Hunting PBX For Vulnerabilities - Hack In Paris

Transcript of the slides for "Hunting PBX For Vulnerabilities" (38 slides).

Page 1: Hunting PBX For Vulnerabilities

I AM NOT BLIND I'VE JUST SEEN ENOUGH

Page 2:

Sachin Wagh, Security Analyst

Security Intelligence Team @ Symantec

Speaker at Hakon and Geek Street - Infosecurity Europe

Bug Hunter | Penetration Tester

Security Blogger

@tiger_tigerboy

Page 3:

Himanshu Mehta, Senior Threat Analysis Engineer

Security Intelligence Team @ Symantec

Speaker at National Cyber Security Conference, Hakon & Geek Street - Infosecurity Europe

Advisory Board Member @EC-Council & Convetit

Bug Hunter | Penetration Tester

@LionHeartRoxx

Page 4:

Content

• What is PBX

• Features

• Searching

• Softphone

• Vulnerabilities

• Mitigations

Page 5:

Private Branch Exchange

Source: http://www.cealcomz.co.za

Page 6:

Features

• Call Forwarding
• Call Transfer
• Conference Calls
• Automatic Call Delivery (ACD)
• Voice Messaging
• Call Queue etc.

Page 7:

Searching

Page 8:

Shodan:

"NCH Software Axon Virtual PBX"

Page 9:

Call Detail Records

Page 10:

Censys:

"FreePBX Administration"

Page 11:

Censys: "FreePBX Administration" (continued)

Page 12:

Page 13:

Shodan:

"polycom+command+shell"

Page 14:

File Transfer Protocol (FTP)

Page 15:

Call Detail Records

Page 16:

Server Message Block (SMB)

Page 17:

Server Message Block (SMB) (continued)

Page 18:

Shodan:

"port:23 console gateway -password"

Page 19:

Softphone

Page 20:

Vulnerabilities

Page 21:

TRIXBOX

Page 22:

Blind OS Command Injection

I AM NOT BLIND I’VE JUST SEEN ENOUGH

Page 23:

Page 24:

Blind OS Command Injection [DEMO]

CVE-2017-14535

Page 25:

Path Traversal

Page 26:

Path Traversal [DEMO]

CVE-2017-14537

Page 27:

Path Traversal [DEMO]

CVE-2017-14537

Page 28:

Cross-site Scripting

Source: gif-finder.com

Page 29:

Cross-site Scripting [DEMO]

CVE-2017-14536

Page 30:

AXON

Page 31:

Cross-site Scripting [DEMO]

CVE-2018-11552

Page 32:

Local Code Execution

Page 33:

Local Code Execution [DEMO]

CVE-2018-11551

Page 34:

Page 35:

Local Code Execution [DEMO]

CVE-2018-11551

Page 36:

Page 37:

Mitigations

Policies and procedures:

• Security training
• Password policy
• Incident response procedure

OS level security:

• Patches
• Applications and services
• Privileges

Page 38:

Thank You