Penetration Testing mailing list archives

Re: [PEN-TEST] PBX Security


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 4 Oct 2000 13:58:03 -0500

Okay... A little clarification on this...

I've been asked multiple times to disclose this one all the way.

I will happily show you how to get to "the door", but I don't feel
right about giving everyone the "key".  Read the rest to find out
why...

The specific undocumented backdoor lives within the way that StarTalk
Flash (Voice Mail Module) interacts with a NorStar KSU (PBX Core).

In order for Joe Bob to get his voice mail from his phone, he needs to
dial an extension.  Usually the system coordinator gives this extension
number a hot-key on the phone.  StarTalk Flash, when installed, adds a
few "Feature" codes to the system.  The NorStar phones have a "Feature"
button on them, and a user can use the features to set up ring tones,
volume, listen to the hold music, whatever.  The system administrator
can use this to gain access to the administrative functions.

There are two sides to the system when StarTalk is installed on the PBX:
the phone administrative functions, and the voice mail administrative
functions.  They both have separate methods of accessing the system, and
there are usually separate passwords for both (even by default).

By default, the StarTalk module creates a set of feature codes: [Feature]
followed by 980 through 986.  [Feature] 981 is the code to access v-mail
administration (add mailbox, delete mailbox, change mailbox password, change
mailbox name, etc.).  By default, [Feature] 985 will tell the user what
extension to dial to access the voice mail for the phone they are at.  It's
the same for everyone on the system, but it may differ from system to system.

It will display something like "485", and you have one option: "OK".  If
you hit "OK", the phone will exit back into normal mode.  If you hit a
NUMBER, however, it will say "Invalid Key", unless the number you press is
"9"...

If you press "9", then you are prompted for a password.  When entered
correctly, this will put the voice mail admin password back to default
(which can be found in the installer's guides, and varies depending on
installation settings).  The string of digits that needs to be entered is
11 digits long, and brute-forcing it is probably not practical.  This has
to be done from a digital NorStar phone on your PBX, so it's not something
a "kiddie" could do to you from a remote site.

Once the password has been reset, anyone who knows the default password can
delete/add/edit voice mail boxes, change people's messages and passwords,
etc.

The reason that I don't just give out the code is because I can't find it
anywhere on the net... I looked for it for weeks after I got the document,
and never found it... even typing in the direct string of digits didn't
return any results.  It's my guess that this backdoor is used as a
last-ditch effort by Nortel techs if a PBX admin leaves or something.  Aside
from this backdoor, if the default voice mail admin passwords are changed,
StarTalk Flash is really quite secure.  Not even the KSU admin can change
the password to the voice mail admin's account...

--Noah Dunker

-----Original Message-----
From: Gallicchio, Florindo (2282)
[mailto:florindo.gallicchio () ESAVIO COM]
Sent: Wednesday, October 04, 2000 11:14 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: PBX Security


Noah:

I realize that as a consulting company you expended resources to obtain the
information you mentioned in your post.  In keeping with the open-exchange
spirit of the Pen-Test list, would you consider sharing that information
with the members of the list?  Or, do you know of a Web site on which we
could find that information?

Florindo

-----Original Message-----
From: Dunker, Noah
To: PEN-TEST () SECURITYFOCUS COM
Sent: 10/4/00 11:44 AM
Subject: Re: [PEN-TEST] PBX Security

I've only audited Meridian systems... but from my experience... you can
get some pretty good information to start with.

This is how I got the info I did:

1) Got installation manuals for the whole system.
2) Got copies of the System Coordinator Guides.  For a Meridian Norstar
PBX, these books are called "Norstar Modular DR5 System Coordinator Guide"
and "Norstar Modular DR5 Installer Guide", and I got the Installation Guide
for the voice mail system (which happened to be StarTalk Flash).  I know
I've seen a DR5.1 of these same manuals...

I then called up a company that installs the systems, and acted like I
was interested.  Yes, this is social engineering a third party, but it was
necessary for what I was doing.  I asked to talk specifically to one of
their installation and troubleshooting engineers because "one of my guys
had some really technical questions".  I took him out to lunch, drank some
beer, and in the end, I got him to give me photocopies of some "undocumented"
feature codes, including one which can reset the administrator PIN.

I learned the default passwords for the PBX, and a whole ton of feature
codes just from reading the manuals.  With all the resources I got, any
Meridian Norstar PBX is 100% open to me.

It's unfair to use a known back-door when pen-testing.  The back-door on
Norstar is pretty hard to stumble across, but it is nice to know the
default passcodes, and test for things like that.  Good luck!

-----Original Message-----
From: Joe Traietta [mailto:JTraietta () ASAHIBANKNY COM]
Sent: Wednesday, October 04, 2000 9:07 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: PBX Security


I have been asked to perform a security review on the PBX system (NEC
NEAX 2000 IVS) at my company.  I have virtually no PBX experience, so I was
hoping somebody could point me to a good resource, or pass along some
personal experience about reviewing / auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch