
Fb1h2s aka Rahul Sasi's Blog

Fuzzing DTMF Detection Algorithms.

My ekoparty.org [Argentina] and Nullcon [Delhi] talk, and also Ruxcon [Australia] and BlackHat [Abu Dhabi], which I couldn't make it to.


What is this paper about:

Input validation attacks and memory corruption attacks are common, and a DoS attack on a service like HTTP is considered highly critical given the attack surface and the ease of the attack. If we could trigger an exception in an Apache web server and crash it, that would be a huge loss for corporates and individuals hosting critical applications on these systems.


This paper is on DTMF input processing algorithms [DSP], which are often embedded into PBX, IVR, telephone routers and other devices that process DTMF input. PBX and IVR servers are often deployed to run phone banking application servers, call center applications and other systems that use the phone to interact with them. If an attacker could trigger an exception in the DTMF processing algorithm, they could crash the entire application server with a single phone call, making the entire phone banking service inaccessible, or causing no calls to customer service to go through. One such denial of service could cause a lot of panic, and the amount of damage would be pretty huge.



History of this research:

I did two presentations last year, one explaining security vulnerabilities in IVR applications, mainly explaining logic flaws in CXML|VXML code, and it was not specific to any IVR. These issues were related to coding flaws in CXML|VXML, so any buggy IVR application or IVR server would be affected by those issues.

You can view the research experiments here:
http://www.garage4hackers.com/blogs/...ations%5D-310/

Well, for the VXML attacks the best option for finding bugs is source code auditing; otherwise you will have to do a lot of trial and error to exploit these systems, so without source code the success rate is very poor.
Most of the tests were done on Voxeo IVR, since it was easy to install and manage.

The second paper, which we recently demonstrated at Ekoparty, was on the core DTMF processing algorithms and their implementations. Any application that processes DTMF and can be interacted with directly could possibly be vulnerable to these attacks.

So let me refer to the first attack as the VXML attack and the second one as the DTMF attack.

And for the DTMF attack: if the system handles DTMF tones and you can interact with it directly, you would be able to perform the attacks mentioned below on it.

Fuzzing DTMF Detection Algorithms:


Applications of DTMF:

There are a lot of applications that we use in our day to day life that use DTMF tones as input.
The following are a few of them:

IVR:
- Customer Care Applications
- Phone Banking Applications

PBX [Private Branch Exchange]:
- Telecom Systems
- Voice Mail
- VoIP

Conference Bridges:
- Telephone Routers


For example, the following CXML grammar enables support for DTMF input in an IVR application (the single rule is filled in here so the fragment is a complete grammar):
Code:
<!-- This grammar is specifically for recognizing DTMF. -->
<grammar xml:lang="en-US" root="MYRULE" mode="dtmf">
  <rule id="MYRULE"><one-of><item>1</item><item>2</item><item>3</item></one-of></rule>
</grammar>
Input is Evil
The input to these applications that we control is DTMF, and there has to be a module that converts these tones back to their numeric form. So if we could find a bug in those modules, then technically we would be remotely able to:

[Crash] Shut down customer service apps
Shut down a phone banking service
Shut down a telephone router handling millions of calls.

And having this much power is priceless .

DTMF: Dual Tone Multi Frequency


Original source: DTMF Explained

DTMF stands for Dual Tone Multi Frequency, and it is the basis for your telephone system. DTMF is actually the generic term for Touch-Tone (Touch-Tone is a registered trademark of AT&T). Your touch-tone phone is technically a DTMF generator that produces DTMF tones as you press the buttons.


It's called Dual Tone Multi Frequency because each digit is a combination of two frequencies, a high and a low one.

DTMF Generation and DTMF Detection

DTMF Generation:


When you press the digit 1 on the keypad, you generate the tones 1209 Hz and 697 Hz.

Pressing the digit 2 will generate the tones 1336 Hz and 697 Hz.

It takes two tones to make a digit, and the decoding equipment knows the difference between the 1209 Hz that completes the digit 1 and the 1336 Hz that completes the digit 2.

So the following code shows how it's done; we will get back to this in the fuzzing part later.

Code:
key = {'1','2','3','4','5','6','7','8','9','*','0','#'};
low_frequency  = [697 770 852 941];   % Low frequency group (keypad rows)
high_frequency = [1209 1336 1477];    % High frequency group (keypad columns)
frequency_pair = [];
for row = 1:4,
    for column = 1:3,
        % Each key is one low tone plus one high tone; columns of
        % frequency_pair line up with the entries of key
        frequency_pair = [frequency_pair [low_frequency(row); high_frequency(column)]];
    end
end
fs = 8000;                            % sampling frequency, 8 kHz
t = 0:1/fs:0.1-1/fs;                  % 100 ms of samples per digit
for k = 1:size(frequency_pair, 2),
    tone = sin(2*pi*frequency_pair(1,k)*t) + sin(2*pi*frequency_pair(2,k)*t);
    sound(tone, fs);                  % play the tone for key{k}
end

Here are a couple of implementations of a DTMF generator in PHP and Java:
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums
http://aggemam.dk/scripts/dtmf.phps

So DTMF generation is fairly easy to understand and to code. Remember, all this tone generation used to be done with oscillators at the hardware level, but these days you hardly see any hardware implementation, and the bugs we are referring to are all at the software level.


DTMF Detection

The input signal needs to be processed to recover the DTMF codes. The minimum duration of a DTMF signal defined by the ITU standard is 40 ms; at a sampling frequency of 8 kHz that gives [0.04 x 8000] = 320 samples, and from these samples the tones need to be detected.

The solution is to use a Discrete-Time Fourier Transform. Detection can be done with a bank of filters, or with a bank of filters built on the DFT. Here the Goertzel algorithm is the most widely used DTMF detection algorithm. It computes individual terms of the DFT: 16 samples of the DFT are computed for the 16 tones. For the implementation of Goertzel the following equations are necessary.


[Equation]


In the above equation we need to calculate the constant k.
The value k selects the tone we are trying to detect and is given by:

Code:
k = N * ftone / fs
Where: ftone = frequency of the tone.
fs = sampling frequency.
N is set to 205.
Now we can calculate the value of the coefficient 2cos(2πk/N).


[Content credits: Dr Naim Dahnoun, University of Bristol]


Pseudo code:
Code:
standard_frequency = target_frequency / sample_rate;
coeff = 2 * cos(2 * pi * standard_frequency);
s_prev = 0; s_prev2 = 0;
for each sample x[n]:
    s = x[n] + coeff * s_prev - s_prev2;
    s_prev2 = s_prev;
    s_prev = s;
end
power = s_prev2*s_prev2 + s_prev*s_prev - coeff*s_prev*s_prev2;
A better read on the algorithm can be found here:
https://sites.google.com/site/hobbyd...dtmf-detection

DTMF Detection:



As you must have noticed, a good amount of computation goes into detecting the tones, and almost all systems that detect DTMF have one form or another of the above algorithm embedded in them. Now that we know the algorithm and the input, it is just a matter of time to fuzz one such application.

Input is Evil:

Fuzzing What We Control

1) The Frequency[ftone]
2) The Amplitude
3) Sample Rate [fs]
4) Sample Length
5) Sample Duration
6) Higher Frequency
7) Lower Frequency

The sampling frequency is set to 8 kHz as per the standards, but we can vary this by +-1/2.
Our fuzzer works by varying these controlled values. The original code, a DTMF generator, was written by Christian Schmidt, and we modified it to build our fuzzer.

Code:
//samples per second
$sample_rate = isset($sample_rate) ? intval($sample_rate) : 8000; 

//signal length in milliseconds
$signal_length = isset($signal_length) ? intval($signal_length) : 100; 

//break between signals in milliseconds
$break_length = isset($break_length) ? intval($break_length) : 100;

//pause length in milliseconds - pause character is ','
$pause_length = isset($pause_length) ? intval($pause_length) : 500; 

//amplitude of wave file in the range 0-64
$amplitude = isset($amplitude) ? intval($amplitude) : 64;
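The Goertzel recurrence from the pseudo code above, turned into a complete detector that also guards the inputs the fuzzer varies (sample length, amplitude, frequency). This is an added example, not the post's or Christian Schmidt's code; it assumes the 8 kHz sampling rate and N = 205 block from the post, the constructed make_tone signal stands in for captured audio, and the 10% and 80% energy thresholds are illustrative choices, not values from any standard.

```python
import math

FS = 8000   # sampling frequency in Hz, as in the post (assumed for this example)
N = 205     # Goertzel block length, as in the post
LOW_FREQ = (697, 770, 852, 941)        # low group: keypad rows
HIGH_FREQ = (1209, 1336, 1477)         # high group: keypad columns
KEYPAD = ("123", "456", "789", "*0#")


def goertzel_power(x, ftone):
    """Power of one target tone over the first N samples of x: k = N*ftone/fs
    rounded to a DFT bin, coeff = 2cos(2*pi*k/N), then the post's recurrence."""
    k = round(N * ftone / FS)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / N)
    s_prev = s_prev2 = 0.0
    for n in range(N):
        s = x[n] + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 * s_prev2 + s_prev * s_prev - coeff * s_prev * s_prev2


def dtmf_detect(x, min_power=1.0):
    """Return the detected key, or None when the block must be rejected: shorter
    than N (a caller-supplied length never indexes past the buffer), silence, a
    single tone or heavy twist (one group under 10% of the energy), or noisy /
    off-grid input (best pair under 80% of in-band energy). Thresholds are
    illustrative choices for this example, not values from a standard."""
    if x is None or len(x) < N:
        return None
    lp = [goertzel_power(x, f) for f in LOW_FREQ]
    hp = [goertzel_power(x, f) for f in HIGH_FREQ]
    li = max(range(len(lp)), key=lp.__getitem__)
    hi = max(range(len(hp)), key=hp.__getitem__)
    total = sum(lp) + sum(hp)
    pair = lp[li] + hp[hi]
    if pair < min_power or pair < 0.8 * total:
        return None
    if lp[li] < 0.1 * total or hp[hi] < 0.1 * total:
        return None
    return KEYPAD[li][hi]


def make_tone(f_low, f_high, amplitude=1.0, length=N):
    """Constructed test signal (not captured audio): two sinusoids sampled at FS."""
    return [amplitude * (math.sin(2 * math.pi * f_low * n / FS)
                         + math.sin(2 * math.pi * f_high * n / FS))
            for n in range(length)]
```

A block that is too short, silent, single-tone or off the keypad grid comes back as None rather than a guessed digit, which is the behaviour to check for when a detector is fed the varied sample lengths, amplitudes and frequencies listed above.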
Test Case 1:

The example video shows a huge amount of CPU usage by the detection program when fed by our fuzzer. Note that the input is via the audio input source [mic].
We tested the fuzzer on the following program, and the video below is of that one: http://www.phrack.org/issues.html?issue=50&id=13

And for some reason there was an issue with the audio.


Now imagine the many applications that have an implementation of this algorithm; since we have user-controlled input, I believe it would be fairly easy to attack these devices.

I have had a remote crash as well [not exploitable]. The mod_security of this server is not allowing me to add code here; I will later make a Git repo and add the fuzzer there.
Cheers.

CXML/VXML Auditing for IVR Pentesters:

Fuzzing DTMF Detection Algorithm, Nullcon Delhi:
Video from Nullcon Delhi:

References:

Dual-Tone Multi-Frequency (DTMF) Signal Detection - MATLAB & Simulink Example - MathWorks India
https://docs.google.com/viewer?a=v&q...VttTswK3G0Y5-w
Dual Tone Multi-Frequency (DTMF) Detection
PHP dtmf generator - Old Skool Phreaking - Binary Revolution Forums

Couple of DTMF decoder codes for testing:
https://docs.google.com/viewer?a=v&p...OGY5NWJmYmYyZA
http://www.codeforge.com/article/77096
http://www.phrack.org/issues.html?issue=50&id=13

Comments

  1. sean:
    Hi Rahul,

    Really enjoyed your paper, "How I DOS'ed My Bank." My understanding of DTMF and DTMF decoding engines is very limited but I am interested in learning more about DTMF and IVR technologies. The idea of controlling software by transmitting sounds really appeals to my musical side!

    I read that it was possible to send binary data via DTMF signals (Dual-tone multi-frequency signaling - Wikipedia, the free encyclopedia) where each key on the touchpad would represent a nibble of data.

    For instance:
    (DTMF Signal)"5C 78 64 65" -> (Hex Representation)"\xDE"
    (DTMF Signal)"5C 78 41 64" -> (Hex Representation)"\xAD"
    (DTMF Signal)"5C 78 42 65" -> (Hex Representation)"\xBE"
    (DTMF Signal)"5C 78 65 66" -> (Hex Representation)"\xEF"

    Based on your research, does transmitting a stream of nibbles in the form of DTMF signals seem like a feasible avenue towards remote code execution on a vulnerable IVR system?

    -Sean
  2. fb1h2s:
    @sean that was very helpful, will look into this and update sometime soon.

    Cheers
