PBX Security

From: Razvan (bugtraq@risc.ro)
Date: 02/05/03

    From: "Razvan" <bugtraq@risc.ro>
    To: <pen-test@securityfocus.com>
    Date: Wed, 5 Feb 2003 09:51:15 +0200


    Hi all,

    As promised, I return with the reasons I freaked when I saw what a PBX
    can become if used unwisely.

    First of all, there is the Call Forwarding - I Am Here feature, which
    allows you (whoever you might be) to redirect any extension to the phone
    you have physical access to (this is just a real-life case I met; not
    ANY extension, and not just any user can do that, with proper
    configuration). That is a very evil feature. Redirection of modem pools
    to my extension and the old "Login failed X 3 && cancel redirect" trick
    worked like a charm. Domain admin passwords were retrieved this way. Not
    to mention more elaborate social engineering attacks on the business
    processes of the company that are possible because of this.

    Second of all, and the most scary, I believe, is the lack of
    cryptographic controls on software updates for a PBX. AFAIK, there is
    absolutely no way the PBX can identify if changes were brought to the
    software update in transit, no digital signature, not even a hash (this
    is information confirmed on repeated occasions by the manufacturer's
    representative). This opens a door to a very dark room. We're not only
    talking about the usual hidden admin account, but imagine thousands of
    software updates being tampered with to automatically assign an
    extension to DISA with no authentication, bypassing the SMDR.

    This seems to be the case with one manufacturer, Mitel. Please tell me
    that I'm wrong, and please tell me that at least other manufacturers
    provide controls on their software updates.

    Also, I feel unable to come up with any sort of relevant advice on this
    matter. What's actually scary is the fact a PBX owner has practically no
    control over such an issue. He can have the most secure configuration, a
    relevant and enforced security policy, security conscious users, etc and
    he's still vulnerable. Or is he?

    Waiting for your thoughts on this.

    Razvan Teslaru
    Romanian IT Security Company

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
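The second point of the post, the absence of any signature or hash on a PBX software update, is easiest to reason about with the two checks side by side. The following Go program is an added example and is not code from the original post, from Mitel, or from any PBX vendor; the `UpdatePackage` layout, the key names and the sample image and payload are assumptions constructed for illustration. It plays the vendor side (hash and sign an image with Ed25519), an attacker in transit who appends a payload and recomputes the shipped digest, and the PBX side running a hash-only check versus a signature check against a public key that is already on the box.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical PBX software update as it travels from the
// vendor to the site. No real vendor format is assumed; this layout is an
// assumption made for illustration only.
type UpdatePackage struct {
	Image     []byte   // the software image the PBX will install
	Digest    [32]byte // SHA-256 of Image, shipped next to it ("at least a hash")
	Signature []byte   // Ed25519 signature over Image made with the vendor's private key
}

var ErrTampered = errors.New("update rejected: vendor signature does not verify")

// BuildPackage is the vendor side: hash the image and sign it.
func BuildPackage(vendorPriv ed25519.PrivateKey, image []byte) UpdatePackage {
	return UpdatePackage{
		Image:     image,
		Digest:    sha256.Sum256(image),
		Signature: ed25519.Sign(vendorPriv, image),
	}
}

// TamperInTransit models an attacker between vendor and PBX who appends a
// payload to the image (say, a hidden admin account) and, because a bare
// hash is not a secret, simply recomputes the Digest to match.
func TamperInTransit(pkg UpdatePackage, payload []byte) UpdatePackage {
	tampered := append(append([]byte{}, pkg.Image...), payload...)
	pkg.Image = tampered
	pkg.Digest = sha256.Sum256(tampered)
	// The attacker cannot produce a fresh Signature without the vendor's
	// private key, so the original one is left in place.
	return pkg
}

// VerifyDigestOnly is all the integrity checking a hash-only scheme gives you.
func VerifyDigestOnly(pkg UpdatePackage) bool {
	return sha256.Sum256(pkg.Image) == pkg.Digest
}

// VerifySignature is the check the PBX should perform before installing
// anything, using a vendor public key that is already on the box (burned in
// at manufacture or installed out of band), never one that ships with the update.
func VerifySignature(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, pkg.Image, pkg.Signature) {
		return ErrTampered
	}
	return nil
}

// Verdict records the outcome of both checks for one package.
type Verdict struct {
	DigestOK bool
	SigOK    bool
}

func check(vendorPub ed25519.PublicKey, pkg UpdatePackage) Verdict {
	return Verdict{
		DigestOK: VerifyDigestOnly(pkg),
		SigOK:    VerifySignature(vendorPub, pkg) == nil,
	}
}

// RunScenario plays the whole exchange: the vendor builds a package, one copy
// arrives intact and one copy is modified in transit. It returns the verdicts
// the PBX reaches for each copy.
func RunScenario() (clean Verdict, tampered Verdict, err error) {
	vendorPub, vendorPriv, kerr := ed25519.GenerateKey(rand.Reader)
	if kerr != nil {
		return Verdict{}, Verdict{}, kerr
	}
	// Constructed sample image; a real one would be the PBX software bundle.
	image := []byte("PBX-SOFTWARE-UPDATE v1.2.3\nDISA_AUTH=required\n")
	pkg := BuildPackage(vendorPriv, image)

	// Constructed attacker payload: the kind of change the post worries about.
	payload := []byte("DISA_AUTH=none\nSMDR_LOG=off\n")
	modified := TamperInTransit(pkg, payload)

	return check(vendorPub, pkg), check(vendorPub, modified), nil
}

func main() {
	clean, tampered, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact package:   digest ok=%v  signature ok=%v\n", clean.DigestOK, clean.SigOK)
	fmt.Printf("tampered package: digest ok=%v  signature ok=%v\n", tampered.DigestOK, tampered.SigOK)
}
```

The tampered copy passes the hash-only check and fails the signature check, which is the whole argument: a digest that travels with the update over the same channel protects only against accidental corruption, while a signature binds the image to a key the attacker does not hold. The check is only as good as the public key's provenance, so the key must be on the PBX before the update arrives, not delivered with it.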