rps/aps vulnerability in snom/yealink and others - slides

Auto provisioning sucks Cal Leeming [email protected]

Upload: cal-leeming

Post on 08-Jun-2015


DESCRIPTION

Slides from http://www.youtube.com/watch?v=2yN_-g-0PAk

TRANSCRIPT

Page 1: RPS/APS vulnerability in snom/yealink and others - slides

Auto provisioning sucks

Cal Leeming, [email protected]

Page 2: Disclaimer

• I am a programmer, not a security expert
• This has been done using best practices for responsible disclosure
• POC code will not be disclosed (but can be easily written in ~30 mins)

Page 3: How would you feel if...

• You found a vulnerability that allows a malicious user to extract user creds remotely with no authentication
• Your supplier was shipping you vuln devices by default
• Your provider did not fix the problem
• The vendor did not fix the problem entirely
• All your customers were affected
• You were liable for any resulting toll-fraud
• You had to explain this to your customers afterwards
• This is the BS I had to deal with in June 2012

Page 4: Companies affected

• Yealink: disclosed June 2012, patched Aug 2012, problem still exists
• Snom: disclosed today
• ****.co.uk: disclosed 2012, problem still exists
• *****.co.uk: not disclosed
• Many, many others, including those with QSA accreditation from ITSPA

Page 5: Known attack vectors

• 1) Redirection service at root authority (what is it? http://www.888voip.com/rps-redirection-and-provisioning-service-by-yealink/)
• 2) Redirection service at reseller (SIP providers, hw wholesalers)
• 3) Any external-facing provisioning system (HTTP, TFTP etc)

Page 6: Yealink

• V71 firmware
  – RPS not enabled by default
  – AES encryption optional for V71
  – Still vuln if provider does not implement properly
• V70 firmware
  – RPS enabled by default
  – No AES encryption required
  – Legacy services have not been disabled due to this

Page 7: Yealink

• V71 fw cut using binwalk and yaffs2utils
• V70 fw cut using binwalk and unsquashfs

$ cat ./factory/Setting/autop.cfg
[ autoprovision ]
server_address = ?http://prov.yealink.co.uk/1/ap/

$ grep -R "server_address" .
./factory/Setting/autop_code.cfg:server_address = ?http://prov.yealink.co.uk/1/ap
./factory/Setting/autop_code.cfg:server_address = ?http://yealink.********

$ curl http://prov.yealink.co.uk/1/ap/0015651738ba.cfg
[ autoprovision ]
***

Jun 29 15:41:01 ap: http_client.c(712): UserAgent is yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f
Jun 29 15:41:01 ap: http_client.c(1292): query header: GET /tftp/00112233445f.cfg HTTP/1.0^M Host: 1.2.3.4^M User-Agent: yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f^M Accept: */*^M Connection: Keep-Alive^M ^M

Page 8: Yealink

• MAC range: 001565 XIAMEN YEALINK
• 16^3 (16,581,375 MACs)
• Single threaded, single IP scan, 30 reqs/sec
• Can easily write a scanner in ~30 mins

[2013-10-22 12:56:32,463] [scan-yealink-rps.py:131] HIT 001565****** - endpoint is http://*************/***/001565******.cfg
[2013-10-22 12:56:32,627] [scan-yealink-rps.py:119] MISS on 001565******
[2013-10-22 12:56:32,792] [scan-yealink-rps.py:119] MISS on 001565******

Page 9: Snom

• FW cut using binwalk and jffs
  - http://www.kutukupret.com/2010/09/16/mounting-a-jffs2-filesystem-in-linux/
  - http://pauldotcom.com/wiki/index.php/Reverse_Engineering_Firmware_Primer

DEFAULT VALUE: http://provisioning.snom.com/snomXXX/snomXXX.php?mac={mac}

snomXXX = {snom300, snom320, snom360, snom370, snom710, snom720, snom760, snom820, snom820, snom870, snom m9}

python pnpserv.py -u http://url.of.the/settings.xml?mac={mac}

python pnpserv.py -u w/o argument defaults to http://provisioning.snom.com/snom3x0/snom3x0.php?mac={mac}

http://provisioning.snom.com/snom300/snom300.php?mac=00041337C200

Page 10: Snom

• Requires model number in MAC URL
• This increases scan time, right??
• NOPE. http://wiki.snom.com/Settings/mac
• Could easily write a scanner in ~30 mins

SNIPPET:
Snom300 ---- 00041325XXXX, 00041328XXXX, 0004132DXXXX, 0004132FXXXX, 00041334XXXX, 0004133687F0-00041336FFFF, 00041337XXXX, 0004133BXXXX, 00041350XXXX
snom320 ---- 00041324XXXX, 00041327XXXX, 0004132CXXXX, 00041331XXXX, 00041335XXXX, 00041338XXXX, 00041351XXXX

[2013-10-22 14:47:50,047] [scan-snom-aps.py:22] Scanning MAC range 00-04-13-25-XX-XX to 00-04-13-25-XX-XX (total 7)
[2013-10-22 14:47:50,276] [scan-snom-aps.py:54] MISS on 00041325XXXX
[2013-10-22 14:47:50,276] [scan-snom-aps.py:66] HIT 00041325XXXX - endpoint is http://*******/**/***.php?mac=00041325XXXX

Page 11: Generic auto prov servers

• Majority of auto prov servers do not have brute protection
• Majority of sys admins don't check auto prov server logs
• Significant number of well known UK providers are vuln to this
• Lol 3cx
• Almost every handset is vulnerable to this (encryption is not always enforced by default)
• Almost every provisioning server is vulnerable to this
• At least one big UK company is exposing thousands of details because of this

Page 12: Dirty tricks

• Scanner speed can be significantly increased using coroutines
• Request throughput can be increased using proxies from public lists
• Easily reach 1000 requests/sec using 200 lines of python code
• The majority of servers would crash and burn if the URL is hitting dynamic code (PHP) instead of plain text
• I have not implemented any of these, as this code is for proof of concept, not a hit-and-run tool to be used maliciously

Page 13: Immediate protections (for non-encrypted configs)

• Implement protections using L7 rules (nginx reverse proxy, ZXTM etc)
• Rate limit based on MAC+IP combo (default 10 MACs/IP/24h)
• Enforce user agent checks/validation (not 100%, but helps protect against chancers)
• Track IPs which access provisioning info, check for fraud patterns (access from different countries etc)
• Automatically block IP if any protections are triggered
• Remove/modify on a case-by-case basis
• This only slows down brute force attacks, it does NOT prevent them, nor does it protect against targeted attacks
• Be smart
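The MAC+IP rate limit and the user-agent check above can also be run retrospectively over the provisioning server's access log, which is where most admins will find a scan they never noticed. This is an added example, not code from the talk: it assumes nginx "combined" log lines in front of a Yealink-style /1/ap/<mac>.cfg path, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log line; the config path and User-Agent are what we inspect.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
MAC_IN_PATH = re.compile(r'/([0-9a-fA-F]{12})\.cfg$')
# Yealink handsets identify themselves as "yealink <model> <ip> <mac>" (see the slide 7 log).
YEALINK_UA = re.compile(r'^yealink \S+ \S+ (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$')

def parse_line(line):
    """Return (ip, timestamp, requested MAC, User-Agent), or None for non-config requests."""
    m = LOG_RE.match(line)
    p = MAC_IN_PATH.search(m.group('path')) if m else None
    if not p:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, p.group(1).lower(), m.group('ua')

def analyse(lines, max_macs=10, window=timedelta(hours=24)):
    """Map each offending client IP to the set of rules it tripped."""
    history = defaultdict(list)   # ip -> [(ts, mac)] of config fetches
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, mac, ua = rec
        m = YEALINK_UA.match(ua)
        if not m:
            flagged[ip].add('unexpected user agent')
        elif m.group('mac').replace(':', '').lower() != mac:
            flagged[ip].add('user agent MAC does not match requested config')
        history[ip].append((ts, mac))
        # The slide's rate limit: more than N distinct MACs from one IP inside the window.
        recent = {seen_mac for seen_ts, seen_mac in history[ip] if ts - seen_ts <= window}
        if len(recent) > max_macs:
            flagged[ip].add('more than %d distinct MACs in window' % max_macs)
    return dict(flagged)

def sample_log():
    """Constructed lines: one genuine T20P fetching its own config, then one client walking the 001565 block."""
    fmt = '%s - - [22/Oct/2013:12:56:%02d +0000] "GET /1/ap/%s.cfg HTTP/1.0" %d 0 "-" "%s"'
    lines = [fmt % ('203.0.113.7', 0, '0015651738ba', 200, 'yealink SIP-T20P 1.2.3.4 00:15:65:17:38:ba')]
    for i in range(12):
        lines.append(fmt % ('198.51.100.9', i + 1, '001565%06x' % i, 404, 'yealink SIP-T20P 1.2.3.4 00:11:22:33:44:5f'))
    return lines
```

The second client is caught twice: its spoofed Yealink user agent carries a MAC that never matches the config it asks for, and it crosses the 10-MAC limit within seconds, which is the pattern the slide says a human checking the logs would otherwise miss.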

Page 14: Immediate protections (for encrypted configs)

• Haven't had chance to review these yet
• Snom/Yealink will be chiming in with their two cents on protections

Page 15: Out of the factory protection

• Vendors are struggling to make phones secure to auto provisioning out of the factory; it relies on providers doing things correctly.
• Could you not enforce request validation using a one-time-use key generated from a unique string embedded into that phone (perhaps serial no?)? This combined with encryption gives two layers of security – still not perfect if the SN is leaked
• Got ideas? Share them! The only way this will change is if we all do our bit to help
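One server-side sketch of the check proposed above, added here as an illustration (it is not a snom or Yealink mechanism and not the author's code): the phone keys an HMAC with its serial number over the MAC and a counter, so a request that carries only a guessable MAC is refused and a captured token cannot be replayed. The serial registry is constructed, and the phone is assumed to keep a monotonic counter.

```python
import hmac
import hashlib

# Constructed registry: MAC -> serial embedded in the phone (hypothetical values).
DEVICE_SECRETS = {
    '0015651738ba': 'SN-EXAMPLE-0001',
}

def make_token(serial, mac, counter):
    """Phone side: one-time token over (mac, counter), keyed with the per-device serial."""
    msg = ('%s:%d' % (mac.lower(), counter)).encode()
    return hmac.new(serial.encode(), msg, hashlib.sha256).hexdigest()

class ProvisioningServer:
    def __init__(self, secrets):
        self.secrets = secrets
        self.last_counter = {}  # mac -> highest counter already accepted

    def authorise(self, mac, counter, token):
        """Serve the config only for a known MAC with a fresh, correctly keyed token."""
        mac = mac.lower()
        serial = self.secrets.get(mac)
        if serial is None:
            return False  # unknown MAC: nothing to serve, however guessable the OUI range is
        expected = make_token(serial, mac, counter)
        if not hmac.compare_digest(expected, token):
            return False  # knowing the MAC alone no longer gets a config
        if counter <= self.last_counter.get(mac, -1):
            return False  # replay of a key that has already been used
        self.last_counter[mac] = counter
        return True
```

This still depends on the serial staying secret, which is the caveat the slide itself raises; the encrypted config is the second layer for when it does not.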

Page 16: How you can help

• Many other vendors are vulnerable, I don't have enough time to check them all
• Got a phone that supports zero touch/auto prov? Give this a try!
• Simple pcap/syslog analysis will usually give up secrets
• FW cutting only needed if you want to dig a bit deeper
• Most providers/vendors are not implementing encrypted config by default
• Yealink have partially fixed by adding encrypted config (but it's not enforced!)
• Test as many different makes/firmware as possible!!!!

Page 17: This is only the beginning

• Auto provisioning flaws are only the tip of the iceberg
• Poke around, you will be shocked at what you find

Page 18: It's not all doom and gloom

• Discovered FS after becoming fed up with incompetent providers
• Met some amazing people in this community
• Learnt a lot of new skills
• Cudatel isn't vulnerable since they ship firmwares with RPS off by default

Page 19: Acknowledgements

• William King aka quentusrex from CudaTel: helped with finding ways to protect customers, much appreciated!
• Ken Rice aka SwK from FreeSWITCH: assistance with broadcasting and arranging this conference, thank you!
• FreeSWITCH community
• Anyone whose URL I have linked to
• People who took time to write up on fw dissection, it saved me literally days of work

Page 20: Worried about this?

Reach out: [email protected]

There are FreeSWITCH consultants who can help set up secure remote provisioning

Page 21: Hint doc names

A31008-M2212-R910-3-7643_en_Internat.pdf
A31008-M2212-R910-3-7643_en_Internat_2.pdf
A31008-M2212-R910-3-7643_en_Internat_3.pdf
A31008-M2212-R910-5-7643.pdf
Auto Provision Manual version 2.0.4.pdf
Auto Provision Manual version 2.0.4_2.pdf
Category_HowTo_XMLRPC Redirection - Snom User Wiki.pdf
Changelog-YUK-V60FW-03012012.pdf
SiemensC450IPConfiguration.pdf
Terms_and_Conditions_for_use_of_snom_redirection_services.pdf
uts.pdf
V70UpgradingManual-21540749528.pdf
Voip_einrichten_eng.pdf
Yealink Auto Provisioning User Guide.pdf
Yealink SIP Phone Release Note of Version 71.pdf
YealinkConfigurationConversionToolUserGuide-21535047441.pdf
YealinkRedirectionandProvisioningService(RPS)UserManualV10ENG-04371557705.pdf
YealinkXMLAPIforRPS-V1.3-ENG (2).pdf
YealinkXMLAPIforRPS-V1.3-ENG.pdf