Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Monthly Archives: January 2010

Vulnerability in FreePBX 2.5 and 2.6

The Exploit Database reports that FreePBX versions 2.5 and 2.6 are vulnerable to Cross-Site Scripting (XSS).

An affected user may unintentionally execute scripts or actions written by
an attacker. In addition, an attacker may obtain authorization cookies
that would allow him to gain unauthorized access to the application.

This is just the beginning of vulnerabilities in different VoIP applications. Up until now, attackers have not needed vulnerabilities to exploit VoIP services. Too many IP PBXes have been configured insecurely and are easy to abuse.

The next wave will see more exploits being used against IP PBXes. They are often based on the same protocols and applications as any other server…


A great challenge awaits you!

Slightly interested in security?

Do you want to learn more about investigating attacks?

Here is your challenge!

The Honeynet Project has released this year's first Scan of the Month challenge! It has many levels, and now you can test whether you are up to it!


And the VoIP scans just keep on coming

Mark Waters had his Asterisk scanned for extensions with missing or easy passwords. Mark writes: “I have now set allowguest=no in /etc/asterisk/sip.conf and will monitor how this affects regular incoming calls and also the next ‘attack’”

If he really needs his Asterisk available on port 5060, he could use SSH tunneling for the SIP signalling or a port knocking method to open port 5060 from his current IP when needed.

Will check what he does on the next attack.

Have you checked your logs lately?


More automatic VoIP attacks – 10 000 hits in minutes…

Over 10 000 hits on one single VoIP honeypot within minutes. This is becoming the norm.

How they do it:

  1. They use SIPVicious to scan with SIP OPTIONS messages.
  2. If they get a response, the scan is followed up with SIP REGISTER on all extensions from 100 to 9999.
  3. Then they pick an extension and brute-force the password on it (another load of REGISTER messages).

What does this have to do with you?

If you have a VoIP platform which handles REGISTER or INVITE messages on a public IP, you BETTER have good passwords! And you need to be able to handle large loads if you have no protection!

If you can lock it down based on access lists or with VPN, do so now!
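To spot the three steps above in your own traffic, here is an added example (not from the original post or from any tool it mentions) that classifies source IPs from a SIP request log. The log line format, the thresholds and the addresses are assumptions constructed for the illustration; adapt the parser to whatever your PBX or honeypot actually writes.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not Asterisk's own):
#   <epoch-seconds> <source-ip> <SIP method> sip:[extension@]host
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+sip:(?:([^@\s]+)@)?\S+$")

def classify_sources(lines, enum_threshold=20, brute_threshold=20):
    """Map each suspicious source IP to the scan phases seen from it."""
    probed = set()                                    # sources that sent OPTIONS
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> extension -> REGISTER count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # ignore lines in another format
        _, ip, method, user = m.groups()
        if method == "OPTIONS":
            probed.add(ip)
        elif method == "REGISTER" and user:
            attempts[ip][user] += 1
    report = {}
    for ip, per_ext in attempts.items():
        phases = []
        if len(per_ext) >= enum_threshold:            # step 2: many different extensions
            phases.append("extension-enumeration")
        hot = sorted(e for e, n in per_ext.items() if n >= brute_threshold)
        if hot:                                       # step 3: one extension hammered
            phases.append("password-bruteforce:" + ",".join(hot))
        if phases:
            # OPTIONS alone is not reported: phones use it for keepalives too.
            report[ip] = (["options-probe"] if ip in probed else []) + phases
    return report

def sample_log():
    """Constructed traffic: one scanner walking all three steps, one normal phone."""
    scanner, phone, pbx = "203.0.113.7", "198.51.100.20", "192.0.2.10"
    lines = [f"1000 {scanner} OPTIONS sip:{pbx}", f"1000 {phone} OPTIONS sip:{pbx}"]
    lines += [f"{1001 + i} {scanner} REGISTER sip:{100 + i}@{pbx}" for i in range(50)]
    lines += [f"{1100 + i} {scanner} REGISTER sip:105@{pbx}" for i in range(200)]
    lines += [f"{2000 + i * 60} {phone} REGISTER sip:201@{pbx}" for i in range(5)]
    return lines

if __name__ == "__main__":
    for ip, phases in classify_sources(sample_log()).items():
        print(ip, phases)
```

Sources flagged this way are candidates for the access-list or rate-limit treatment; the thresholds should sit well above what your own phones produce when they re-register.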


Filter away those SIP attacks

Finally, an open-source solution to filter away those SIPVicious and other SIP attacks. SecSIP is a stateful SIP protection system which analyses the SIP signalling on the fly and decides whether to forward it or not. It can throttle the number of SIP messages (useful, since one of my VoIP honeypots was hit with 16 000 INVITES within 8 minutes..).

Great work, and I’m looking forward to testing it out live!

Number of VoIP scans has exploded

If you have an IP PBX on a public IP, and you are not quite sure if it is secure enough, you should get to it now!

Scans on port 5060 have exploded in recent days. Previously it was a couple of hits a week, now it’s up to 100 a day. This means that if your VoIP setup is not 100% secure, others will find it and abuse it! And you will get the telephony bill!

Get to it, secure your VoIP communication platform right now!

Check the following:

  • All users have strong passwords
  • Access lists are up to date and preferably applied both ways (both incoming and outgoing traffic on the server)
  • No unused services are enabled
  • Latest patches are on the server OS
  • Latest patches are on the application
  • Latest SECURE firmware on the hardware endpoints (phones etc.)
  • Other services on the platform like Web servers, TFTP, FTP, SSH are locked down or have VERY strong passwords
  • Encrypt the traffic from the user and into the server (to make eavesdropping harder)
  • Make the PCs accessing your platform secure. Any keyloggers or sniffers installed here?
  • Forgotten something? Please comment