Slide 1
Slide 1
Slide 1
Slide 1
Slide 1
Slide 1

PRESENTATION MATERIALS

PHOTOS / VIDEOS

Official conference photos and HD videos will be made available in the next 2-3 weeks. Please follow @hitbsecconf on Twitter for links or join our Facebook Group

Rahul Sasi (Info Security Researcher, iSIGHT Partners)

PRESENTATION TITLE: CXML/VXML Auditing for IVR Pentesters and PCI/DSS Consultants

PRESENTATION ABSTRACT:

CXML and VXML languages are used to power IVR applications. IVR systems are often seen in Phone Banking , Call Center applications, and other auto attendent systems. These devices are connected to internal networks and data bases. The input to these devices are via DTMF and Voice inputs, and all the processed data are read out by the system. So any sort of errors triggered by an attacker internally would be read out by these machines and there are a lot of possible attacks on these systems leading to Internal Network security compromise. The easiest way to find these bugs are by doing a source code audit on these applications. This talk will demonstrate buggy CXML and VXML programs and security issues.

IVR (Interactive Voice Response) System:

IVR systems allow a computer to interact with a human via voice and DTMF keypad Inputs. IVR allows a customer to interact with a company database via keypad or by speech recognition. The procedure is simple, the customer dials in a number via his phone, and he gets connected to the IVR system which is running on the company server. Based on the customers input via keypad (DTMF) and Voice response the IVR system performs the operations. IVR systems are capable from querying the InternalData base to Performing OS related task and many other based on the implementations.

Interactive Voice response systems are implemented in various places like Phone Banking, Tele Voting,Voice Mail, Customer Support, Automobile hands free operation etc. The paper would address security Issues concerning IVR machine in common using Phone Banking implementation for demo exploitation purpose.

Hacking IVR Systems

These systems are considered secured because they are not connected to Internet and as they use a Peer to Peer GSM, CDMA, Wired Telephone line for transactions. And even though these systems come under the scope of security audits, no relevant tool is there for auditing. These systems have access to internal database and stuff, but no firewall is out there capable of monitoring this “telephone line” traffic. We came across many security issues including Input validation and Logic flaws in IVR systems.

Input Validation Attacks

Input validation attacks would be the one class of Remote attacks we would be demonstrating on these systems, but the issue is that since DTMF keypad tones are the input source to these device and that DTMF signals could only carry 0-9, A-D and +#* characters many input validation attacks would flop.There comes the chance of attacking these machines using Voice Data, since we would be able to convert our payload into voice data and transmit it over to the machine thereby overcoming DTMF limitation. So we would be able to launch attacks via telephone lines using the above methodologies.

Logical Flows in Implementations

Many systems we came across depend on spoof-able sources like caller ID and didn’t have protection against automated attacks. There were a serious of other bugs; possible occurred by misassumption of programmers likely considering IVR systems to be untampered. We will be demonstrating a real world Scenario of a responsibly disclosed Phone Banking bug that made it possible to extract Bank Users ATM pin and account balance information.

ABOUT RAHUL SASI

Rahul is working as an Info Security Researcher for iSIGHT partners. He has responsibly disclosed vulnerabilities/Bugs to Google, Apache, Banking sectors and many IT giants. Rahul has topped many CTF contests and speaker conducted by Verisign, HITB, NUll, OWASP, and has talked and authored articles at BlackHat EU(2012), Nullcon(2011,2012),C0c0n(2011),Clubhack etc. His work could be found at www.Garage4Hackers.com

Okura Hotel Amsterdam
Ferdinand Bolstraat 333, 1072 LH Amsterdam,
The Netherlands

1-Day Intensive Training Sessions – 21st of May / 0900 – 1800

 

SPECIAL OPS 1  - WIRELESS SECURITY KUNGF00

SPECIAL OPS 2  – THE ART OF EXPLOITING SQL INJECTION FLAWS

SPECIAL OPS 3 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE



2-Day Hands on Training Sessions – 22nd – 23rd of May / 0900 – 1800

TECH TRAINING 1  – HUNTING WEB ATTACKERS

TECH TRAINING 2  – ADVANCED LINUX EXPLOITATION METHODS

TECH TRAINING 3  - ADVANCED APPLICATION HACKING – ATTACKS, EXPLOITS & DEFENSE

 

 



3-Day Hands on Training Sessions – 21st, 22nd & 23rd of May / 0900 – 1800

TECH TRAINING 4  – THE EXPLOIT LABORATORY: ADVANCED EDITION




QUAD TRACK CONFERENCE – 24th & 25th of May / 0900 – 1800

Featuring keynotes by BRUCE SCHNEIER and ANDY ELLIS



EVENT ORGANIZER

LOCAL PARTNER

PLATINUM SPONSORS

GOLD SPONSORS

TITANIUM SPONSOR (POST CONFERENCE RECEPTION + SPEAKER RECEPTION)

SILVER SPONSOR

HACKWEEKDAY SPONSOR

ALCO_PWN SPONSOR (POST CONFERENCE RECEPTION)

HITB LAB / SIGINT SPONSOR

NETWORK SPONSORS AND UPLINK

ADDITIONAL SUPPORT BY

SUPPORTING MEDIA

FRIENDS OF HITB

Copyright © 2012 Hack In The Box | http://www.hackinthebox.org

( / 10 )