PBX Security

From: Razvan (bugtraq@risc.ro)
Date: Wed Feb 05 2003 - 02:51:15 EST


Hi all,

As promised, I return with the reasons I freaked when I saw what a PBX
can become if used unwisely.

First of all, there is the Call Forwarding - I Am Here feature, which
allows you (whoever you might be) to redirect any extension to the phone
you have physical access to (this is just a real-life case I met: not
ANY extension, and not just any user can do that, with proper
configuration). That is a very evil feature. Redirection of modem pools
to my extension and the old "Login failed X 3 && cancel redirect" trick
worked like a charm. Domain admin passwords were retrieved this way. Not
to mention more elaborate social engineering attacks on the business
processes of the company that are possible because of this.

Second of all, and the most scary, I believe, is the lack of
cryptographic controls on software updates for a PBX. AFAIK, there is
absolutely no way the PBX can identify if changes were brought to the
software update in transit: no digital signature, not even a hash (this
is information confirmed on repeated occasions by the manufacturer's
representative). This opens a door to a very dark room. We're not only
talking about the usual hidden admin account, but imagine thousands of
software updates being tampered with to automatically assign an
extension to DISA with no authentication, bypassing the SMDR.

This seems to be the case with one manufacturer, Mitel. Please tell me
that I'm wrong, and please tell me that at least other manufacturers
provide controls on their software updates.

Also, I feel unable to come up with any sort of relevant advice on this
matter. What's actually scary is the fact a PBX owner has practically no
control over such an issue. He can have the most secure configuration, a
relevant and enforced security policy, security conscious users, etc and
he's still vulnerable. Or is he?

Waiting for your thoughts on this.

Razvan Teslaru
Romanian IT Security Company
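As an added illustration of the second point (this is example code, not part of Razvan's post or any vendor's update mechanism), the two checks he contrasts side by side: a digest shipped with the update versus a vendor signature the PBX verifies with a public key. Ed25519 stands in for whatever signature scheme a vendor might use, and the package layout and image bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdatePackage models a PBX software update plus the integrity metadata shipped with it (constructed).
type UpdatePackage struct {
	Image  []byte // the update image itself
	Digest []byte // SHA-256 of Image, shipped in the same channel as the image
	Sig    []byte // vendor's Ed25519 signature over Digest
}

// BuildSignedUpdate is the vendor-side step: hash the image, sign the hash.
func BuildSignedUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	sum := sha256.Sum256(image)
	return UpdatePackage{Image: image, Digest: sum[:], Sig: ed25519.Sign(priv, sum[:])}
}

// VerifyHashOnly is the weak check: it only proves Image matches the Digest that
// arrived beside it, so it catches corruption but not a deliberate change.
func VerifyHashOnly(pkg UpdatePackage) bool {
	sum := sha256.Sum256(pkg.Image)
	return bytes.Equal(sum[:], pkg.Digest)
}

// VerifySignature is the control the post asks for: the PBX holds only the
// vendor's public key, so a modified image cannot be given a valid signature.
func VerifySignature(pub ed25519.PublicKey, pkg UpdatePackage) bool {
	sum := sha256.Sum256(pkg.Image)
	return bytes.Equal(sum[:], pkg.Digest) && ed25519.Verify(pub, sum[:], pkg.Sig)
}

// TamperInTransit models the failure mode: image and unauthenticated digest both change, signature cannot.
func TamperInTransit(pkg UpdatePackage, modified []byte) UpdatePackage {
	sum := sha256.Sum256(modified)
	return UpdatePackage{Image: modified, Digest: sum[:], Sig: pkg.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := BuildSignedUpdate(priv, []byte("pbx-update-1.0 (constructed image)"))
	altered := TamperInTransit(genuine, []byte("pbx-update-1.0 (constructed, modified)"))
	fmt.Println(VerifyHashOnly(genuine), VerifySignature(pub, genuine)) // true true
	fmt.Println(VerifyHashOnly(altered), VerifySignature(pub, altered)) // true false
}
```

The hash-only check accepts the altered package because the digest travelled unauthenticated with the image; only the public-key check rejects it.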
