Outstanding Communications Solutions. Root Canal. A new class of SS7 vulnerabilities


Agenda
- SS7: vulnerable by design
  - Acknowledged signalling vulnerabilities
  - The root problem
- Mitigation: the signaling band-aid
- A new class of SS7 vulnerabilities
  - Malformed packets
  - Prerequisites
  - Attacking and tunneling
  - Multi-stage exploit
  - Proposed mitigation and limits

Introduction: Presenter
- Fredrik Söderlund, Symsoft
- Software and Systems Security Advisor
- Background in reverse engineering, debug tools development and telecom security
- Security researcher and contributor to the GSMA CVD program
- Worked on multiple SS7 firewall designs, both for SMS and full-spectrum SS7

Introduction: Symsoft
- CLX Communications
- Communications solutions for operators
- 75+ mobile operator customers, 1000+ enterprise customers
- IoT and MVNO platforms, fraud & security, real-time BSS, value added services

SS7 Vulnerable by design: Signaling vulnerabilities

Acknowledged vulnerabilities: signaling based attacks
- Location tracking (ATI, PSI): spying on subscribers or VIPs
- Profile manipulation (ISD, registerSS): fraud, call redirection or denial of service
- Subscriber hijacking, DoS (UL, DSD): eavesdropping, fraud or denial of service

Acknowledged vulnerabilities
- Yes, they are dangerous, costly and indicate that the network is vulnerable
- But they are also perfectly normal, expected functionality of an SS7 network: the network is doing exactly what is intended
- Attacks or misuse?
- These attacks have been known for a long time and were easy to predict.

Acknowledged vulnerabilities: the root problem is always the same
- Subscriber tracking: lack of authentication (who is reading?)
- Profile manipulation: lack of authentication (who is writing?)
- Location update: lack of authentication (who is moving?)

The root problem
- Everyone trusts everyone: if you're on the network, you're a friend
- Anyone can impersonate anyone: if you're on the network, we assume you are who you say you are

Mitigation - The signaling band-aid
- The obvious answer to signaling problems: introduce authentication!
- Let's not do that. Instead we will:
  - Cat 1 - Filter the network edge for unexpected or unwanted operations
  - Cat 2 - Verify fields across stack layers without a 1:1 match of components (CC+NNGT : MCC+MNC)
  - Cat 3 - Verify subscriber location by last known location or plausibility of movement

Mitigation - The signaling band-aid
- In addition to filtering we can also configure our networks better:
  - Whitelist roaming partners and known nodes/peers
  - Introduce home routing
  - Whitelist exceptions based on origin and opcode
- The result is a reasonably secure network
- The signaling band-aid works pretty well

Mitigation - The signaling band-aid: so what is the problem?

A new class of SS7 vulnerabilities: Malformed packets

Well-formed packet

Malformed packet

Malformed packets
- Non-signaling based attacks in malformed packets
- Routable attacks using malformed ASN.1 or SCCP layer data
- Crafted payloads targeting known firmware vulnerable to encoding based attacks
- Sophisticated attacks, most likely using hijacked infrastructure
- Potential attackers include APTs such as nation states or criminal networks

Malformed packets
- Denial of Service
  - Aim is to crash the targeted network element, either to influence network performance or to steer traffic to alternative links where the attacker may have better visibility
  - Methods include, for example: buffer overflows, null pointers, stack depletion, memory corruption, infinite nesting
- Remote Code Execution
  - Aims to take control of the targeted network element in order to exfiltrate data, scan the network, generate traffic, commit fraud or eavesdrop on network traffic or subscribers
  - Methods are the same as for Denial of Service attacks, but with the goal of executing code via a controllable crash
  - Once code execution has been achieved, the attacker is likely to proceed with privilege escalation and full compromise of the network element

Malformed packets
- Compare a normal packet to a letter: a letter flows by country, city, street and finally reaches a person
- In a malformed packet the attacker attempts to interrupt this flow, or even trap it in an infinite loop, and ultimately crash the application

Malformed packets
- Malformed data can also point to sections of code or data outside the actual packet
- Such pointers can redirect the flow and introduce a predictable and reproducible crash of the application

Malformed packets
- Most dangerous is Remote Code Execution
- The predictable crash is exploited to run code
- The code installs a Command & Control server
- The attacker can scan and control the network
- Worst case - the attack is totally transparent

A new class of SS7 vulnerabilities: Prerequisites

Prerequisites: what we need to launch this attack
- A vulnerable ASN.1 parser in the target node
- Some type of UE registered in the target network, to act as a known recipient in the target network
- The ability to send a routable SCCP packet carrying a 500 byte payload

Prerequisites: a vulnerable ASN.1 parser, does it exist?

Prerequisites: getting a handset into the target network should be doable

Prerequisites: sending a 500 byte payload over SS7
- Over M3UA it seems that most nodes accept payloads above 500 bytes without question
- Over MTP3 there is a physical limit of 272 bytes
- This limitation may carry over to M2PA
- This could be a bottleneck...

Prerequisites
- Full length or concatenated SMS are larger than 272 bytes
- They usually consist of an empty TCAP Begin followed by the payload in a TCAP Continue
- Payloads larger than 272 bytes can be sent divided into multiple parts
- This means that SS7 also has ways of passing larger packets to the application layer

Prerequisites
- SCCP UDT (Unitdata) has a size limitation (still well above what an attacker needs)
- If a packet exceeds the size limit of 272 bytes it may be transported over XUDT to accommodate the legacy size limit
- SCCP XUDT (Extended Unitdata) offers fragmentation and can therefore encapsulate larger packets also over MTP3 and M2PA
- Fragmented packets are reassembled on arrival and passed in original form to the application

Prerequisites: we have a method of delivery
- Regular SCCP UDT over M3UA appears to be widely accepted with larger packet sizes
- XUDT over MTP3/M2PA offers a fragmented alternative to overcome the physical barrier of legacy technology

A new class of SS7 vulnerabilities: Attacking and tunneling

Attacking and tunneling: crafting the attack
- We are still subject to some limits with regard to the size of the attack: no hard cap, but an attacker needs to limit the size of the initial infection for a better chance of success
- This means crafting a multi-stage attack
- Characteristics of the ideal MAP operation for initial infection:
  - Spoofable (we don't need the returnResult)
  - Variable size
  - Optional parameters

Attacking and tunneling: MAP reset
- Fits the description
- Spoofable, and contains a variable size hlr-list of IMSIs as an optional parameter

Multi-stage exploit: primary infection
- 500 bytes carried in the optional list parameter of MAP reset
- Trigger the vulnerability, start execution
- Allocate space for hook procedures
- Adjust memory protection of 1 page of code
- Patch the recv function and install hook 1
- Hook 1 filters all incoming SMS traffic towards the attacker UE registered in the target network
- Chunks of executable code are delivered and assembled into the second stage of infection
- When all chunks have been delivered, hook 1 is replaced by hook 2

Multi-stage exploit: secondary infection
- 2000 bytes of PoC code
- Does not need to connect back to the original attacker GT - the primary infection may be spoofed
- Offers the ability to execute commands on the target
- Has the ability to report back to the attacker
- Data is tunneled to the target using MT SMS
- Data is tunneled from the target using MO SMS
- Infection is transparent to the target node and leaves no stains on the file system.

Call flow: multiple stage attack using MAP reset and MT SMS
- Delivers the exploit, installs Command & Control (C2)
- The attacker can proceed to control the network remotely: scan, cross-infect, commit fraud, deny service

Call flow: first stage
- Attacks encoding at the ASN.1 or SCCP layer
- Crashes the MSC in a predictable way
- Installs a hook procedure to filter incoming MT SMS
- Returns control to the application and starts filtering

Call flow: second stage
- The second stage is built using MT SMS
- MT SMS contain the code for C2 in the TPDU User-Data
- The hook detects incoming MT SMS by the known UE IMSI
- Reassembles MT SMS chunks to build the C2 server

Call flow: C2 server acts as the attacker inside the network
- The attacker sends commands using MT SMS
- C2 executes the attacker's commands
- C2 functionality can be extended if required

Multi-stage exploit: alternative methods
- Using SMS leaves CDR records
- Is it possible to build a stealth version to avoid or limit CDR records?
- And what about evading SS7 firewalls?

Multi-stage exploit (stealth version)
- extensionContainers
- privateExtensionList
- Encoding can be vendor specific

Multi-stage exploit (stealth version)
- A sophisticated attacker could use extensionContainers both for the primary attack and for tunneling
- Could use a fake UL from the hook to trigger a stream of ISD from the attacker; ISD can carry extensionContainers
- This could be very difficult to detect
- Vendor specific encoding must either be ignored by the SS7 firewall or blocked by default, so extensions may actually pass through firewalls unfiltered

Multi-stage exploit (stealth version)
- An attacker could also create virtual subscribers on the hijacked MSC to obfuscate and hide tunneled data further
- Generate UL to simulate an inbound roamer registering with the network
- This could also leave limited or no information in CDRs, especially if virtual subscribers are created at random by the attacker

Multi-stage exploit (SMS vs PE)
- MT SMS
  + Easy tunneling, simple encoding and exchange
  + Control of the network node without SS7 connectivity (after the initial hook, everything else can be done from a phone)
  - All communications logged in CDRs, unless the attacker wipes them, if possible
- Private Extensions
  + Possibly better stealth capability
  + May pass through SS7 firewalls as it relies on proprietary data structures
  - More complex encoding and exchange
  - Less bandwidth than SMS tunneling

A new class of SS7 vulnerabilities: Proposed mitigation and limits

Proposed mitigation and limits: Denial of Service protection mechanisms
- Validation of encoding and packet structure
  - ASN.1 validation for the TCAP, MAP and CAP layers
  - Validation of packet size, pointers, nesting levels and adherence to specification
- Parameter validation for SCCP
  - Parameter size/position
  - Flags, bitmasks and format of data, such as invalid structure of parameters or pointers reaching outside the SCCP packet
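The structural checks this slide lists (pointer bounds, parameter sizes, TLV lengths and nesting depth) as a small validator for an SCCP UDT and its BER-encoded TCAP payload, run over constructed sample packets. This is an added example, not the presenter's or Symsoft's code; MAX_DEPTH is an assumed limit, and indefinite-length and multi-octet-tag encodings are rejected as a policy choice of this validator.

```python
UDT, MAX_DEPTH = 0x09, 8        # Q.713 Unitdata message type; TLV nesting depth we tolerate (assumed)
POINTERS = ("called party address", "calling party address", "data")

def walk_ber(buf, start, end, depth=0):
    """Walk BER TLVs in buf[start:end], recursing into constructed ones; raise on any defect."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at offset {start}")
    pos = start
    while pos < end:
        tag_at, tag = pos, buf[pos]
        if (tag & 0x1F) == 0x1F or pos + 1 >= end:   # multi-octet tags are not used by TCAP/MAP
            raise ValueError(f"multi-octet tag or truncated element at offset {tag_at}")
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: low 7 bits give the number of length octets
            n = length & 0x7F               # n == 0 would be the indefinite form, rejected here
            if n == 0 or n > 4 or pos + n > end:
                raise ValueError(f"unsupported or bad length form at offset {tag_at}")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError(f"element at offset {tag_at} claims {length} bytes, {end - pos} remain")
        if tag & 0x20:                      # constructed: the children must fit and parse too
            walk_ber(buf, pos, pos + length, depth + 1)
        pos += length

def validate_sccp_udt(pkt):
    """Return a list of problems; an empty list means the UDT is structurally sound."""
    if len(pkt) < 5 or pkt[0] != UDT:
        return ["not a UDT with the 5-octet fixed part"]
    problems = []
    for i, name in enumerate(POINTERS):
        at = 2 + i                          # the three pointer octets sit at offsets 2, 3 and 4
        start = at + pkt[at]                # a pointer is relative to its own position
        if pkt[at] == 0 or start >= len(pkt):
            problems.append(f"pointer to {name} reaches outside the packet")
            continue
        end = start + 1 + pkt[start]        # variable parameters begin with a length octet
        if end > len(pkt):
            problems.append(f"{name} length {pkt[start]} runs past the end of the packet")
        elif name == "data":
            try:
                walk_ber(pkt, start + 1, end)
            except ValueError as e:
                problems.append(str(e))
    return problems

# Constructed sample: a well-formed 27-octet UDT carrying a TCAP Begin with one Invoke.
GOOD_UDT = bytes.fromhex(
    "09 80 03 05 07"                        # UDT, class 0, pointers to offsets 5, 8 and 11
    "02 42 08" "02 42 06"                   # called / calling party: route on SSN 8 (MSC) / 6 (HLR)
    "0f 62 0d 48 04 00 00 00 01 6c 05 a1 03 02 01 01"  # data: Begin{otid 1, Invoke{id 1}}
)

def nested_udt(levels):
    """GOOD_UDT with its data swapped for `levels` constructed TLVs wrapped around one INTEGER."""
    inner = b"\x02\x01\x01"
    for _ in range(levels):
        inner = bytes([0xA1, len(inner)]) + inner
    return GOOD_UDT[:11] + bytes([len(inner)]) + inner
```

Corrupting a single octet of GOOD_UDT (a pointer, a parameter length, a TLV length) or wrapping the payload in more than MAX_DEPTH constructed tags each yields exactly one named problem, which is what an edge node should log before dropping the message.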

Proposed mitigation and limits: Remote Code Execution protection mechanisms
- Payload size monitoring
  - For an attacker to successfully perform an encoding based attack, the initial attack must contain both an exploit part and actual code
  - Some specific SS7 operations, such as MAP reset, can be monitored specifically for abnormal size
- Fragmentation checks (XUDT/XUDTS)
  - Generally, fragmented traffic is very rare and occurs if traffic has passed through E1/TDM type networks or potentially M2PA links
  - Monitor fragmented traffic; if there are spikes it could be an indication that attack testing is being conducted towards the receiving network
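The two monitoring ideas on this slide (a size ceiling per MAP operation, and a baseline for XUDT/XUDTS volume that flags spikes) as a small detector run over constructed sample records; added example, not the presenter's or Symsoft's code. The operation codes follow 3GPP TS 29.002; the 64-byte ceiling for MAP reset, the spike factor, the warm-up period and the record layout are assumptions.

```python
from collections import Counter
from statistics import median

MAP_RESET = 37                  # MAP operation code for reset (3GPP TS 29.002)
XUDT, XUDTS = 0x11, 0x12        # SCCP Extended Unitdata and its service message (the fragmenting forms)
SIZE_LIMITS = {MAP_RESET: 64}   # assumed per-opcode ceiling, in bytes, for the TCAP component
SPIKE_FACTOR = 5                # assumed: a minute is a spike above factor * median of earlier minutes

# Constructed sample records: (minute, sccp_msg_type, map_opcode, component_len, calling_gt)
RECORDS = [
    *[(m, 0x09, 2, 40, "12345600001") for m in range(5) for _ in range(3)],  # updateLocation over UDT
    *[(m, 0x11, 46, 300, "12345600002") for m in range(5)],                  # one fragmented mo-forwardSM per minute
    (2, 0x09, 37, 512, "99999900007"),                                         # MAP reset with a 512-byte component
    *[(3, 0x11, 7, 320, "99999900008") for _ in range(25)],                    # burst of XUDT in minute 3
]

def oversized_operations(records, limits=SIZE_LIMITS):
    """Records whose MAP operation has a size ceiling and whose component exceeds it."""
    return [r for r in records if r[2] in limits and r[3] > limits[r[2]]]

def fragmentation_spikes(records, factor=SPIKE_FACTOR, warmup=3):
    """(minute, count) pairs where XUDT/XUDTS volume exceeds factor * median of all earlier minutes.
    The first `warmup` minutes only build the baseline; the median keeps one spike from raising it."""
    fragmented = Counter(r[0] for r in records if r[1] in (XUDT, XUDTS))
    history, spikes = [], []
    for minute in sorted({r[0] for r in records}):      # minutes with no fragments count as zero
        count = fragmented.get(minute, 0)
        if len(history) >= warmup and count > max(median(history), 1) * factor:
            spikes.append((minute, count))
        history.append(count)
    return spikes

def alerts(records):
    """Findings in the form an SS7 firewall operator would want to read."""
    out = [f"minute {r[0]}: MAP opcode {r[2]} from GT {r[4]} carries a {r[3]}-byte component "
           f"(ceiling {SIZE_LIMITS[r[2]]})" for r in oversized_operations(records)]
    out += [f"minute {m}: {n} fragmented SCCP messages, spike over baseline"
            for m, n in fragmentation_spikes(records)]
    return out
```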

Proposed mitigation and limits: there are limits to what can be protected
- The initial attack could be delivered over any interface that accepts packets above 500 bytes in size, and that could be almost any interface
- The initial attack could arrive over OAM, SIP, HTTP, charging or any proprietary interface on the target SS7 node
- As long as the vulnerability is known, the attack can switch to SS7 tunneling after hook 1 is installed.

Proposed mitigation and limits: reasonable protection can be achieved
- Main responsibility sits with vendors
  - Encourage development of secure parsers
  - Ask the right questions
- Don't assume another node will deal with the problem: the edge/firewall/security GW needs to handle it.

General recommendations
- Enforce ASLR: while not a perfectly reliable protection, Address Space Layout Randomization does make certain attacks more difficult
- Process privilege levels: ensure only the required privileges are granted
- Vendors should be required to perform fuzz tests of critical code
  - Fuzz any code that manages data generated either directly or indirectly from processing signaling traffic
  - Fuzz the network stack and parsers at any routable layer (SCCP and above)
- Monitoring of outbound traffic can help detect if a network element has been compromised
- Consider blocking private extension containers, since they can contain vendor specific proprietary data structures that an SS7 firewall may be unable to inspect

Proof of Concept: demo attack - vulnerable MSC attack simulation

Real World Bonus Content: Please memset

SS7 vs ASLR
- The following capture is from a production environment
- Network specific details have been blacked out
- Illustrates how poorly written encoders can leak information

SS7 vs ASLR: THREE SLIDES FROM THE ORIGINAL PRESENTATION HAVE INTENTIONALLY BEEN REMOVED. THEY ILLUSTRATE A BROKEN ENCODER LEAKING STACK INFORMATION VIA BADLY IMPLEMENTED PADDING OF THE SCCP LAYER

SS7 vs ASLR: poorly written encoder
- Leaves scraps of local variables in the padding
- Can give hints about where modules are loaded
- Can expose the base address of the stack
- An attacker can simply ask for ASLR details: send an invoke to get a returnResult, or trigger ISD; the answer contains fragments of local variables
- Suddenly ASLR isn't R at all

Questions 54