![Page 1: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/1.jpg)
Hunting PBX
For Vulnerabilities
![Page 2: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/2.jpg)
Sachin WaghSecurity Analyst
Security Intelligence Team @ Symantec
Speaker at Hakon and Geek Street - Infosecurity Europe
Bug Hunter | Penetration Tester
Security Blogger
@tiger_tigerboy
![Page 3: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/3.jpg)
Himanshu MehtaSenior Threat Analysis Engineer
Security Intelligence Team @ Symantec
Speaker at National Cyber Security Conference, Hakon & Geek Street - Infosecurity Europe
Advisory Board Member @EC-Council & Convetit
Bug Hunter | Penetration Tester
@LionHeartRoxx
![Page 4: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/4.jpg)
Content
• What is PBX
• Features
• Searching
• Softphone
• Vulnerabilities
• Mitigations
Hunting PBX for Vulnerabilities
![Page 5: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/5.jpg)
Private Branch Exchange
Hunting PBX for Vulnerabilities
Source:
http://www.cealcomz.co.za
![Page 6: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/6.jpg)
Features
Hunting PBX for Vulnerabilities
• Call Forwarding• Call Transfer• Conference Calls• Automatic Call Delivery (ACD)• Voice Messaging• Call Queue ..etc
![Page 7: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/7.jpg)
Searching
Hunting PBX for Vulnerabilities
![Page 8: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/8.jpg)
Shodan:
Hunting PBX for Vulnerabilities
"NCH Software Axon Virtual PBX“
![Page 9: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/9.jpg)
Call Details Records
Hunting PBX for Vulnerabilities
![Page 10: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/10.jpg)
Censys:
Hunting PBX for Vulnerabilities
"FreePBX Administration“
![Page 11: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/11.jpg)
Censys:
Hunting PBX for Vulnerabilities
"FreePBX Administration“
![Page 12: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/12.jpg)
Hunting PBX for Vulnerabilities
![Page 13: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/13.jpg)
Shodan:
Hunting PBX for Vulnerabilities
“polycom+command+shell“
![Page 14: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/14.jpg)
File Transfer Protocol (FTP)
Hunting PBX for Vulnerabilities
![Page 15: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/15.jpg)
Call Details Records
Hunting PBX for Vulnerabilities
![Page 16: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/16.jpg)
Server Message Block (smb)
Hunting PBX for Vulnerabilities
![Page 17: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/17.jpg)
Server Message Block (smb)
Hunting PBX for Vulnerabilities
![Page 18: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/18.jpg)
Shodan:
Hunting PBX for Vulnerabilities
“port:23 console gateway -password“
![Page 19: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/19.jpg)
Softphone
Hunting PBX for Vulnerabilities
![Page 20: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/20.jpg)
Vulnerabilities
Hunting PBX for Vulnerabilities
![Page 21: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/21.jpg)
TRIXBOX
Hunting PBX for Vulnerabilities
![Page 22: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/22.jpg)
Blind OS Command Injection
Hunting PBX for Vulnerabilities
I AM NOT BLIND I’VE JUST SEEN ENOUGH
![Page 23: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/23.jpg)
Hunting PBX for Vulnerabilities
![Page 24: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/24.jpg)
Blind OS Command Injection [DEMO]
Hunting PBX for Vulnerabilities CVE-2017-14535
![Page 25: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/25.jpg)
Path Traversal
Hunting PBX for Vulnerabilities
![Page 26: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/26.jpg)
Hunting PBX for Vulnerabilities
Path Traversal [DEMO]
CVE-2017-14537
![Page 27: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/27.jpg)
Hunting PBX for Vulnerabilities
Path Traversal [DEMO]
CVE-2017-14537
![Page 28: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/28.jpg)
Cross-site Scripting
Hunting PBX for Vulnerabilities
source:gif-finder.com
![Page 29: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/29.jpg)
Hunting PBX for Vulnerabilities
Cross-site Scripting [DEMO]
CVE-2017-14536
![Page 30: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/30.jpg)
AXON
Hunting PBX for Vulnerabilities
![Page 31: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/31.jpg)
Hunting PBX for Vulnerabilities
Cross-site Scripting [DEMO]
CVE-2018-11552
![Page 32: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/32.jpg)
Local Code Execution
Hunting PBX for Vulnerabilities
![Page 33: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/33.jpg)
Hunting PBX for Vulnerabilities
Local Code Execution [DEMO]
CVE-2018-11551
![Page 34: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/34.jpg)
Hunting PBX for Vulnerabilities
![Page 35: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/35.jpg)
Hunting PBX for Vulnerabilities
Local Code Execution [DEMO]
CVE-2018-11551
![Page 36: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/36.jpg)
Hunting PBX for Vulnerabilities
![Page 37: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/37.jpg)
Mitigations
POLICIES AND PROCEDURES :
SECURITY TRAINING
PASSWORD POLICY
INCIDENT RESPONSE PROCEDURE
OS LEVEL SECURITY :
PATCHES
APPLICATIONS AND SERVICES
PRIVILEGES
Hunting PBX for Vulnerabilities
![Page 38: Hunting PBX For Vulnerabilities - Hack In Paris...Blind OS Command Injection Hunting PBX for Vulnerabilities I AM NOT BLIND I’VE JUST SEEN ENOUGH Hunting PBX for Vulnerabilities](https://reader033.vdocuments.mx/reader033/viewer/2022042804/5f55af23dbe37c478771eb77/html5/thumbnails/38.jpg)
Thank
You
Hunting PBX for Vulnerabilities