OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=> : -`- -`- OoO=o=oOO=o=O=> ; _|_--oOO--(_)--OOo--_|_ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> | ¡ K-1ine Zine ! | OoO=o=oOO=o=O=> ! issue 9, volume 4 ¡ OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ---------O^O---- OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ;. |__|__| OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> || || OoO=o=oOO=o=O=OoO=o=oOO=o=O=OoO=o=oOO=o=O=> ooO Ooo OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=oOO=o=O=> OoO=o=oOO=o=O=OoO=o=oOO=o=O= OoO=o=oOO=o=O=OoO=o=> ¡ November 2000 ¡ "Controlled Developments" _____________________________________________________________________________ [Words from the Editor] | | | *: [-] Introduction .......................................... The Clone :* *: (-) Contact Information ................................... The Clone :* ____________________________________________________________________________ [Docs] | | | *: (x) 'Common security problems with the UBB'................ Term :* *: (x) 'RIM; Research In Motion' ............................. Magma :* *: (x) 'Security Team #4' .................................... Miklos :* *: (x) 'Security For Private Branch Exchange Systems' ........ Richard Kuhn :* *: (x) 'Millennium Payphone - Power Out Exploit' ............. PsychoSpy :* *: (x) 'Telus Call Director; Unsupervised Line Exploit' ...... The Clone :* ______________________________________________________________________________ [Conclusion] | | | *: [-] Credits ............................................... The Clone :* *: [-] Shouts ................................................ The Clone :* _______________________________________________________________________________ -- Introduction You are now reading K-1ine issue 9 (volume 4) because you are either a regular reader or a curious newcomer... whatever your reason is is irrelevant. This month's issue is of course packed with only the newest hacking and phreaking information available from Hack Canada and Nettwerked, making for an interesting and mind advancing read for all who wish to lay their eyes on my zine. Did you write something that you feel would be perfectly situated on K-1ine? If so, send in your text (.txt) article via e-mail and I'll be sure to review it and let you know if it's been accepted. Enjoy the issue! - -- Contact Information Contact Information; Comments/Questions/Submissions: theclone@haxordogs.net On IRC: haxordogs.net, #cpu (key required) and #haxordogs Shoot me an ICQ message: (UIN) 79198218 Check out my site: (Nettwerked) http://www.nettwerked.net - Common security problems with the Ultimate Bulletin Board Term - termREMOVETHIS@boxnet.dhs.org Boxnet Research Labs http://boxnet.dhs.org The methods and problems described in this paper were found and applied to the Ultimate Bulletin Board, but could be applied to other bulletin boards with similar problems. Issue 1: The Ultimate Bulletin Board creates it's data files and member files, world writable, and also insures that they are world writable by changing the permissions to world writable each time the files are edited. On multi-user servers, this is of course a bad idea, and allows multiple entry points for an attack. Either to directly edit the settings files, or to view the member files, retrieve the password of a user with administrational access and edit the settings through the actual web interface used to properly administrate the UBB. Even if ftp access is chroot'd, if the attack had webspace that allowed cgi programs to be run, the attack could still craft a cgi script in their own directory to obtain a password from the members directory. Fix: If you do not have root on the machine that your UBB is hosted on, you could ask the administrators of the hosting machine to do some of the things requiring root access. Make sure that the files that are set world writeable are owned by the group that the webserver runs under. Some of these files are: (In the UBB cgi directory) Styles.file UltBB.setup forums.cgi mods.file Every cgi file in the Members directory (in the ubb cgi directory) Next, you need to edit the executable cgi files, in the ubb cgi directory so that they do not set data files 777 or 666, but instead set them 770 or 660. This can be done by simply using grep to find the files that set the data files 777 and 666, and then editing them using a text editor that has a find and replace function. Issue 2: When at the Ultimate Bulletin Boards control panel (usually cp.html in the non cgi directory) and a wrong password is entered, the wrong password attempt is not logged. A simple brute force utility for cracking other sites (such as hotmail) could easily be modified to brute force the password to an administrative account. Fix: These are just my suggestions, I'm sure alot of other solutions could be implmented. Log all login attempts (successful or not) to the control panel, and prevent more than 3 bad logins at a time, ie. 3 bad login attempts would prevent another login attempt from the same ip for 5 minutes. (Preventing a specific ip from logging in for another 5 minutes prevents someone purposely sending bad login attempts to the control panel and preventing actual administrators from logging in.) Note: these would require modification to the UBB's code. A simple fix, without modifying the code would be to have a nice long password, using letters and numbers. - I lub j00 I lub joo too - [What is RIM?] RIM is Research In Motion, based out of Waterloo Ontario, just meters from the University of Waterloo they have become the world leader in wireless handheld devices. Their products have all the wonders of a Palm but along with that there is instant email. As their slogan goes; Always on, Always Connected. Basicly it's an interactive pager, the following is a look behind the scenes - how it works. The BlackBerry Handheld unit includes: · Powerful e-mail, calendar, address book and task list applications · 32-bit Intel 386 processor with 2 MB flash memory plus 304 KB RAM · Integrated RIM wireless modem · Optimized keyboard and display · Thumb-operated trackwheel (operates similar to a PC mouse) · Docking cradle (included) · Selectable alerts: vibrate, tone, silent · Search functionality · Auto text · Clock, alarm, auto on/off, radio on/off · Intuitive menu-driven interface · Password protection [Mobitex Technology] The Mobitex network technology was developed in the early 1980's by the Swedish telecommunication R&D company, Eritel, as Sweden's National Voice and Data wireless network. Designed to provide a secure, reliable, and cost effective way to use the limited resource of radio frequencies for data communication , it was fully operational in Sweden by 1987. In recent years, Ericsson has continued to advance the Mobitex standard and has introduced a continuously improving network infrastructure. Today, Mobitex is available through network operators in countries around the world. Mobitex is a secure, reliable, two-way digital wireless packet switching network ideal for a variety of data communication applications. This network has the capacity to handle large amounts of data traffic. The radio spectrum is a scarce resource. Therefore it is essential that the system makes optimal use of the allocated frequency. Mobitex uses packet switching to deliver an 8 kbp/s bit rate over a single 12.5 kHz channel, meaning that an end-user can send an email and get a reply in just a few seconds. In the system, switching intelligence is present at all levels of the network creating minimum overhead. Even base stations are capable of routing traffic within their coverage area, thus eliminating unnecessary traffic at higher network levels. There is an open attitude, allowing equipment manufacturers to develop inter-operable products which adhere to standard protocols. The network provides automatic error detection and correction to ensure the data integrity. It is a complete mobile data network based on digital cellular technology. Like a mobile telephone system, coverage in Mobitex is provided by overlapping radio cells. Unlike other cellular systems, however, Mobitex is a dedicated data network that uses packet switching for maximum efficiency. This means that the network is always and instantly accessible and that the customer is billed for the number of packets transmitted, not connection time. Mobitex is an international standard for two-way wireless packet switched data communication, currently operational in countries around the world. [Mobitex Access Number] To connect to a Mobitex network, all radio modems and fixed terminals (FSTs), such as hosts and gateways, must have an active Mobitex Access Number (MAN). A MAN is assigned to every user subscribing to the Mobitex network; it is analogous to a phone number on a telephone network. The MAN for a mobile user is stored in the mobile's radio modem, just as a telephone number is stored inside a cellular phone. Every network has a different range of MANs. For example, in the US, MAN numbers are in the 15,000,000 to 16,999,999 range; in Canada, the MANs are in the 5,000,000 to 5,999,999 range. [Mobitex Protocols] MCP/1 MCP/1 (for Mobitex Compression Protocol 1) is a set of optional compression protocols used by the radio modem to enhance throughput and reduce network costs. MTP/1 MTP/1 (for Mobitex Transport Protocol 1) is a tested and standardized transport protocol that ensures packets are transmitted over Mobitex in order, and without loss. It is authorized by the Mobitex Operator's Association, and is publicly available for implementation. MPAK Data to be transmitted over Mobitex is broken up into MPAKs (for Mobitex Packet). Packets of data are assembled and transmitted with leading information as to the sender, addressee, and the type of data. The header contains this initial data. The body contains the application data to be sent or received. The maximum size of any packet is 512 bytes. To improve speed and reduce the cost of communication, the radio modem may compress the packet data before transmission. Applications can also provide a means of reducing packet charges by attempting to maximize the amount of data placed in each packet. [Circuit-Switched] Analogous to land-based telephone systems or dial-up Internet connections, circuit-switched communications require the establishment of a dedicated connection to be made between two parties prior to any data transfer. Once this connection has been made, the circuit (or frequency in the case of wireless communication) is tied up for the duration of the session. Circuit-switched communication is ideal for large data transfer, since users typically pay for the connection time. [Packet-Switched] Analogous to land-based Ethernet connections, a packet-switched wireless network involves the sharing of a single frequency between many users. Only one user may transmit or receive at any one given instant. Since only small packets of data are typically being transmitted however, this scheme is ideal for many applications, this is what the Blackberry uses. Unlike circuit-switched systems, the packet-switched technique also allows all devices on the network to remain continuously connected, making instantaneous access and two-way paging possible. [BRU3 Networks] Many companies are taking the Blackberry into thework place, such areas like warehouses and shipyards have an incredible amount of area, the Blackberry provides them with the service they need - the BRU3 is how it's done The Base Radio Unit, BRU3, is a new single channel mini base station for Mobitex networks. BRU3 brings base radio stations to a new technical turning point, due to size, environmental functionality and simplicity of service. Prime characteristics of the BRU3: o Supported outdoor and indoor installation o Small size and low weight o Designed for high performance even under severe weather conditions o Simple installation o Integrated site-specific functions such as line modem and battery backup o Mountable directly on antenna mast for minimal feeder loss o High receiver sensitivity allows balanced link-budget for low power mobiles o Built-in functions for automatic supervision of the base radio station When planning system coverage of portable radio modems (low power) in a Mobitex system, the BRU3 is the natural choice. The operator will achieve cost-effective indoor coverage within dedicated areas as well as low-cost coverage for initial service. The BRU3 is also very well suited to achieve temporary coverage demands for new traffic situations such as at trade shows, sport events etc. Functionality As a Mobitex base station, the BRU3 is able to handle a large number of terminals and provides a wide range of functionality. The BRU3 is equipped with one full duplex radio channel. Service, Maintenance and Installation The BRU3 has been designed to minimize on-site maintenance. The base radio unit will support at least one year of operation without on-site visits for maintenance purposes. BRU3 can be installed close to the radio antenna in a tower, on a pole or attached directly to a wall. New software may be loaded either via the network without service interruption or on-site from a portable PC. Environmental requirements For normal use, the BRU3 operates in a temperature range of -33°C up to +55°C and a relative air humidity within the range of 10% to 100%. The BRU3 Base Radio Unit is designed to operate in extreme indoor and outdoor conditions. Capacity that not even flat-rate pricing will overload Mobitex is designed for demanding users who use the network services extensively. A capacity of more than 1,500 users per base station ensures that there will be no bottlenecks despite high utilization. In a Mobitex network, end-users can send an email in just a few seconds, transmit vehicle positions in less than two seconds, verify a credit card transaction in less than five [Security] Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Stealth, you simply type in the entire 192-bit (24 character) key rather than entering each of the three keys individually. The Triple DES DLL then breaks the user provided key into three subkeys, padding the keys if necessary so they are each 64 bits long. The procedure for encryption is exactly the same as regular DES, but it is repeated three times. Hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key. Plain Text | | DES Encryption <----- Key One | DES Encryption <----- Key Two | DES Encryption <----- Key Three | | Ciphertext Consequently, Triple DES runs three times slower than standard DES, but is much more secure if used properly. The procedure for decrypting something is the same as the procedure for encryption, except it is executed in reverse. Well, that's it for now - future updates of this file will come as more information is learned. - Magma@SunOS.com 11/08/00 Email - Magma@SunOS.com ICQ - 5652209 URL - www.haxordogs.net/ghu - FUCK YOU CLONER BONER! I CAN TAKE YOU! NOT SO TOUGH! NOT SO TOUGH! FUCKIN' 0WN YER ASS! - Saturday, October 22nd - Security Team #4 --------------------------------------------- On Friday night Magma paged me, so I gave him a call. Through our conversation Magma brought up that our local hospital was doing some re-construction for a future cancer center. He then asked if I want to go out and check it out. Naturally, I said "yes" and in a few hours we parked a bit off the hospital, and made our way to entrance of the construction site. The cancer center is located right beside the main hospital, and will be a seperate building. The previous building is being teared down a the moment, and is the building we want to check out. As we got closer, we saw to nurses on their break. There was a bench that we must have sat on for 15 minutes and we could still hear the nurses still taking (slackers ;). So, we decided to go back home and come back the next day. It's saturday night now, and we're back to where we started, the entrance. Magma and I had decided that it's best for one of us to explore, and the other keep watch on surroundings. We each have 2-way radios with good range (3 miles) so we managed to keep contact with those. I opted to be the explorer tonight, and walked on crushed cement blocks towards the building. I entered the building, and hit the stairs. After a few flights I was stopped with cement blocks that I was not ready to climb over top of, so I stayed on that floor, and entered the hallway. Each room on that floor was the same: Empty room with a pipe sticking out from the ceiling. When I reached the other end of the hall, I was completely blocked off by cement blocks. I radio'ed back to Magma, and told him I was coming back to see him because I forgot a flashlight. Sadly, when I said this Magma said he had to shut off, cause he spotted 2 security guards. They drove a white Cavalier that had "#4" painted on the door with brakes that made a chirping sound. The fencing that blocks off the construction has wired windows, that I was able to peek through to see what's going on. Magma has disappeared and the white security car is parked in front of the construction site. For some reason I decided to just leave the construction site. I climbed over the fence and walked towards Magmas car. The security guys watched this, and I thought "I don't care, as long as I can leave now". Of course, when I got to the car, there was no sign of Magma. I then returned to the construction site where a bench was located and sat there waiting for Magma. About 10 minutes later Magma comes back, and he told me that the security car is circling the hospital. Magma said we should probably leave, but I didn't want to leave yet. We talked for a bit, and concluded to go to the backside of the construction site away from security. The otherside to the hospital was pretty cool. A very poorly constructed chain-link fence with an opening of about a foot and a half from the ground was enough space for me to slide underneath. Magma walked up the street, and with the 2-way radio, told me when no cars were in sight. I got through the fence fine, and made my way back to the ruined building. I took a few cool pictures, and radio'ed Magma to see what was up. No response. Click, click, click, and then radio went dead! (Dead batteries.) At this point I was fed up, and decided to just go and wait for Magma at the car. I looked out the broken window of the ruined building and the security car was parked right in front of the fence where I entered. Immediately, I thought, I'll leave on the otherside. I started walking to the otherside and got close to an exit. I again took a look through the little windows on the fence, and saw a police car? Surely, they're not here for us I thought. However, I paniced anyway, and looked for another way out of this place. Nothing. The fencing was just too high for me to climb over. So, I took a bunch of skids (peices of wood) and used them as a stepping stool to get over the fence. Bad mistake. As I got one leg over the fence I looked out to see the security car coming right by me. I leaped off the fence, and sat there, hoping to hear the car drive by. The chirping sound of the car got closer until a point where it was constant. I heard the door of the car being opened, and then I just ran. I made it to the otherside of the construction site, scrambled under the fencing, and ran 2 blocks not looking back for a single second. In fact, I had tripped in the construction site on cement blocks (they were everywhere) so I knew the security guards heard me, and thought I was running for it. I ran 2 blocks, and made a left. I still lost contact with Magma, and so I made my way back to the hospital, and to Magma's car. As I walked back I hit a stop light. From out of nowhere, Magma's car stops at the light, and I just walked up to it, got in, and we took off. As we drove off, Magma told me that a police car was in fact circling the hospital, following him. We laughed having thought we somehow managed to get out of this place without even a talking to the security guards and/or police. Whew! - if i was homosexual clone i think i will be in love with you - SECURITY FOR PRIVATE BRANCH EXCHANGE SYSTEMS By Richard Kuhn Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Hacker attacks on computer networks are well known, but Private Branch Exchange (PBX) systems are also vulnerable. In one case, a hacker penetrated the Private Branch Exchange (PBX) system operated by a hospital in Escondido, California. For nearly two years, on various occasions, he blocked calls to and from the hospital, connected hospital operators to spurious numbers (including the county jail), and placed bogus emergency calls that appeared to be coming from inside the hospital. Unfortunately, the hospital's experience is not unique. Failure to secure a PBX system can result in exposing an organization to toll fraud, theft of proprietary, personal, and confidential information, loss of revenue, or legal entanglements. Depending on how the organization's network is configured and administered, information leading to intrusions of data networks may be compromised as well. A PBX is a sophisticated computer-based switch that can be thought of as ess- entially a small, in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. This bulletin introduces some of the vulnerabilities of PBX switches and describes some countermeasures that can be used to increase the security of your PBX. For a more detailed treatment of these issues, see NIST Special Publication (SP) 800-24, PBX Vulnerability Analysis (see http://csrc.nist.gov). INTRODUCTION Digital PBXs are widespread throughout government and industry, having replaced their analog predecessors. Today, even the most basic PBX systems have a wide range of capabilities that were previously available only in large-scale switches. These new features have opened up many new opportunities for an adversary to attempt to exploit the PBX, particularly by using the features for a purpose that was never intended. The threats to PBX telephone systems are many, depending on the goals of attackers. Threats include: - Theft of service – i.e., toll fraud, probably the most common of motives for attackers. - Disclosure of information - data disclosed without authorization, either by deliberate action or by accident. Examples include both eavesdropping on conversations and unauthorized access to routing and address data. - Data modification - data altered in some meaningful way by reordering, deleting, or modifying it. For example, an intruder may change billing information or modify system tables to gain additional services. - Unauthorized access - actions that permit an unauthorized user to gain access to system resources or privileges. - Denial of service - actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; time-dependent operations may be delayed. - Traffic analysis - a form of passive attack in which an intruder observes information about calls (although not necessarily the contents of the messages) and makes inferences, e.g., from the source and destination numbers or frequency and length of the messages. For example, an intruder observes a high volume of calls between a company's legal department and the Patent Office and concludes that a patent is being filed. PBX CHARACTERISTICS PBXs are sophisticated computer systems, and many of the threats and vulnerabilities associated with operating systems are shared by PBXs. There are two important ways, however, in which PBX security is different from conventional operating system security: - External access/control. Like larger telephone switches, PBXs typically require remote maintenance by the vendor. Instead of relying on local administrators to make operating system updates and patches, organizations normally have updates installed remotely by the switch manufacturer. This of course requires remote maintenance ports and access to the switch by a potentially large pool of outside parties. - Feature richness. The wide variety of features available on PBXs, particularly administrative features and conference functions, provides the possibility of unexpected attacks. An attacker may use a feature in a manner that was not intended by its designers. Features may also interact in unpredictable ways, even when implemented correctly, leading to system compromise even if each component of the system conforms to its security requirements and the system is operated and administrated correctly. MAINTENANCE Maintenance procedures are among the most commonly exploited functions in networked systems. The problem is even more acute with PBXs because PBX maintenance frequently requires the involvement of outside personnel. Ways in which an adversary could exploit vulnerabilities in maintenance features to gain unwanted access to the switch follow. Special Manufacturer's Features There may be features that the manufacturer will rely on in the event a customer's PBX becomes disabled to such a point that on-site maintenance personnel cannot resolve the problems. The manufacturer could instruct the maintenance personnel to configure and connect a modem to the maintenance port. The manufacturer may then be able to dial in and use certain special features to resolve the problems without sending a representative to the customer's location. The potential cost savings is a primary reason for adding such special features. A switch manufacturer would not want the special features to be well known because of their potential for misuse. These types of features may be accessible via login IDs and passwords held privately by the manufacturer. Some possible special features are listed below: - Database upload/download utility: Such a utility allows the manufacturer to download the database from a system that is malfunctioning and examine it at their location to try to determine the cause of the malfunction. It would also allow the manufacturer to upload a new database to a PBX in the event that the database became so corrupted that the system became inoperable. Compromise of such a utility could allow an adversary to download a system's database, insert a Trojan horse, or otherwise modify it to allow special features to be made available to the adversary, and upload the modified database back into the system. - Database examine/modify utility: Such a utility allows the manufacturer to remotely examine and modify a system's database to repair damage caused by incorrect configuration, design bugs, or tampering. This utility could also provide an adversary with the ability to modify the database to gain access to special features. - Software debugger/update utility: This type of utility gives the manufacturer the ability to remotely debug a malfunctioning system. It also allows the manufacturer to remotely update systems with bug fixes and software upgrades. Such a utility could grant an adversary the same abilities. This is perhaps the most dangerous vulnerability because access to the software would give an adversary virtually unlimited access to the PBX and its associated instruments. Dial-Back Modem Vulnerabilities Unattended remote access to a switch clearly represents a vulnerability. Many organizations have employed dial-back modems to control access to remote maintenance facilities. This access control method works by identifying the incoming call, disconnecting the circuit, and dialing the identified person or computer at a predetermined telephone number. Although helpful, this form of access control is weak because methods of defeating many dial-back modems are well known. Countermeasures - Ensure that remote maintenance access is normally blocked unless unattended access is required. Whenever possible, require some involvement of local personnel in opening remote maintenance ports. - Install two-factor (i.e., two different mechanisms) strrong authentication on remote maintenance ports. Smart card-based systems or one-time password tokens, in addition to conventional login/password functions, make it much more difficult for attackers to breach your system's security. - Keep maintenance terminals in a locked, restricted area. - Turn off maintenance features when not needed, if possible. ADMINISTRATIVE DATABASES Administrative databases represent "the keys to the kingdom" for a PBX. Among the most critical security tasks for PBX owners are administration of the PBX, the creation and modification of its user databases, and the operating software controlling the switch. Passwords Most PBXs grant administrative access to the system database through an Attendant Console or a generic dumb terminal. Username/password combinations are often used to protect the system from unwanted changes to the database. If remote access to the maintenance features is available, some form of password protection usually restricts it. There may be a single fixed maintenance account, multiple fixed maintenance accounts, or general user-defined maintenance accounts. The documentation provided with the PBX should state what type of maintenance access is available. Passwords may also be set to factory default values that can be changed by the user. Default values are typically published in the documentation provided with the PBX. If there are multiple maintenance accounts and maintenance personnel use only one, the others may remain at their published factory settings. Anyone who knew the factory default settings could then gain access to the switch. Physical Security Physical access to the PBX hardware grants access to the software, the configuration database, and all calls going in and out of the PBX. With access to the PBX, an adversary could exploit practically any conceivable vulnerability. The type of media on which the software and databases are stored is important to a PBX's physical security. If these are stored on ROM-type devices or on an internal hard disk, it is more difficult to gain access to them than if they are stored on floppy disks or CD-ROM. ROM devices are mounted on circuit boards and may be soldered rather than socketed, making removal and replacement difficult. Likewise, an internal hard disk is probably mounted internally and bolted to the chassis, making removal and replacement difficult. However, floppy disks are easily removable and replaceable. An adversary with access to the floppy disks could easily conceal a disk containing modified software/databases, gain access to the PBX, and replace the original disk with the modified disk. Similarly, CD-ROMs can be easily removed and replaced. Since equipment for creating CD-ROMs is readily available, an adversary may find it equally easy to copy and modify a CD-ROM-based system. If the PBX supports configuration and maintenance via a dumb terminal, the terminal may be located near the PBX. If the terminal is not at the same location as the PBX, the terminal port is still available and could be used by an adversary with a PC acting as a terminal. Some PBXs may be configured as a central system unit with peripheral units at remote locations. The remote peripheral units may also support configuration/maintenance via a dumb terminal and therefore have the same vulnerabilities as the system unit's terminal. Also, all calls routed through a particular peripheral unit are accessible to someone with physical access to the peripheral unit. Attendant Consoles may offer access to PBX maintenance and configuration software. Special features may also be available to Attendant Consoles such as Override, Forwarding, and Conferencing. If any of these features are available to the user of an Attendant Console, physical access to it should be restricted to prevent giving an adversary access to these features. Most PBXs have an attached system printer. Various information may be output to the printer including source and destination of calls that are made or received (possibly every call), access codes used to access certain features, account or authorization codes used for making special calls, etc. Access to these printouts could provide information enabling toll fraud or other compromises. Remote Access A very useful but potentially vulnerable feature of many PBXs is remote administrative access. The PBX may allow an administrator to make changes to the system configuration database through an Attendant Console or from a terminal that is not physically located near the PBX, perhaps over a dial-in line with a modem. - Remote Access via an Attendant Console The degree of the vulnerability created by remote access via an Attendant Console is determined by several factors: password access, physical connection of the Attendant Console to the PBX, and availability of administrative features through the Attendant Console. - Remote Access via a Terminal If a standard dumb terminal can be used for access to the administrative features, more opportunities become available for an adversary to gain unwanted access. A modem could be connected to a terminal port and an outside dial-in line allowing easy access for the PBX administrator to do remote configuration and maintenance. Unfortunately, it also gives easy remote access to an adversary. By setting up remote access in this manner, a poor password protection system, the existence of "backdoors" (e.g., a special key sequence that would bypass required authorization levels), or the use of easy-to-guess passwords would seriously undermine the security of the system. Software Loading and Update Tampering When software is initially loaded onto a PBX and when any software updates/patches are loaded, the PBX is particularly vulnerable to software tampering. An adversary could intercept a software update sent to a PBX administrator. The update could be modified to allow special access or special features to the adversary. The modified update would then be sent to the PBX administrator who would install the update and unknowingly give the adversary unwanted access to the PBX. Countermeasures - Perhaps the most important task for password security is to make passwords resistant to cracking by automated tools. A password generator that creates random passwords can go a long way in defeating password crackers. Both free and commercial random password generation tools are available. Commercial products are available that can generate passwords of user-selectable length that are very resistant to cracking. - Many software packages use error detection codes to protect against transmission or disk copying errors. Conventional error detection codes such as checksums or cyclical redundancy checks (CRC) are not sufficient to ensure tamper detection. Strong error detection based on cryptography must be used. These methods use cryptographic algorithms that guarantee detection of even a single bit modification. - Because of the potential for exploitation by intruders, PBX boot disks and utilities must be given more protection than usually afforded typical office software such as word processing packages. Strong physical security should be provided for PBX software. Audit reports from the PBX should be shredded or destroyed in the same way as sensitive memos or financial information. - To ensure the security of printouts, they must be shredded when discarded. USER FEATURES An adversary may be able to exploit vulnerabilities in a system's features and the way in which features can interact. As with many aspects of information technology, the proliferation of features that make PBXs easy to configure and use has led to an expansion of vulnerabilities. Many of these are inherent in the features themselves or arise out of feature interactions, making them difficult to avoid. This discussion illustrates some of these vulnerabilities so that administrators will be able to weigh the risks of features against their benefits. Attendant Console Attendant Consoles typically have more function keys and a larger alphanumeric display than standard instruments to support the extra features available to the Attendant Console. The Attendant Console may be used for access to maintenance and administrative functions, but there are potential vulnerabilities of the Attendant Console with respect to maintenance and administration. Some typical features available with an Attendant Console are Override, Forwarding, and Conferencing. - Attendant Override Attendant Override is intended to allow the Attendant to break into a busy line to inform a user of an important incoming call. An adversary with access to an Attendant Console could use this feature to eavesdrop on conversations. The PBX should provide for some protection against such uses of Override by providing visual and/or audible warnings that an Override is in progress. - Attendant Forwarding A common feature granted to the Attendant is the ability to control forwarding of other instruments. An adversary with access to the Attendant Console could use this feature to forward any instrument's incoming calls to a long-distance number. The adversary could then call the target instrument and be forwarded to the long-distance number, thereby gaining free long-distance access. - Attendant Conferencing Attendants may also have the ability to initiate a conference or join into an existing conference. If this feature is available, the potential exists for an adversary logged in as an attendant to eavesdrop on a conversation or add an additional party to a conference without the knowledge of the other parties. Automatic Call Distribution (ACD) ACD allows a PBX to be configured so that incoming calls are distributed to the next available agent (e.g., reservation clerk) or placed on hold until an agent becomes available. Agents may be grouped together with each group having a supervisor. The group of supervisors may then even have a higher-level supervisor. The number of supervisors and number of levels of supervisors is dependent on the type of PBX being used. Most ACD systems grant a supervisor the ability to monitor the calls of the group they are supervising. Because of this feature, ACD systems are a potential vulnerability to the users of PBX. If an adversary could gain access to the configuration tools or the system database, they could become an ACD supervisor and set up an ACD group. The supervisor could then monitor the calls of any of the users in the group. Account Codes/Authorization Codes Account Codes are normally used for tracking calls made by certain people or projects so that bills can be charged appropriately. For example, a user may be required to enter an Account Code prior to placing a long-distance call. Depending on the configuration of the PBX, the Account Code may have to be on a list of approved codes for the call to be successful. If this is the case, the Account Code may be considered an Authorization Code because the user must dial a specific Account Code that is authorized for making long-distance calls. Another important use for Access Codes is for Dial In System Access (DISA). DISA typically allows a user to dial in to the PBX system from an outside line and gain access to the normal features of the PBX, almost as if they were a subscriber on the PBX instead of an outside caller. This feature is typically used to allow employees to make long-distance calls from the corporate PBX while out of the office by dialing in to the switch, then entering a code to make long-distance calls. It is easily abused by anyone with the authorization code, possibly leading to large fraudulent long-distance charges. Certain Account Codes may also be allocated for changing a user's Class of Service (COS). When the COS is changed, the user may have access to a different set of features. For example, most instruments may be assigned a COS that does not permit the use of an Override feature, but a special COS that is only accessible by using an Account Code may be created that does permit the use of Override. By using the Account Code, an adversary could then gain access to the Override feature. Since the Account Codes are used for billing, there are records kept of the calls that are made for the various Account Codes. These records generally include the source, destination, Account Code, and time/date of the call. The records may be stored as files on one of the system's disks or they may be printed out on a system printer. If the records are printed, an adversary who is able to gain access to the printer will have access not only to traffic information, but also to the printed Account Codes. Once the codes are known, the adversary will be able to use the codes for toll fraud, additional feature access, etc. Override (Intrude) An Override or Intrude feature is common to many PBXs. Due to its potential vulnerability, it is commonly selectable as a feature that can be allowed/disallowed on a single instrument or a group of instruments. Override is intended to allow one user (perhaps a supervisor) to break into a busy line to inform another user (perhaps a subordinate) of an important message. This feature could be used by an adversary with access to any instrument permitted to use the Override feature to eavesdrop on conversations. The PBX should provide for some protection against such uses of Override by providing visual and/or audible warnings that an Override is in progress. Diagnostics In addition to the major diagnostic features available at a maintenance terminal or Attendant Console, many PBXs provide diagnostics that can be initiated from any instrument. These diagnostic features may permit a user to make connections through the PBX by bypassing normal call processing restrictions. An adversary with access to these diagnostic features may be able to deny service or make undetected connections allowing for the monitoring of other calls. Feature Interactions With the advent of the digital PBX and its wealth of features, the interaction between features presents a significant possibility for vulnerabilities. For example, in some systems the return-call and camp-on features can be manipulated to defeat caller-ID blocking. With the large number of features available in modern PBXs, it becomes difficult for the manufacturer to consider all of the ways in which different features may interact. Because of this, vulnerabilities may exist that were undetected by the manufacturer that allow an adversary unwanted access to the PBX and its instruments. Since the actual Feature Interaction vulnerabilities found on a specific system depend heavily on the particular implementation of the features, it would be nearly impossible to describe every possibility for a generic system. NIST SP 800-24 includes detailed examples of some feature interactions. Countermeasures - Vulnerabilities can be minimized if the Attendant Console connects to the PBX with a different physical connection than that of the telephone instruments. - If the Attendant console connects to the PBX in the same manner as the telephone instruments, vulnerabilities can be reduced by having some sort of line configuration feature. Such a feature could reduce vulnerabilities by requiring that a line be specifically configured for use with an Attendant Console. With such a configuration requirement, a telephone instrument could not be easily replaced with an Attendant Console to gain access to the administrative features. - When implementing a Class of Service, feature interaction should be given much thought. Many of the feature vulnerabilities discussed involve Feature Interaction since several COS items or system options may have to be enabled/disabled to allow them to occur. - Because the vulnerabilities described in this section are inherent in feature implementation, they are difficult to defend against. The most effective strategy is to ensure that only essential features are activated. COMPUTER TELEPHONY One of the biggest new developments in telecommunications is the advent of computer-based telephony systems (CT). As microprocessor speeds have increased and memory prices dropped, it has become possible to implement a PBX on little more than a high-end PC. A CT system typically requires only the addition of specialized voice processing boards to an ordinary office PC with 64 MB of memory, a 3 GB disk, and a 300 MHz processor. Some CT systems use specialized real-time operating systems, but the trend is toward commercial off-the-shelf systems such as Windows, Linux, or other versions of UNIX. This development has brought great reductions in the cost of PBX systems, but means the possibility of enormously increased security risks. Two factors in particular can increase exposure: greatly expanded integration of telephony with the computer network and implementation of PBX functions over operating systems with widely known vulnerabilities. Some of the features appearing in new CT systems include: - Voice over IP, - Browser-based call handling and administration, - Integration of IP PBX with legacy PBXs and voicemail systems, - Integration of wireless networks with office network systems, and - Virtual private networks. A complete exposition of the risks of CT systems is beyond the scope of this document. The safest course of action is to assume that most or all of the vulnerabilities described here apply to CT systems as well as traditional PBXs. CT systems may also have added vulnerabilities resulting from well-known weaknesses of PC operating systems. Future NIST publications may address CT security issues in more depth. RECOMMENDATIONS Not all of the security measures described in this bulletin will be applicable to every organization. The first step in improving PBX security is to assess the organization's current telephony applications. This bulletin describes important areas to consider. Following this assessment, NIST SP 800-24 can be used in conducting a detailed evaluation. SP 800-24 also includes a set of baseline security considerations for PBXs and a more complete set of countermeasures for common vulnerabilities. REFERENCES NIST SP 800-24, PBX Vulnerability Analysis, National Institute of Standards and Technology, 2000. Online resources: - NIST Computer Security Resource Clearinghouse: http://csrc.nist.gov - DISA Information Assurance: http://www.disa.mil/infosec/iaweb/default.html - you're gonna take that from a FOURTEEN year old are ya clone?? Jawa01 was kicked off #CPU by theclone (you fucking teenie bopper) - Millennium Payphone - Power Out Exploit - By PsychoSpy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Intro/Story.... Recently while carousing the halls at my local educational facility, I noticed that the LCD Displays on the phone had gone completely blank. I couldn't believe my eyes! The power on the phones had gone out! Can we say damn lucky?!? I then walked up to the phone and picked it up, as I put my ear to the slightly chilly earpiece, I heard the distinct noise of the dial tone. You may say "Well hey! What else do you expect to hear when you pick up the phone?!? You forgot something you psycho! The millennium dial-tones are all pre-recorded." Well, that's right, the dial-tones ARE pre-recorded, however, with the power out, the recorded dial-tone isn't played due to lack of power. In fact, you can hear the physical switch inside the Millennium switch over. This my friend is a REAL DIAL TONE!! WOOO!! I then proceeded to try to dial a well known number (Clones pager). The damn payphone wouldn't let me though. It turns out that when the power goes out, the payphone initializes a failsafe mode which dissables the dialing of ANY numbers on the key pad until the 1 and 8 have been pressed first. This is meant to make it so that you cannot dial any numbers other than 800, which you could do when the power was on anyways. Onto the exploits.... First what you have to do is either cut the power to the Millennium, or find one with the power out. The first option is the most likely of the two. It was out of pure luck that I found the payphones with the power out. Just be VERY VERY careful when snipping the power. Make sure you've got rubber gloves, the wire cutters have rubber handles etc. If you fry yourself because of this, IT'S YOUR OWN DAMN FAULT!! DON'T COME CRYING TO ME!! Now for the real exploit stuff.... The numbers are only dissabled on the physical key pad. This means that we can pull out our trusty tone dialer, and dial away any number we please. I actually didn't have a tone dialer with me, so I used a mini-audio recorder. To use the audio recorder, you just dial 18 and then press record, and dial the rest of the numbers with the mic up to the ear piece. Then, hang up, and play the tones back into the phone. NOTE: The tones must be played as fast as possible. This is due to the dial-tone going dead in around 10 to 15 seconds. The second exploit is based on the line seizing exploit on the Protel's which The Clone found awhile back. With the power out, the Millennium no longer protects against this attack. This means that you can dial a 800 number that will drop you to a dial-tone, and will be able to use it. You can also try phoning up the operator and pissing her off so much that she hangs up, therefor giving you an unlimited dial-tone once again. Once you get this dial-tone, you can dial any number your little heart desires. Outro/Shouts/To Come.... Well, that's it kiddies! Have fun! This is only the FIRST of MANY files to come in the near future on the Millennium Pay- phones which have spread across Canada like a technological plague. Kinda interesting new frontier of phones though. The Telcos are actually getting somewhat smarter. Who'd of ever thought?!!? Shouts out to The Clone, Cyb0rg/asm, Semtex, and Niteshade. -- PsychoSpy psychospy@hushmail.com ICQ#: 5057653 11/05/00 - when im like a grandpa im gonna get aids for shits and giggles and smoke myself even stupider WHILE im senile - #`; 'Telus Call Director; Unsupervised Line Exploit' -[Date: 11/07/00]- -[Handle: The Clone]- -[Type: Telus Advisory]- -[EMAIL: theclone@hackcanada.com]- -[URL: http://www.nettwerked.net]- (notes: This particular exploit has been verified several times by the Canadian Phreakers Union [#cpu/haxordogs.net]; it has worked on many occasions however we've found that sometimes it doesn't work which completely boggles the mind. We've had greater success when the TCD subscriber picks up after the first or second ring.) Enter the phone number of someone who is subscribed to TCD (Telus Call Director) who you know will be on the Internet at the same time you place the call. 1. Call up a phone number and be sure you're connected. 2. Do a quick Flash hang-up or push the Link/3-way button on your CID display phone... this will initiate the 3-way chain and will drop you to a dial-tone. 3. Now enter the phone number of someone is subscribed to TCD who you know will be on the Internet at the same time you call them. 4. When the TCD subscriber picks up the telephone you will then be connected to both parties. The 'sploit? -- On Telus (Mobility) cellular/landline $20 a month plans, the phone bills give a specific list of every long-distance number you called (including duration) from the time after you received your previous months' last bill. Right, so that direct/3-way call you made to the TCD subscriber was not logged, meaning Telus' billing-equipment didn't recognize that particular call essentially giving you direct access to an unsupervised line. [ed note; looks as if Telus' recent upgrade to (former) BCTEL's "newer" billing system is not without its share of serious glitches... so Telus, was that multi-billion dollar merger with BC-TEL simply because they had more advanced equipment really worth it? ;-] The Possibilities -- 1. Chatting on an unrestricted line that completely ignores all Telus Call Director subscribers via a direct call or three-way chain can be used as a virtual "get out of jail free card" for both parties who may be suspected of criminal activity (drug dealing, extortion, etc.), and therefore have their calls logged and put into a "suspect database" run by Telus - police accessible. The 3-way-to-TCD billing-exploit will be completely feasible in this particular situation making customer monitoring a little more difficult to perform and subject to countless inaccuracies. -- Emergency Interrupt Avoidance; Q: "Okay, just what is Emergency Interrupt?" A: Lets say you have an appointment with a friend and you call her only to find that her phone is busy and you get blasted with an annoying busy signal. No use in complaining about why she isn't subscribed to call-waiting; so you call up the operator and ask them to test the line, which they do by using a process called BLV (Busy Line Verification) to check if the line is busy. From there the operator will ask you if you'd like to send a message to the particular subscriber, which of course you do and the operator sends the message through to your friend. This is where the BLV process becomes a bit more complex; with the line busy how is she going to break into the call and send the message? Using the Emergency Interrupt option she will automatically utilize the NTT (No Test Trunk) which basically tests a line without breaking into it like Emergency Interrupt is programmed to do. At this point you're probably thinking that the operator just breaks into the line and alerts your friend... wrong. See, what telephony companies did was added an encryption feature into the TSPS/OSPS (the operators) console which made it impossible for an operator to be able to just tap into a conversation without firstly causing the subscribers line to beep before coming on to the line; a nice implementation if I do say so myself. -- 2. By performing the Telus Call Director exploit, you could avoid all attempts by the Telus operator to perform Emergency Interrupt because on their TSPS/OSPS screen they will see that your line is not even in use. From there they will alert the person that is trying to contact you that your line is free and there is no need for them to bother initializing the Emergency Interrupt command. You will be an invisible void within those copper veins of Mah-Bell. ;) - yellowdot/#cpu sings, "I think I'm a clone now..." theclone blinks --- Conclusion; As you can see, the enormous of the growing the telecommunications-industry is not without its share of security vulnerabilities. Before finish this paper, I would personally like to thank two other people who have helped me with the testing of this exploit; Alan and Phlux - thanks a lot for your help guys. For further information on other Telus Call Director exploits, please refer to Phlux's 'Owning Telus Internet Call Director' http://www.nettwerked.net/icd.zip ;`# -- Credits Without the following contributions this zine issue would be fairly delayed or not released, so thank you to the following people: Magma, Miklos, PsychoSpy, Richard Kuhn, Term, and myself The Clone =p - -- Shouts: Hack Canada, #CPU, k-rad-bob @ b0g, Blackened @ Damage Inc., The Grasshopper Unit, Pyrofreak, Yellowdot and lastly to everyone and anyone who contributes to the Canadian H/P scene. ;. .;.. ; ;. ;.. ;.. .;..; .;.; .;; ;.. .;..;. .;..; .;.;...; ;..;.. .;. A .;. .;. ;.. N E T T W E R K E D ;.. ;..;.. P R O D U C T ;..;.. .;..; ;..;.. ; .;..;.;.. .; . .;. ..;.. .;.. . .; ..;..;..;.. .; ;..;. .;.. . .;.. .;.;. ..;. ..;.. .;. ;.;..;;..;.; ;.;;..;.. ;.;.; .; . ;.;..;. .;. ;.;:.;. ,;....;. .;.;. .;.; .;.;.; .;.; ;..;. .;.; ;.; .;. ..; ;. > > > *poof*