HITB2009 – Dubai: Conference Agenda & Noteworthy Presentations
March 13, 2009
The agenda for HITBSecConf2009 - Dubai is now online, along with details of both conference keynote sessions. There are still another 4 weeks to grab your seats at the GCC's premier network security event!
Keynote 1 - Philippe Langlois (Founder, Qualys / Intrinsec / TSTF) "From Hacking, Startups to HackLabs: Global Perspective and New Fields"
Keynote 2 - Mark Curphey (Director CISG, Microsoft Corp) "Security Cogs and Levers"
Other noteworthy papers:
- Cross Domain Leakiness: Divulging Sensitive Information and Attacking SSL Sessions - Chris Evans and Billy Rios
- VBootKit 2.0 - Attacking Windows 7 via Boot Sectors - Vipin & Nitin Kumar
- The Reverse Engineering Intermediate Language REIL and its Applications - Sebastian Porst
- Pickpocketing mWallets: A Guide to Looting Mobile Financial Services - The Grugq
- Psychotronica: Exposure, Control, and Deceit - Nitesh Dhanjani
- NKill - The Internet Killboard - Anthony 'kugutsumen' Zboralski
This is a new tool which gives attackers the ability to discover interesting relationships between seemingly unrelated hosts and companies and to pull vulnerable hosts for a specific domain, company or even an entire country!
Remote Crash Vulnerability in SIP channel driver
March 10, 2009
Asterisk Project Security Advisory - AST-2009-002
+------------------------------------------------------------------------+
| Product | Asterisk |
|---------------------+--------------------------------------------------|
| Summary | Remote Crash Vulnerability in SIP channel driver |
|---------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|---------------------+--------------------------------------------------|
| Susceptibility | Remote Authenticated Sessions |
|---------------------+--------------------------------------------------|
| Severity | Moderate |
|---------------------+--------------------------------------------------|
| Exploits Known | No |
|---------------------+--------------------------------------------------|
| Reported On | February 6, 2009 |
|---------------------+--------------------------------------------------|
| Reported By | bugs.digium.com user klaus3000 |
|---------------------+--------------------------------------------------|
| Posted On | March 10, 2009 |
|---------------------+--------------------------------------------------|
| Last Updated On | March 10, 2009 |
|---------------------+--------------------------------------------------|
| Advisory Contact | Joshua Colp |
|---------------------+--------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | When configured with pedantic=yes the SIP channel driver |
| | performs extra request URI checking on an INVITE |
| | received as a result of a SIP spiral. As part of this |
| | extra checking the headers from the outgoing SIP INVITE |
| | sent and the received SIP INVITE are compared. The code |
| | incorrectly assumes that the string for each header |
| | passed in will be non-NULL in all cases. This is |
| | incorrect because if no headers are present the value |
| | passed in will be NULL. |
| | |
| | The values passed into the code are now checked to be |
| | non-NULL before being compared. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to revision 174082 of the 1.4 branch, 174085 of |
| | the 1.6.0 branch, 174086 of the 1.6.1 branch, or one of |
| | the releases noted below. |
| | |
| | The pedantic option in the SIP channel driver can also be |
| | turned off to prevent this issue from occurring. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Versions 1.4.22, 1.4.23, |
| | | 1.4.23.1 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.6 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.1.x | All versions prior to |
| | | 1.6.1.0-rc2 |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.x.x | Only version C.2.3 |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | Not affected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.4.23.2 |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.6.0.6 |
|-------------------------------------------+----------------------------|
| Asterisk Open Source | 1.6.1.0-rc2 |
|-------------------------------------------+----------------------------|
| Asterisk Business Edition | C.2.3.2 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-002-1.4.diff |1.4 |
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-002-1.6.0.diff |1.6.0 |
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-002-1.6.1.diff |1.6.1 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://bugs.digium.com/view.php?id=14417 |
| | |
| | http://bugs.digium.com/view.php?id=13547 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-002.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------------+--------------------+--------------------------------|
| 2009-03-10 | Joshua Colp | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-002
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
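The flaw class described in AST-2009-002, shown as the unchecked comparison beside a NULL-checked one. This is an added example, not code from the advisory or from the Asterisk source; the function names and sample URIs are hypothetical. It assumes URI headers are '&'-separated entries compared case-insensitively as a set, which goes slightly beyond the plain string comparison the advisory mentions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Headers part of a SIP URI (the text after '?'), or NULL when there is none. */
const char *uri_headers(const char *uri)
{
    const char *q = uri ? strchr(uri, '?') : NULL;
    return (q && q[1] != '\0') ? q + 1 : NULL;
}

/* Pre-fix pattern: both arguments are assumed non-NULL, so a URI without
 * headers (NULL) makes strcasecmp() dereference a NULL pointer. */
int headers_differ_unchecked(const char *sent, const char *received)
{
    return strcasecmp(sent, received) != 0;
}

/* Is the entry e[0..len) one of the '&'-separated entries of h? */
static int has_entry(const char *h, const char *e, size_t len)
{
    while (h) {
        const char *end = strchr(h, '&');
        size_t hl = end ? (size_t)(end - h) : strlen(h);
        if (hl == len && strncasecmp(h, e, len) == 0)
            return 1;
        h = end ? end + 1 : NULL;
    }
    return 0;
}

/* Is every entry of a also an entry of b? */
static int subset(const char *a, const char *b)
{
    while (a) {
        const char *end = strchr(a, '&');
        size_t len = end ? (size_t)(end - a) : strlen(a);
        if (!has_entry(b, a, len))
            return 0;
        a = end ? end + 1 : NULL;
    }
    return 1;
}

/* Post-fix pattern: NULL is handled before any string function runs.
 * Returns 0 when the two header sets match, 1 when they differ. */
int headers_differ_checked(const char *sent, const char *received)
{
    if (!sent && !received)
        return 0;               /* neither URI carries headers */
    if (!sent || !received)
        return 1;               /* only one side carries headers */
    return !(subset(sent, received) && subset(received, sent));
}

int main(void)
{
    /* Constructed sample URIs; the second has no headers at all. */
    const char *sent = uri_headers("sip:bob@pbx.example?Subject=test&Priority=urgent");
    const char *recv = uri_headers("sip:bob@pbx.example");
    printf("differ: %d\n", headers_differ_checked(sent, recv));
    return 0;
}
```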
Efficient and Legal War Dialers for Asterisk and Unix/Linux
March 9, 2009
It's been a while since we posted about anything important. Sorry about that guys, some other stuff is taking off and haven't had much time to devote to this site. Today we present you with a little article about war dialing.
If you're not familiar with war dialing, it's a term from the BBS era, when we'd use things like Toneloc and Bluebeep to search for modems that answered. This would give us huge lists of BBSes, banks, government offices and all sorts of cool things we could try to log in to, or just share with friends.
Fast forward about a decade and a half, and now we have VOIP. You didn't think people wouldn't use war dialers with VOIP too, did you? You'd be wrong if you did. VOIP is a tremendously easy and fast way to use war dialers, both for finding dialup modems and for many other uses (pretty much anything you can think of).
Today we have a couple of war dialers that we've found out there on the tubes:
iWAR - The war dialer your mother told you not to play with. This war dialer is completely free, and is written in C for Unix (will work on Linux, FreeBSD, OpenBSD, NetBSD, etc). It might even work on Windows with some trickery and an emulator, though we have not tried. This software has been around for a while and has an extensive feature list available. To name just a few of the highlights:
- Full and normal logging
- Ascii flat file and MySQL Logging
- Random or sequential dialing
- Remote System Identification
- Supports regular modems or IAX2
- Much much more
iWAR has been around for a while, and we've even posted about it before. If you're looking for something to test out your systems (legally only of course!) or to test your client's systems, this is a great way to do it, especially with the modem and IAX support it has. iWAR is affiliated with the wicked cool Telephreak.org, one of the neatest "greyhat" VOIP sites and services around. Check them out when you can.
We've also come across one other VOIP based war dialer.
WarVOX - Is a new suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.
WarVOX is a great tool for finding all sorts of interesting numbers or systems out there, not to mention it's great for securing your onsite, or client VOIP installations. Go ahead and give WarVOX a try.
And finally we come to the last war dialer, this one created in Python:
PAW/PAWS Wardialer - PAW / PAWS is a wardialing software in python. It is designed to scan for ISDN (PAWS only) and "modern" analog modems (running at 9.6kbit/s or higher). Wardialing tools are - despite their martialic naming - used to find nonauthorized modems so one can disable those and as result make access to the internal network harder.
Obviously, PAWS doesn't have much use in North America (but it does have some!) - it's more geared towards European testing and analysis. Give it a try and let us know what you think.
If you need some DIDs to do your testing from, don't forget to check out Link2Voip for cheap rates and cheap DIDs!
Know of any other cool war dialers? Let us know in the comments!
Infiltrated.net releases simple Asterisk based toll fraud prevention script and thoughts.
February 8, 2009
Posted over the weekend to the -users list for all to enjoy.
A Simple Asterisk Based Toll Fraud Prevention Script http://www.infiltrated.net/asterisk-ips.html
Ramblings for admins/engineers to think about. Doesn't have to cost you umpteen thousand dollars for stuff like IPS/IDS. Although a little on the crude side, quite effective. If you care to dabble with MySQL you can create quite an impressive host-based IPS that is custom tailored to your infrastructure.
Anyhow, was bored (ADHD) and wanted to ramble on for a little while.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
Videos from HITBSecConf2008 – Malaysia released!
January 20, 2009
The videos from HITBSecConf2008 - Malaysia are now available for download!
Day 1
http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1
Keynote Address 1:
The Art of Click-Jacking - Jeremiah Grossman
Keynote Address 2:
Cyberwar is Bullshit - Marcus Ranum
Presentations:
- Delivering Identity Management 2.0 by Leveraging OPSS
- Bluepilling the Xen Hypervisor
- Pass the Hash Toolkit for Windows
- Internet Explorer 8 - Trustworthy Engineering and Browsing
- Full Process Reconstitution from Memory
- Hacking Internet Kiosks
- Analysis and Visualization of Common Packers
- A Fox in the Hen House - UPnP IGD
- MoocherHunting
- Browser Exploits: A New Model for Browser Security
- Time for a Free Hardware Foundation?
- Mac OS Xploitation
- Hacking a Bird in The Sky 2.0
- How the Leopard Hides His Spots - OS X Anti-Forensics Techniques
Day 2
http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2
Keynote Address 3:
Dissolving an Industry as a Hobby - THE PIRATE BAY
Presentations:
- Pushing the Camel Through the Eye of a Needle
- An Effective Methodology to Enable Security Evaluation at RTL Level
- Remote Code Execution Through Intel CPU Bugs
- Next Generation Reverse Shell
- Build Your Own Password Cracker with a Disassembler and VM Magic
- Decompilers and Beyond
- Cracking into Embedded Devices and Beyond!
- Client-side Security
- Top 10 Web 2.0 Attacks
On a related note, the registration for HITBSecConf2009 - Dubai (20th - 23rd April) is now open!
http://conference.hitb.org/hitbsecconf2009dubai/
The Call for Papers (CFP) for HITBSecConf2009 - Malaysia (October 5th - 8th) will open in March 2009.
A belated Happy New Year from all of us at Hack in The Box and may all your exploits result in root shell! :)
The HITB Team.
Information leak in Asterisk IAX2 authentication fixed
January 8, 2009
Asterisk Project Security Advisory - AST-2009-001
+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | Information leak in IAX2 authentication |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Unauthorized data disclosure |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Minor |
|----------------------+-------------------------------------------------|
| Exploits Known | Yes |
|----------------------+-------------------------------------------------|
| Reported On | October 15, 2008 |
|----------------------+-------------------------------------------------|
| Reported By | http://www.unprotectedhex.com |
|----------------------+-------------------------------------------------|
| Posted On | January 7, 2009 |
|----------------------+-------------------------------------------------|
| Last Updated On | January 7, 2009 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2009-0041 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | IAX2 provides a different response during authentication |
| | when a user does not exist, as compared to when the |
| | password is merely wrong. This allows an attacker to |
| | scan a host to find specific users on which to |
| | concentrate password cracking attempts. |
| | |
| | The workaround involves sending back responses that are |
| | valid for that particular site. For example, if it were |
| | known that a site only uses RSA authentication, then |
| | sending back an MD5 authentication request would |
| | similarly identify the user as not existing. The |
| | opposite is also true. So the solution is always to send |
| | back an authentication response that corresponds to a |
| | known frequency with which real authentication responses |
| | are returned, when the user does not exist. This makes |
| | it very difficult for an attacker to guess whether a |
| | user exists or not, based upon this particular |
| | mechanism. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Upgrade to revision 167259 of the 1.2 branch or 167260 of |
| | the 1.4 branch or one of the releases noted below. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | All version prior to 1.2.31 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.23-rc4 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.x | All versions prior to |
| | | 1.6.0.3-rc2 |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Addons | 1.6.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to B.2.5.7 |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.1.x.x | All versions prior to C.1.10.4 |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition | C.2.x.x | All versions prior to C.2.1.2.1 |
|----------------------------+---------+---------------------------------|
| AsteriskNOW | 1.5 | Not affected |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | All versions prior to 1.3.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|--------------------------------------------+---------------------------|
| Asterisk Open Source | 1.2.31 |
|--------------------------------------------+---------------------------|
| Asterisk Open Source | 1.4.22.1 |
|--------------------------------------------+---------------------------|
| Asterisk Open Source | 1.6.0.3 |
|--------------------------------------------+---------------------------|
| Asterisk Business Edition | B.2.5.7 |
|--------------------------------------------+---------------------------|
| Asterisk Business Edition | C.1.10.4 |
|--------------------------------------------+---------------------------|
| Asterisk Business Edition | C.2.1.2.1 |
|--------------------------------------------+---------------------------|
| s800i (Asterisk Appliance) | 1.3.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Patches |
|------------------------------------------------------------------------|
| URL |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.2.diff |1.2 |
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.4.diff |1.4 |
|-----------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-001-1.6.0.diff |1.6.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | http://code.google.com/p/iaxscan/ |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-001.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-001.html |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-----------------+------------------------+-----------------------------|
| 2009-01-07 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-001
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
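The enumeration leak and the mitigation described in AST-2009-001, sketched as a leaky first-reply function beside one that answers unknown users with a challenge type drawn from the site's real mix. This is an added example, not code from the advisory or from chan_iax2; the reply names, user tables and keyed hash are hypothetical, and the hash is a stand-in for a proper keyed MAC. It assumes the decoy choice should be stable per username and unpredictable without the server secret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical first replies to an authentication attempt. */
enum reply { REPLY_UNKNOWN_USER, REPLY_CHALLENGE_MD5, REPLY_CHALLENGE_RSA };

struct user { const char *name; enum reply method; };

/* Constructed sample sites: one RSA-only, one with a 2:1 MD5/RSA mix. */
static const struct user rsa_only_site[] = {
    { "alice", REPLY_CHALLENGE_RSA }, { "bob", REPLY_CHALLENGE_RSA } };
static const struct user mixed_site[] = {
    { "alice", REPLY_CHALLENGE_MD5 }, { "bob", REPLY_CHALLENGE_RSA },
    { "carol", REPLY_CHALLENGE_MD5 } };

static const struct user *find_user(const struct user *u, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(u[i].name, name) == 0)
            return &u[i];
    return NULL;
}

/* Leaky behaviour: a missing user gets a reply no real user ever gets. */
enum reply first_reply_leaky(const struct user *u, size_t n, const char *name)
{
    const struct user *hit = find_user(u, n, name);
    return hit ? hit->method : REPLY_UNKNOWN_USER;
}

/* FNV-1a mixed with a server secret (illustrative, not a real MAC). */
static uint32_t keyed_hash(uint32_t secret, const char *s)
{
    uint32_t h = 2166136261u ^ secret;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Mitigated behaviour: a missing user borrows the challenge type of a real
 * account selected by the keyed hash, so decoy replies occur with the same
 * frequency as real ones and an RSA-only site never emits an MD5 decoy. */
enum reply first_reply_uniform(const struct user *u, size_t n,
                               const char *name, uint32_t secret)
{
    const struct user *hit = find_user(u, n, name);
    if (hit)
        return hit->method;
    if (n == 0)
        return REPLY_CHALLENGE_MD5;   /* no accounts: fixed default */
    return u[keyed_hash(secret, name) % n].method;
}

int main(void)
{
    printf("leaky:   %d\n", first_reply_leaky(rsa_only_site, 2, "mallory"));
    printf("uniform: %d\n", first_reply_uniform(rsa_only_site, 2, "mallory", 0x5eedu));
    printf("mixed:   %d\n", first_reply_uniform(mixed_site, 3, "mallory", 0x5eedu));
    return 0;
}
```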
Asterisk 1.2.30.4 released, fixing iax2 security bug.
December 10, 2008
The Asterisk.org development team has released Asterisk version 1.2.30.4.
This release is available for immediate download from http://downloads.digium.com/.
This update for Asterisk includes a security fix for chan_iax2. Please see the associated security advisory for more details:
http://downloads.digium.com/pub/security/AST-2008-012.pdf .
This security issue affects only the 1.2 series.
Thank you for your continued support of Asterisk!



