Penetration Testing mailing list archives
Re: [PEN-TEST] PBX Security
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Wed, 4 Oct 2000 13:58:03 -0500
Okay... A little clarification on this... I've been asked multiple times to disclose this one all the way. I will happily show you how to get to "the door", but I don't feel right about giving everyone the "key". Read the rest to find out why...

The specific undocumented backdoor lives within the way that StarTalk Flash (Voice Mail Module) interacts with a NorStar KSU (PBX Core). In order for Joe Bob to get his voice mail from his phone, he needs to dial an extension. Usually the system coordinator gives this extension number a hot-key on the phone.

StarTalk Flash, when installed, adds a few "Feature" codes to the system. The NorStar phones have a "Feature" button on them, and a user can use the features to set up ring tones, volume, listen to the hold music, whatever. The system administrator can use this to gain access to the administrative functions. There are two sides to the system when StarTalk is installed on the PBX: the phone administrative functions, and the voice mail administrative functions. They both have separate methods of accessing the system, and there are usually separate passwords for both (even by default).

By default, the StarTalk module creates a set of feature codes: [Feature] followed by 980 through 986. Feature 981 is the code to access v-mail administration (add mailbox, del mailbox, change mailbox passwd, change mailbox name, etc.). By default, [Feature] 985 will tell the user what extension to dial to access the voice mail for the phone they are at. It's the same for everyone on the system, but it may differ from system to system. It will display something like "485" and you have one option: "OK". If you hit "OK", the phone will exit back into normal mode. If you hit a NUMBER, however, it will say "Invalid Key", unless the number you press is "9"... If you press "9", then you are prompted for a password.

When entered correctly, this will put the voice mail admin password back to default (which can be found in the installer's guides, and varies depending on installation settings). The string of digits that needs to be entered is 11 digits long, and brute-forcing it is probably not practical. This has to be done from a digital NorStar phone on your PBX, so it's not something a "kiddie" could do to you from a remote site. Once the password has been reset, anyone who knows the default password can delete/add/edit voice mail boxes, change people's messages and passwords, etc.

The reason that I don't just give out the code is because I can't find it anywhere on the net... I looked for it for weeks after I got the document, and never found it... even typing in the direct string of digits didn't return any results. It's my guess that this backdoor is used as a last-ditch effort by Nortel techs if a PBX admin leaves or something.

Aside from this backdoor, if the default voice mail admin passwords are changed, StarTalk Flash is really quite secure. Not even the KSU admin can change the password to the Voice Mail Admin's account...

--Noah Dunker

-----Original Message-----
From: Gallicchio, Florindo (2282) [mailto:florindo.gallicchio () ESAVIO COM]
Sent: Wednesday, October 04, 2000 11:14 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: PBX Security

Noah:

I realize that as a consulting company you expended resources to obtain the information you mentioned in your post. In keeping with the open-exchange spirit of the Pen-Test list, would you consider sharing that information with the members of the list? Or, do you know of a Web site on which we could find that information?

Florindo

-----Original Message-----
From: Dunker, Noah
To: PEN-TEST () SECURITYFOCUS COM
Sent: 10/4/00 11:44 AM
Subject: Re: [PEN-TEST] PBX Security

I've only audited Meridian systems... but from my experience... you can get some pretty good information to start with.

This is how I got the info I did:
1) Got installation manuals for the whole system.
2) Got copies of the System Coordinator Guides.

For a Meridian Norstar PBX, these books are called "Norstar Modular DR5 System Coordinator Guide" and "Norstar Modular DR5 Installer Guide", and I got the Installation Guide for the voice mail system (which happened to be StarTalk Flash). I know I've seen a DR5.1 of these same manuals...

I then called up a company that installs the systems, and acted like I was interested. Yes, this is social engineering a third party, but it was necessary for what I was doing. I asked to talk specifically to one of their installation and troubleshooting engineers because "one of my guys had some really technical questions". I took him out to lunch, drank some beer, and in the end, I got him to give me photocopies of some "undocumented" feature codes, including one which can reset the administrator PIN.

I learned the default passwords for the PBX, and a whole ton of feature codes just from reading the manuals. With all the resources I got, any Meridian Norstar PBX is 100% open to me. It's unfair to use a known back-door when pen-testing. The back-door on Norstar is pretty hard to stumble across, but it is nice to know the default passcodes, and test for things like that.

Good luck!

-----Original Message-----
From: Joe Traietta [mailto:JTraietta () ASAHIBANKNY COM]
Sent: Wednesday, October 04, 2000 9:07 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: PBX Security

I have been asked to perform a security review on the PBX system (NEC NEAX 2000 IVS) at my company. I have virtually no PBX experience, so I was hoping somebody could point me to a good resource, or pass along some personal experience about reviewing / auditing a PBX system.

Thank you.

Joseph Traietta
Data Security Officer
Asahi Bank, New York Branch