What is this paper about:
Input validation attacks and memory corruption attacks are common, and finding a DoS attack on a service like HTTP is considered highly critical, given the attack surface and how easy the attack is to carry out. If we could trigger an exception in an Apache web server and crash it, that would be a huge loss for corporates and individuals hosting critical applications on those systems.
This paper is on DTMF input processing algorithms [DSP], which are often embedded into PBXs, IVRs, telephone routers and other devices that process DTMF input. PBX and IVR servers are often deployed to run phone banking application servers, call center applications and other systems that use the phone to interact with the user. If an attacker could trigger an exception in the DTMF processing algorithm, they could crash the entire application server with a single phone call, making the entire phone banking service inaccessible, or stopping any call to customer service from going through. One such denial of service could cause a lot of panic, and the amount of damage would be pretty huge.
History of this research:
I did two presentations last year, one explaining security vulnerabilities in IVR applications, mainly explaining logic flaws in CXML|VXML code, and it was not specific to any IVR. These issues were related to coding flaws in CXML|VXML, so any buggy IVR application or IVR server would be affected by those issues.
You can view the research experiments here :
http://www.garage4hackers.com/blogs/...ations%5D-310/
Well, for the VXML attacks, the best option for finding bugs is source code auditing; otherwise you will have to do a lot of trial and error to exploit these systems, so without source code the success rate is very poor.
Most of the tests were done on Voxeo IVR, since it was easy to install and manage.
The second paper, which we recently demonstrated at Ekoparty, was on the core DTMF processing algorithms and their implementations; any application that processes DTMF and can be interacted with directly could possibly be vulnerable to these attacks.
So let me refer to the first attack as VXML attacks and the second one as DTMF attacks.
As for the DTMF attack: if the system handles DTMF tones and you can interact with it directly, you would be able to perform the attacks mentioned below on it.
Fuzzing DTMF Detection Algorithms:
Applications of DTMF:
There are a lot of applications that we use in our day-to-day life that use DTMF tones as input.
The following are a few of them:
IVR:
Customer Care Applications
Phone Banking Applications
PBX [Private Branch Exchange]:
Telecom Systems
Voice Mails
VOIP
Conference Bridges:
Telephone Routers
For example, the following CXML grammar enables support for DTMF input in an IVR application.
Extreme Docs
Code:
<!-- This grammar is specifically for recognizing DTMF. -->
<grammar xml:lang="en-US" root="MYRULE" mode="dtmf">
  <!-- minimal rule body so the fragment is a complete grammar: accept the digit 1 or 2 -->
  <rule id="MYRULE"><one-of><item>1</item><item>2</item></one-of></rule>
</grammar>
The input to these applications that we control is DTMF, and there has to be a module that converts these tones back into their numeric form. So if we could find a bug in those modules, then technically we would be able to remotely:
[Crash] Shut down customer service apps
Shut down phone banking
Shut down a telephone router handling millions of calls.
And having this much power is priceless.
DTMF: Dual Tone Multi Frequency
Original Source : DTMF Explained
DTMF stands for Dual Tone - Multi Frequency and it is the basis for your telephone system. DTMF is actually the generic term for Touch-Tone (touch-tone is a registered trademark of AT&T). Your touch-tone phone is technically a DTMF generator that produces DTMF tones as you press the buttons.
It is called Dual Tone Multi-Frequency because each key is a combination of two frequencies, one taken from a high-frequency group and one from a low-frequency group.
DTMF Generation and DTMF Detection
DTMF Generation:
When you press the digit 1 on the keypad, you generate the tones 1209 Hz and 697 Hz.
Pressing the digit 2 will generate the tones 1336 Hz and 697 Hz.
It takes two tones to make a digit, and the decoding equipment knows the difference between the 1209 Hz that completes the digit 1 and the 1336 Hz that completes the digit 2.
So the following code (MATLAB/Octave) is how it is done; we will get back to this in the fuzzing part later.
Code:
key = {'1','2','3','4','5','6','7','8','9','*','0','#'};   % keypad, row by row
low_frequency  = [697 770 852 941];    % Low frequency group (keypad rows)
high_frequency = [1209 1336 1477];     % High frequency group (keypad columns)
frequency_pair = [];
for row = 1:4
    for column = 1:3
        % one column per key: [low; high], in the same order as key
        frequency_pair = [frequency_pair [low_frequency(row); high_frequency(column)]];
    end
end
fs = 8000;                      % sampling frequency, 8 kHz
t = 0:1/fs:0.1-1/fs;            % 100 ms of samples per tone
for k = 1:numel(key)
    % play the two-tone signal for key{k}
    sound(sin(2*pi*frequency_pair(1,k)*t) + sin(2*pi*frequency_pair(2,k)*t), fs);
    pause(0.15);
end
Here are a couple of implementations of a DTMF generator in PHP and Java:
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums
http://aggemam.dk/scripts/dtmf.phps
So DTMF generation is fairly easy to understand and to code. Remember, all this tone generation used to be done with oscillators at the hardware level, but these days you hardly see any hardware implementation, and the bugs we are referring to are all at the software level.
DTMF Detection
The input signal needs to be processed to recover the DTMF digits. There are around 320 samples to work with, since the minimum duration of a DTMF signal defined by the ITU standard is 40 ms, which at a sampling frequency of 8 kHz gives [0.04 x 8000] = 320 samples, and from these the two tones need to be detected.
The solution is a discrete-time Fourier transform: detection can be done either with a bank of band-pass filters or by computing selected DFT bins. The Goertzel algorithm is the most widely used DTMF detection algorithm; it computes individual DFT terms, and 16 DFT samples are computed for the 16 tones. For the implementation of Goertzel the following equations are necessary.
[Equation]
In the above equation we need to calculate the constant k. The value of k selects the tone we are trying to detect and is given by:
Code:
k = N * ftone / fs
where ftone is the tone frequency to detect, fs is the sampling frequency and N is the block length, set to 205.
Now we can calculate the value of the coefficient 2cos(2πk/N).
[Content credits: Dr Naim Dahnoun, Bristol University]
Pseudo Code:
Code:
standard_frequency = output_frequency / sample_rate;   % k/N: the tone frequency normalised to the sample rate
coeff = 2 * cos(2 * pi * standard_frequency);
s_prev = 0; s_prev2 = 0;                                % the two-sample delay line must start at zero
for each sample x[n]
    s = x[n] + coeff * s_prev - s_prev2;
    s_prev2 = s_prev;
    s_prev = s;
end
power = s_prev2*s_prev2 + s_prev*s_prev - coeff*s_prev*s_prev2;   % |X[k]|^2 for the target tone
https://sites.google.com/site/hobbyd...dtmf-detection
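To make the detection step concrete, here is a Goertzel-based DTMF decoder in Python. It is an added example written for this write-up, not Dr Dahnoun's code or the page's pseudo-code; it uses the page's N = 205, k = N * ftone / fs and coefficient 2cos(2πk/N), and adds the checks a detector needs before it trusts the result: the frame must be at least N samples long (so the loop never reads past the buffer), the winning bin must clear an absolute energy floor (silence must not decode as a digit), it must dominate its group by a power ratio, and the two tones must not differ in level by more than a "twist" limit. The names goertzel_power, decode_frame, tone, and the threshold values min_power, min_ratio and max_twist are my assumptions; the tone() helper only builds a constructed two-sine test signal.

```python
import math

# Standard DTMF frequency groups (Hz): low group = keypad rows, high group = keypad columns.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")

N = 205            # Goertzel block length used in the article
MIN_SAMPLES = 320  # ITU minimum tone duration: 40 ms at 8 kHz


def goertzel_power(samples, target_freq, fs):
    """|X[k]|^2 of `samples` at `target_freq`, following the page's pseudo-code:
    k = N * ftone / fs (rounded to the nearest bin), coeff = 2 cos(2 pi k / N)."""
    n = len(samples)
    k = round(n * target_freq / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2


def decode_frame(samples, fs=8000, block=N, min_power=1.0, min_ratio=8.0, max_twist=4.0):
    """Return the detected key, or None when the frame does not hold a clean DTMF pair.
    A blind argmax over the eight bins would turn silence, noise or an off-frequency
    tone into a digit; each rejection below closes one of those paths."""
    if fs <= 0 or len(samples) < block:
        return None                                   # too short: never index past the buffer
    frame = samples[:block]
    low = [goertzel_power(frame, f, fs) for f in LOW_FREQS]
    high = [goertzel_power(frame, f, fs) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    if low[li] < min_power or high[hi] < min_power:
        return None                                   # energy floor (float samples in [-1, 1])
    low_second = max(p for i, p in enumerate(low) if i != li)
    high_second = max(p for i, p in enumerate(high) if i != hi)
    if low_second > 0 and low[li] / low_second < min_ratio:
        return None                                   # no single row tone dominates
    if high_second > 0 and high[hi] / high_second < min_ratio:
        return None                                   # no single column tone dominates
    twist = max(low[li], high[hi]) / max(min(low[li], high[hi]), 1e-12)
    if twist > max_twist:
        return None                                   # tones too unequal in level
    return KEYPAD[li][hi]


def tone(low_f, high_f, fs=8000, n=MIN_SAMPLES, amp_low=0.5, amp_high=0.5):
    """Constructed test signal: the sum of two sines, one per DTMF group."""
    return [amp_low * math.sin(2 * math.pi * low_f * i / fs)
            + amp_high * math.sin(2 * math.pi * high_f * i / fs) for i in range(n)]


if __name__ == "__main__":
    print(decode_frame(tone(697, 1209)))   # a clean "1"
    print(decode_frame(tone(757, 1209)))   # row tone halfway between 697 and 770: rejected
```

With N = 205 and fs = 8000 the rounded bins land at 702, 780, 859, 937, 1210, 1327, 1483 and 1639 Hz, close enough to the nominal tones that a clean pair decodes, while a tone parked between two row frequencies is rejected because neither neighbouring bin dominates the other.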
DTMF Detection:
As you must have noticed, a good amount of computation goes into detecting the tones, and almost all of the systems that detect DTMF have one form or another of the above algorithm embedded in them. Now that we know the algorithm and the input, it is just a matter of time to fuzz one such application.
Input is Evil:
Fuzzing What We Control:
1) The frequency [ftone]
2) The amplitude
3) Sample rate [fs]
4) Sample length
5) Sample duration
6) Higher frequency
7) Lower frequency
The sampling frequency is set to 8 kHz as per the standard, but we can vary it by +-1/2.
Our fuzzer works by varying these controlled values. The original code, a DTMF generator, was written by Christian Schmidt, and we modified it to build our fuzzer.
Code:
//samples per second
$sample_rate = isset($sample_rate) ? intval($sample_rate) : 8000;
//signal length in milliseconds
$signal_length = isset($signal_length) ? intval($signal_length) : 100;
//break between signals in milliseconds
$break_length = isset($break_length) ? intval($break_length) : 100;
//pause length in milliseconds - pause character is ','
$pause_length = isset($pause_length) ? intval($pause_length) : 500;
//amplitude of wave file in the range 0-64
$amplitude = isset($amplitude) ? intval($amplitude) : 64;
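Here is a Python generator that exposes the same knobs as the PHP code above (sample rate, signal length, break, pause, amplitude 0-64) plus the per-group frequency offsets from the "what we control" list, covering both the generation section and the fuzzing list. It is an added example for this write-up, not Christian Schmidt's generator or the fuzzer described in the text. The names KEY_TONES, synth_key, render_sequence, to_int16 and write_wav, the MAX_SIGNAL_MS cap, and the mapping of amplitude 64 to full scale (each tone gets half) are my assumptions. From a test-harness point of view the two checks matter: the Nyquist check refuses a sample rate that cannot represent the requested tone, and the cap keeps one fuzz case from requesting gigabytes of samples; quantisation clips to 16-bit instead of wrapping, and reports how many samples it clipped.

```python
import math
import struct
import wave

# DTMF keypad: each key is one low-group (row) and one high-group (column) tone in Hz.
KEYPAD = ("123A", "456B", "789C", "*0#D")
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEY_TONES = {k: (LOW_FREQS[r], HIGH_FREQS[c])
             for r, row in enumerate(KEYPAD) for c, k in enumerate(row)}

MAX_SIGNAL_MS = 10_000   # hypothetical cap on one tone's duration (bounds memory use)


def synth_key(key, sample_rate=8000, signal_length=100, amplitude=64,
              low_offset=0.0, high_offset=0.0):
    """Float samples in [-1, 1] for one key. amplitude 0-64 maps to 0..full scale,
    as in the PHP generator; low_offset/high_offset shift the two tones in Hz."""
    if key not in KEY_TONES:
        raise ValueError("not a DTMF key: %r" % key)
    if not 0 < signal_length <= MAX_SIGNAL_MS:
        raise ValueError("signal_length out of range")
    low, high = KEY_TONES[key]
    low += low_offset
    high += high_offset
    if sample_rate <= 2 * max(low, high):
        raise ValueError("sample_rate violates Nyquist for %g Hz" % max(low, high))
    n = int(sample_rate * signal_length // 1000)
    gain = amplitude / 64.0 / 2.0          # each tone gets half of full scale
    return [gain * (math.sin(2 * math.pi * low * i / sample_rate)
                    + math.sin(2 * math.pi * high * i / sample_rate)) for i in range(n)]


def render_sequence(keys, sample_rate=8000, signal_length=100, break_length=100,
                    pause_length=500, amplitude=64, low_offset=0.0, high_offset=0.0):
    """Tone followed by a silent break for every key; ',' inserts a longer pause."""
    out = []
    for key in keys:
        if key == ",":
            out.extend([0.0] * int(sample_rate * pause_length // 1000))
            continue
        out.extend(synth_key(key, sample_rate, signal_length, amplitude, low_offset, high_offset))
        out.extend([0.0] * int(sample_rate * break_length // 1000))
    return out


def to_int16(samples):
    """Quantise to 16-bit PCM, clipping rather than wrapping. Returns (ints, clipped_count)."""
    ints, clipped = [], 0
    for x in samples:
        v = int(round(x * 32767))
        if v > 32767 or v < -32768:
            clipped += 1
            v = max(-32768, min(32767, v))
        ints.append(v)
    return ints, clipped


def write_wav(path, samples, sample_rate=8000):
    """Write mono 16-bit PCM; returns the number of clipped samples."""
    ints, clipped = to_int16(samples)
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(sample_rate)
        w.writeframes(struct.pack("<%dh" % len(ints), *ints))
    return clipped


if __name__ == "__main__":
    # one fuzz-style case: key "1" with the row tone pushed up 30 Hz at 8 kHz
    clipped = write_wav("case.wav", render_sequence("1,2", low_offset=30.0))
    print("clipped samples:", clipped)
```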
The example video shows a huge amount of CPU usage by the detection program when it is attached to our fuzzer. Note that the input is via the audio input source [mic].
We tested the fuzzer on the following program, and the video below is of that one: http://www.phrack.org/issues.html?issue=50&id=13
And for some reason there was an issue with the audio.
Now imagine the many applications that have an implementation of this algorithm; since we have a user-controlled input, I believe it would be fairly easy to attack these devices.
I have had a remote crash as well [not exploitable]. The mod_security of this server is not allowing me to add code here; I will later make a Git repo and add the fuzzer there.
Cheers.
CXML/VXML Auditing for IVR Pentesters
Fuzzing DTMF Detection Algorithm, Nullcon Delhi
References:
Video from Nullcon Delhi
Dual-Tone Multi-Frequency (DTMF) Signal Detection - MATLAB & Simulink Example - MathWorks India
https://docs.google.com/viewer?a=v&q...VttTswK3G0Y5-w
Dual Tone Multi-Frequency (DTMF) Detection
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums
A couple of DTMF decoder codes for testing:
https://docs.google.com/viewer?a=v&p...OGY5NWJmYmYyZA
http://www.codeforge.com/article/77096
http://www.phrack.org/issues.html?issue=50&id=13