Sunday, January 13, 2013

29C3 Cisco Phones Easy Hack

Hacking Cisco Phones
 Just because you are paranoid doesn't mean your phone isn't listening to everything you say


We discuss a set of 0-day kernel vulnerabilities in CNU (Cisco Native Unix), the operating system that powers all Cisco TNP IP phones. We demonstrate the reliable exploitation of all Cisco TNP phones via multiple vulnerabilities found in the CNU kernel. We demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels. We also demonstrate the worm-like propagation of our CNU malware, which can quickly compromise all vulnerable Cisco phones on the network. We discuss the feasibility of our attacks given physical access, internal network access and remote access across the internet. Lastly, we built on last year's presentation by discussing the feasibility of exploiting Cisco phones from compromised HP printers and vice versa.


Cisco PSIRT has assigned CVE Identifier CVE-2012-5445 to this issue.

Affected Cisco IP Phones:
  • Cisco Unified IP Phone 7975G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7906

<Begin RNE Text>
Symptoms: Cisco Unified IP Phone 7900 series devices also referred to as Cisco TNP Phones contain an input validation vulnerability. A local, authenticated attacker with the ability to place a malicious binary on the phone could leverage this issue to elevate their privileges or take complete control of the device.
The issue is due to a failure to properly validate certain system calls made to the kernel of the device. This failure could allow the attacker to overwrite arbitrary portions of user or kernel space memory.
The following Cisco Unified IP Phone devices are affected:
  • Cisco Unified IP Phone 7975G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7965G
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7942G
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7931G
  • Cisco Unified IP Phone 7911G
  • Cisco Unified IP Phone 7906
The following models have reached end-of-life (EOL) status (for hardware only):
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone 7970G
  • Cisco Unified IP Phone 7961G
  • Cisco Unified IP Phone 7961G-GE
  • Cisco Unified IP Phone 7941G
  • Cisco Unified IP Phone 7941G-GE
  • Cisco Unified IP Phone 7906
Refer to the following link to determine what product upgrade and substitution options are available: http://www.cisco.com/en/US/products/hw/phones/ps379/prodeolnotices_list.html
Conditions: Cisco Unified IP Phones within the 7900 Series running a version of Cisco IP Phone software prior to 9.3.1-ES10 are affected. The fixed software release is expected to be available for customers mid-to-late November 2012.
Workaround: Restrict SSH and CLI access to trusted users only. Administrators may consider leveraging 802.1x device authentication to prevent unauthorized devices or systems from accessing the voice network.
Further Problem Description: This issue was reported to Cisco PSIRT by Ang Cui of Columbia University. Cisco PSIRT would like to thank Ang and his staff for working with Cisco to resolve this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-5445 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/productssecurityvulnerability_policy.html
<End RNE Text>


Source: http://events.ccc.de/congress/2012/Fahrplan/events/5400.en.html

FIX for Oracle Java 7 Security Manager Bypass Vulnerability

Oracle has released a new version of Java that fixes the Oracle Java 7 Security Manager Bypass Vulnerability.

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including
  • Java Platform Standard Edition 7 (Java SE 7)
  • Java SE Development Kit (JDK 7)
  • Java SE Runtime Environment (JRE 7)
All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#625617.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Solution

Install the new version, Java Runtime Environment 7 Update 11.


Source: http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Saturday, January 5, 2013

The consumer does not lose the obligatory 2-year warranty on the device just because the device is flashed

In Europe the consumer does not lose the obligatory 2-year warranty on the device just because the device is flashed.

  • The FSFE Legal team has analysed this issue and the answer, if the consumer bought the device inside the EU, is no.
  • The consumer does not lose the obligatory 2-year warranty on the device just because the device is flashed.
  • "A good test to see if it is the software’s fault is to flash it back with stock firmware/OS and see if the problem persists. If it does, it is not a software-caused problem. If it is not possible to revert it to stock software any more, it is also not a software-caused defect. There are very few hardware defects that are caused by software".

Directive 1999/44/CE dictates[1] that any object meeting certain criteria (incl. telephones, computers, routers etc.) that is sold to a consumer[2] inside the European Union has to carry a warranty from the seller that the device will meet the quality that you would expect for such a device for a period of 2 years.

A telephone is an example of such a device and is an object that comprises many parts, from the case to the screen to the radio, to a mini-computer, to the battery, to the software that runs it. If any of these parts[3] stop working in those 2 years, the seller has to fix or replace them. What is more, these repairs should not cost the consumer a single cent — the seller has to cover the expenses (Directive 1999/44/CE, §3). If the seller has any expenses for returning it to the manufacturer, this is not your problem as a consumer.

If your device becomes defective in the first 6 months, it is presumed that the defect was there all along, so you should not need to prove anything.

If your device becomes defective after the first 6 months, but before 2 years run out, you are still covered. The difference is only that if the defect arises now, the seller can claim that the defect was caused by some action that was triggered by non-normal use of the device[4]. But in order to avoid needing to repair or replace your device, the seller has to prove that your action caused[5] the defect. It is generally recognised by courts that unless there is a sign of abuse of the device, the defect is there because the device was faulty from the beginning. That is just common sense, after all.

So, we finally come to the question of rooting, flashing and changing the software. Unless the seller can prove that modifying the software, rooting your device or flashing it with some other OS or firmware was the cause of the defect, you are still covered for defects during those 2 years. A good test to see if it is the software’s fault is to flash it back with stock firmware/OS and see if the problem persists. If it does, it is not a software-caused problem. If it is not possible to revert it to stock software any more, it is also not a software-caused defect. There are very few hardware defects that are caused by software — e.g. overriding the speaker volume above the safe level could blow the speaker.

Many manufacturers of consumer devices write into their warranties a paragraph stating that by changing the software or “rooting” your device, you void the warranty. You have to understand that in the EU we have a “statutory warranty”, which the seller is compelled by law to offer (Directive 1999/44/CE, §7.1), and a “voluntary warranty”, which the seller or manufacturer can, but does not need to, offer as an additional service to the consumer. Usually the “voluntary warranty” covers a longer period of time or additional accidents not covered by law[6]. If, though, the seller, the manufacturer or anyone else offers a “voluntary warranty”, they are bound to it as well!

So, even if by any chance your “voluntary warranty” got voided, under European law you should still have the 2-year “compulsory warranty” as it is described in the Directive and which is the topic of this article.

In case the seller refuses your right to have the device repaired or replaced, you can sue them in civil litigation and report the incident to the national authority. In many European countries such action does not even require hiring a lawyer and is most of the time handled by consumer associations.

The warranty under this Directive is only applicable inside the European Union and only if you bought the device as a consumer.

[1] EU member states must by now have transposed Directive 1999/44/CE into their national laws, so you should also quote your local law on that topic.

[2] A consumer is a natural person who acts for their own private purposes and not as a professional.

[3] Batteries can be exempt from this and usually carry only a 6-month warranty.

[4] E.g. a defective power button could be caused by spreading marmalade in it or hooking it onto a robot that would continuously press the button every second 24/7 — of course that is not normal or intended use.

[5] Note that correlation is not causation — the defect has to be proven to be caused by your action, not just correlate with it.

[6] E.g. if a device manufacturer guarantees the phone is water- and shock-proof, or a car manufacturer offers 7 years of warranty against rust.



Sources:
  • http://forum.xda-developers.com/showthread.php?t=1998801
  • http://fsfe.org/freesoftware/legal/flashingdevices.fr.html