PRI/Asterisk Security

[blake at remoteorigin.com (blake at remoteorigin.com)]

Hi Vincent,

There is an attack that not only would work against certain configurations of Asterisk but other PBX's as well.  

Its not exactly a PRI based attack but I feel this method is still worth mentioning to the group.

Its basically as follows.

Loopback Signaling Inter-PBX Forced Dial-Tone Attack:  An attacker calls a PBX and has the call transferred to an 
adjacent PBX within the same organization.  Since loopback signaling has no notion of "hand up detection" it is 
possible to have the receiving party (on the second PBX) hang up the phone while the attacker stays on the line.  If 
this inter-PBX link uses Loopback signaling then the first PBX "can" bump the attacker into a dial tone upon disconnect 
with the second PBX.  You can then make free phone calls.

Solution: use signaling that supports hangup detection (which is pretty much the rest of them).

Its simpler then it sounds.  Its rare that a specific system/configuration is vulnerable yet I've had some fun/success 
using this technique myself.

This attack is beyond brute forcing extensions, VM codes or the similar via IVR systems.  That would be another 
conversation.

Let me know if you have any questions regarding.

Cheers,

Blake Cornell




Vincent,

It really depends on the driver set and the asterisk system's
configuration.  If there is an exploitable bug in libpri or the driver
for the specific card you maybe able to attack it by tapping into the
line and issuing malformed framing, encoding or d-channel information,
but that would require either an existing exploit or fuzzing drivers
and/or libraries by the interested party.  On the other hand if they
have some sort of automated menu system that is connected to the PBX
via the PSTN you can attack it like you would any other PBX via weak
passcodes and other information.   Taking either of these approaches
can tie up resources on the system however by eating up a single
b-channel in the case of attempting to go after a menu interface or an
entire circuit in the case of a PRI which if monitored should be
readily apparent to the administrator of the system.

Please be fuzzing from telco gear may or may not be in violation of
one or more federal and state law and tapping a PRI in the US in most
fashions is a Felony without a wiretap warrant so doing so should be
done with extreme caution and permission as well as legal research in
advance.



On Wed, Jan 13, 2010 at 2:09 AM, Vincent Lape <vlape at me.com> wrote:
> Is anyone in the group knowledgeable enough about asteresk and PRI lines to 
offer opinion of the feasibility of attacking an asteresk server via a PRI 
line?
> > Do we know of anyone knowledgeable enough about asterisk and PRI lines
> to
> > offer opinion of the feasibility of attacking an asterisk server via a
> PRI
> > line?
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com