query header: GET /tftp/00112233445f.cfg HTTP/1.0^M Host: 1.2.3.4^M User-Agent: yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f^M Accept: */*^M Connection: Keep-Alive^M ^M
Yealink
• MAC range: 001565 XIAMEN YEALINK
• 16^3 (16,581,375 MACs).
• Single threaded, single IP scan, 30 reqs/sec
• Can easily write a scanner in ~30 mins
[2013-10-22 12:56:32,463] [scan-yealink-rps.py:131] HIT 001565****** - endpoint is http://*************/***/001565******.cfg
[2013-10-22 12:56:32,627] [scan-yealink-rps.py:119] MISS on 001565******
[2013-10-22 12:56:32,792] [scan-yealink-rps.py:119] MISS on 001565******
Snom
• FW cut using binwalk and jffs
– http://www.kutukupret.com/2010/09/16/mounting-a-jffs2-filesystem-in-linux/
– http://pauldotcom.com/wiki/index.php/Reverse_Engineering_Firmware_Primer
DEFAULTVALUE http://provisioning.snom.com/snomXXX/snomXXX.php?mac={mac}
snomXXX = {snom300, snom320, snom360, snom370, snom710, snom720, snom760, snom820, snom820, snom870, snom m9}
python pnpserv.py -u http://url.of.the/settings.xml?mac={mac}
python pnpserv.py -u w/o argument defaults to http://provisioning.snom.com/snom3x0/snom3x0.php?mac={mac}
http://provisioning.snom.com/snom300/snom300.php?mac=00041337C200
Snom
• Requires model number in MAC URL.
• This increases scan time right??
• NOPE. http://wiki.snom.com/Settings/mac
• Could easily write a scanner in 30~ mins
SNIPPET:
Snom300
----
00041325XXXX, 00041328XXXX, 0004132DXXXX, 0004132FXXXX, 00041334XXXX, 0004133687F000041336FFFF, 00041337XXXX, 0004133BXXXX, 00041350XXXX
snom320
----
00041324XXXX, 00041327XXXX, 0004132CXXXX, 00041331XXXX, 00041335XXXX, 00041338XXXX, 00041351XXXX
[2013-10-22 14:47:50,047] [scan-snom-aps.py:22] Scanning MAC range 00-04-13-25-XX-XX to 00-04-13-25-XX-XX (total 7)
[2013-10-22 14:47:50,276] [scan-snom-aps.py:54] MISS on 00041325XXXX
[2013-10-22 14:47:50,276] [scan-snom-aps.py:66] HIT 00041325XXXX - endpoint is http://*******/**/***.php?mac=00041325XXXX
Generic auto prov servers
• Majority of auto prov servers do not have brute protection
• Majority of sys admins don't check auto prov server logs
• Significant number of well known UK providers are vuln to this
• Lol 3cx
• Almost every handset is vulnerable to this (encryption is not always enforced by default)
• Almost every provisioning server is vulnerable to this
• At least one big UK company is exposing thousands of details because of this
Dirty tricks
• Scanner speed can be significantly increased using coroutines
• Request throughput can be increased using proxies from public lists
• Easily reach 1000 requests/sec using 200 lines of python code
• The majority of servers would crash and burn if URL is hitting dynamic code (PHP) instead of plain text
• I have not implemented any of these, as this code is for proof of concept, not a hit-and-run tool to be used maliciously
Immediate protections (for non encrypted configs)
• Implement protections using L7 rules (nginx reverse proxy, ZXTM etc)
• Rate limit based on MAC+IP combo (default 10 MACs/IP/24h)
• Enforce user agent checks/validation (not 100%, but helps protect against chancers)
• Track IPs which access provisioning info, check for fraud patterns (access from different countries etc)
• Automatically block IP if any protections are triggered
• Remove/modify on a case-by-case basis
• This only slows down brute force attacks, it does NOT prevent them, nor does it protect against targeted attacks
• Be smart
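The two slides above say most admins never look at their auto-prov server logs and list the checks that should be running on them (distinct MACs per IP per 24h, user-agent validation, one MAC pulled from several addresses). The following is an added example of those checks as offline log analysis; it is not code from the talk or from any vendor. The access-log lines are constructed in nginx combined-log style, the expected agent prefix `yealink SIP-T` is taken from the log excerpt earlier in the deck, and the `/tftp/<mac>.cfg` path layout, the sample addresses and the MACs are assumptions.

```python
"""Spot MAC enumeration and config theft in a provisioning server access log.

Added example (not from the talk). Sample log lines are constructed; the
path layout, addresses, MACs and the expected user-agent prefix are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PATH_MAC_RE = re.compile(r'/([0-9a-fA-F]{12})\.cfg$')          # /tftp/<mac>.cfg
UA_MAC_RE = re.compile(r'((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$')
VENDOR_UA_RE = re.compile(r'^yealink SIP-T\d+')                # assumed legitimate agent


def parse_line(line):
    """Return (ip, ts, mac_in_path, mac_in_ua, ua) for a config fetch, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pm = PATH_MAC_RE.search(m["path"])
    if not pm:
        return None                      # not a config fetch, ignore
    um = UA_MAC_RE.search(m["ua"])
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ua_mac = um.group(1).replace(":", "").lower() if um else None
    return m["ip"], ts, pm.group(1).lower(), ua_mac, m["ua"]


def max_distinct_in_window(events, window):
    """events: sorted (ts, mac) pairs. Largest number of distinct MACs in any window."""
    best, start, counts = 0, 0, defaultdict(int)
    for ts, mac in events:
        counts[mac] += 1
        while events[start][0] < ts - window:      # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def analyze(log_text, max_macs_per_ip=10, window=timedelta(hours=24)):
    """Return ({ip: [reasons to block]}, {MACs fetched from more than one IP})."""
    per_ip, ua_bad, ips_per_mac = defaultdict(list), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, mac, ua_mac, ua = rec
        per_ip[ip].append((ts, mac))               # misses (404s) count too
        ips_per_mac[mac].add(ip)
        if not VENDOR_UA_RE.match(ua):
            ua_bad[ip].add("unexpected user agent")
        elif ua_mac != mac:
            ua_bad[ip].add("user agent MAC does not match requested config")
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        reasons = set(ua_bad.get(ip, ()))
        n = max_distinct_in_window(events, window)
        if n > max_macs_per_ip:
            reasons.add(f"{n} distinct MACs within {window.total_seconds() / 3600:g}h")
        if reasons:
            findings[ip] = sorted(reasons)
    shared_macs = {mac for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return findings, shared_macs


# --- constructed sample log: one real handset, one scanner, one config thief ---
def _line(ip, when, mac, status, ua):
    return f'{ip} - - [{when} +0000] "GET /tftp/{mac}.cfg HTTP/1.0" {status} 812 "-" "{ua}"'


def _phone_ua(mac):
    return "yealink SIP-T20P 1.2.3.4 " + ":".join(mac[i:i + 2] for i in range(0, 12, 2))


SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "22/Oct/2013:12:00:00", "001565aabbcc", 200, _phone_ua("001565aabbcc")),
     _line("10.0.0.5", "22/Oct/2013:18:00:00", "001565aabbcc", 200, _phone_ua("001565aabbcc")),
     # same handset's config pulled from a second address with a matching agent string
     _line("198.51.100.7", "22/Oct/2013:19:30:00", "001565aabbcc", 200, _phone_ua("001565aabbcc"))]
    # a burst walking the vendor OUI: mostly 404 misses, one 200 hit
    + [_line("203.0.113.9", f"22/Oct/2013:12:56:{i:02d}", f"001565{i:06x}",
             200 if i == 0 else 404, "curl/7.30.0") for i in range(12)])

if __name__ == "__main__":
    found, shared = analyze(SAMPLE_LOG)
    for ip, reasons in found.items():
        print(f"block {ip}: {'; '.join(reasons)}")
    for mac in sorted(shared):
        print(f"review {mac}: config fetched from several addresses")
```

The scanner is caught twice over (wrong agent and far more than 10 MACs in the window) even though eleven of its twelve requests were misses, which is why the 404s must be logged and counted. The third address is not blocked by either rule: it presents a plausible agent and asks for one MAC, so only the per-MAC view catches it, and that finding goes to a human, matching the "remove/modify on a case-by-case basis" point.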
Immediate protections (for encrypted configs)
• Haven't had chance to review these yet
• Snom/Yealink will be chiming in with their two cents on protections
Out of the factory protection
• Vendors are struggling to make phones secure to auto provisioning out of the factory, relies on providers doing things correctly.
• Could you not enforce request validation using a one-time-use key generated from a unique string embedded into that phone? (perhaps serial no?). This combined with encryption gives two layers of security – still not perfect if the SN is leaked
• Got ideas? Share them! The only way this will change is if we all do our bit to help
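To make the question on this slide concrete, here is an added sketch of the one-time-key idea; it is not the speaker's design and not any vendor's implementation. It assumes each handset holds a per-device secret derived from its serial number at manufacture, that the provider's server holds the same MAC-to-secret mapping, and that the phone can do a challenge/response before the config is released. The serial, MAC and config payload are constructed placeholders.

```python
"""One-time-use proof of device identity in front of a MAC-keyed config fetch.

Added example of the idea floated on the slide; not from the talk or a vendor.
Assumes a per-device secret derived from the serial number, known to both sides.
"""
import hashlib
import hmac
import secrets

# Constructed inventory: MAC -> serial-derived secret (placeholder serial).
DEVICE_SECRETS = {
    "001565aabbcc": hashlib.sha256(b"serial:SN-EXAMPLE-0001").digest(),
}


def device_proof(secret, mac, nonce):
    """What the handset sends back: HMAC over its MAC and the server's nonce."""
    return hmac.new(secret, f"{mac}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ProvisioningServer:
    def __init__(self, device_secrets):
        self._secrets = device_secrets
        self._pending = {}            # mac -> outstanding nonce, one at a time

    def issue_challenge(self, mac):
        """Step 1: a fresh nonce per request; unknown MACs get nothing back."""
        if mac not in self._secrets:
            return None
        nonce = secrets.token_hex(16)
        self._pending[mac] = nonce
        return nonce

    def fetch_config(self, mac, nonce, proof):
        """Step 2: release config only for a valid, never-before-used proof."""
        expected_nonce = self._pending.pop(mac, None)   # consumed on any attempt
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return None
        expected = device_proof(self._secrets[mac], mac, nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        return f"[ account ]\nuser = phone-{mac}\n"       # placeholder payload


def demo():
    """Exercise the happy path, a replay, a wrong secret and an unknown MAC."""
    server = ProvisioningServer(DEVICE_SECRETS)
    mac = "001565aabbcc"
    nonce = server.issue_challenge(mac)
    proof = device_proof(DEVICE_SECRETS[mac], mac, nonce)
    first = server.fetch_config(mac, nonce, proof)        # legitimate phone
    replay = server.fetch_config(mac, nonce, proof)       # same proof again
    nonce2 = server.issue_challenge(mac)
    bad = server.fetch_config(mac, nonce2, device_proof(b"wrong", mac, nonce2))
    unknown = server.issue_challenge("001565000000")      # MAC not in inventory
    return first is not None, replay is None, bad is None, unknown is None


if __name__ == "__main__":
    print(demo())
```

Knowing a MAC, or even capturing one proof off the wire, is no longer enough to pull the config, which removes the enumeration problem the earlier slides describe. The slide's own caveat still stands: whoever holds the serial-derived secret can answer the challenge, so the secret needs the same handling as the account credentials it protects, and transport encryption is the second layer, not an alternative.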
how you can help
• Many other vendors are vulnerable, I don't have enough time to check them all
• Got a phone that supports zero touch/auto prov? Give this a try!
• Simple pcap/syslog analysis will usually give up secrets
• FW cutting only needed if you want to dig a bit deeper
• Most providers/vendors are not implementing encrypted config by default
• Yealink have partially fixed by adding encrypted config (but it's not enforced!)
• Test as many different makes/firmware as possible!!!!
This is only the beginning
• Auto provisioning flaws are only the tip of the iceberg
• Poke around, you will be shocked at what you find
it's not all doom and gloom
• Discovered FS after becoming fed up with incompetent providers
• Met some amazing people in this community
• Learnt a lot of new skills
• Cudatel isn't vulnerable since they ship firmwares with RPS off by default
Acknowledgements
• William King aka quentusrex from CudaTel
Helped with finding ways to protect customers, much appreciated!
• Ken Rice aka SwK from FreeSWITCH
Assistance with broadcasting and arranging this conference, thank you!
• FreeSWITCH community
• Anyone whose URL I have linked to
• People who took time to write up on fw dissection, it saved me literally days of work
Worried about this?
there are freeswitch consultants who can help setup secure remote provisioning
Reach out to consulting@freeswitch.org
Hint doc names
A31008-M2212-R910-3-7643_en_Internat.pdf
A31008-M2212-R910-3-7643_en_Internat_2.pdf
A31008-M2212-R910-3-7643_en_Internat_3.pdf
A31008-M2212-R910-5-7643.pdf
Auto Provision Manual version 2.0.4.pdf
Auto Provision Manual version 2.0.4_2.pdf
Category_HowTo_XMLRPC Redirection - Snom User Wiki.pdf
Changelog-YUK-V60FW-03012012.pdf
SiemensC450IPConfiguration.pdf
Terms_and_Conditions_for_use_of_snom_redirection_services.pdf
uts.pdf
V70UpgradingManual-21540749528.pdf
Voip_einrichten_eng.pdf
Yealink Auto Provisioning User Guide.pdf
Yealink SIP Phone Release Note of Version 71.pdf
YealinkConfigurationConversionToolUserGuide-21535047441.pdf
YealinkRedirectionandProvisioningService(RPS)UserManualV10ENG-04371557705.pdf
YealinkXMLAPIforRPS-V1.3-ENG (2).pdf
YealinkXMLAPIforRPS-V1.3-ENG.pdf