Security Solution P1 Telecom Fuzzer (PTF)


© 2014 – P1 Security, All Rights Reserved – 0113.1.2 1

Security Solution

P1 Telecom Fuzzer (PTF)

SS7, LTE, CDMA, GTP, Proprietary OAM, Megaco, ...


P1 Telecom Fuzzer

• A Fuzzer specific to Telecom protocols

• Goes deeper into telco layers

– E.g. fuzzing an HLR request (IMSI) with correct underlying layers (M3UA, SCCP, TCAP)

– E.g. fuzzing SCCP parameter offsets depending on the SCCP message type

– E.g. aware of protocol state machines

• Compatible with a wide range of Network Elements from multiple vendors

• Discovered numerous vulnerabilities already in Critical Core Network Elements

– E.g. SIGTRAN


Overview


Tested Network Elements

Network Element Type | Brand / Model

HLR/HSS | NSN NT-HLR, Apertio OneHLR/OneNDS, Ericsson HLR

MSC, MSS, MGW | Huawei MSoftX3000, Huawei UMG8900, Ericsson MSS R5.0, R5.1

STP | NSN HiS700, Huawei SG7000, Tekelec Eagle, Cisco ITP

MME | Cisco

eNodeB | Huawei

SGW/PGW | Cisco

OSS | NSN

AGW, AGCF | Huawei, NSN


Interconnection

• PTF directly interconnects to the Network Element you are auditing

• Or it can be interconnected through an STP / IP Router


PTF Deployment: Virtual Appliance

• VM based

– Oracle VirtualBox or VMware

– Deployed in the operator's private cloud

• Wiring of network interfaces

– Done on the physical host

• Signaling link (IP, SCTP, SIGTRAN) to the audited NE

• OAM link for management


Demo


Running the fuzzer


Fuzzing options


Fuzzing options (PTF corpus)


Fuzzing options (User PCAP)


Fuzzing options (User payload)



Fuzzing in progress


Fuzzing Report


Fuzzing Report > Results


Fuzzing Report > Results details


Sample of vulnerabilities

• Discovered by PTF

• Analysed and evaluated by P1 Security Team

• Now in P1 Security VKB

Vulnerability description | Risk | P1 VID

Ulticom Signalware malformed M3UA log flooding | Medium | P1VID#799

Diameter processing crashes on HSS | High | P1VID#718

NSN Telecommunication Service Platform MAP bug | High | P1VID#772

Ulticom Signalware SS7 SCCP stack vulnerability leads to DoS of all SIGTRAN interconnections | High | P1VID#773


Example: Ulticom Signalware SCCP stack bug, P1VID#773

Bug type: NULL pointer dereference in a userland binary

Details: During MSU decoding, the Signalware kernel module forwards an invalid SCCP message to userland.

The userland binary checks the MSU incorrectly and attempts to access deeper into the payload. It dereferences a pointer that has been set to NULL in the IPC structure used for kernel-userland communication.

The userland program crashes; on NSN products it creates a core dump in /TspCore/ if instrumentation is correctly configured.

Impact: After 2 crashes, Ulticom Signalware shuts down and all SS7 links are dropped.

After 2 minutes the TSP framework restarts the interconnections.

Not exploitable to execute code remotely.

Total downtime of all SIGTRAN interconnections: 2 minutes, +/- 1 min depending on the environment.

If the attack is repeated, all interconnections stay down for the duration of the attack.
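The failure mode above (a userland decoder trusting the MSU handed up from the kernel and reading deeper than it validated) is exactly the pointer/offset layout of SCCP messages that PTF mutates. As an added illustration, not P1 Security's or Ulticom's code, here is a bounds-checked decoder for an SCCP UDT (Unitdata) message per ITU-T Q.713, using an assumed, simplified IPC record and constructed sample MSUs; every offset and the payload pointer are validated before they are followed.

```c
#include <stddef.h>
#include <stdint.h>
#define SCCP_UDT 0x09
/* Assumed, simplified kernel-to-userland IPC record (not a real Signalware
 * structure): the payload pointer may be NULL when the kernel side failed. */
struct msu_ipc { const uint8_t *payload; size_t len; };
struct sccp_param { const uint8_t *data; size_t len; };
struct sccp_udt { uint8_t proto_class; struct sccp_param called, calling, data; };

/* Resolve one Q.713 variable-length parameter: the pointer byte at ptr_pos
 * holds an offset relative to its own position; the byte it points at is the
 * parameter length, followed by that many bytes. 0 only if fully in-buffer. */
static int sccp_get_param(const uint8_t *b, size_t n, size_t ptr_pos,
                          struct sccp_param *out)
{
    if (ptr_pos >= n) return -1;
    size_t start = ptr_pos + b[ptr_pos];
    if (start >= n) return -1;            /* length byte outside the MSU */
    size_t plen = b[start];
    if (plen > n - start - 1) return -1;  /* body would run past the end */
    out->data = b + start + 1;
    out->len = plen;
    return 0;
}
/* Decode a UDT. A NULL payload, short MSU, other message type or bad offset
 * is rejected instead of being followed into memory. */
int sccp_decode_udt(const struct msu_ipc *msu, struct sccp_udt *out)
{
    if (msu == NULL || msu->payload == NULL || msu->len < 5) return -1;
    const uint8_t *b = msu->payload;
    if (b[0] != SCCP_UDT) return -1;      /* offsets depend on message type */
    out->proto_class = b[1];
    if (sccp_get_param(b, msu->len, 2, &out->called) ||
        sccp_get_param(b, msu->len, 3, &out->calling) ||
        sccp_get_param(b, msu->len, 4, &out->data))
        return -1;
    return 0;
}
/* Wrapper: length of the user-data parameter, or -1 if the MSU is rejected. */
int sccp_udt_data_len(const uint8_t *payload, size_t len)
{
    struct msu_ipc msu = { payload, len };
    struct sccp_udt udt;
    return sccp_decode_udt(&msu, &udt) == 0 ? (int)udt.data.len : -1;
}
/* Constructed samples: a well-formed UDT, and the same with its data pointer out of range. */
const uint8_t SAMPLE_UDT[] = { 0x09,0x00,0x03,0x05,0x07, 0x02,0x43,0x01,
                               0x02,0x43,0x02, 0x03,0xAA,0xBB,0xCC };
const uint8_t SAMPLE_BAD_PTR[] = { 0x09,0x00,0x03,0x05,0x7F, 0x02,0x43,0x01,
                                   0x02,0x43,0x02, 0x03,0xAA,0xBB,0xCC };
```

Truncating SAMPLE_UDT (for example passing a length of 12) is rejected as well, since the data parameter's declared length no longer fits inside the buffer.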


P1 Telecom Fuzzer

• Validate your Network Elements before deploying in production – Reduce downtime

• Evaluate the impact of vendor updates – Know your infrastructure

• Unique Telecom-specific robustness assessment – Made for validation of Telecom Network Elements and Signaling stacks


P1 Telecom Fuzzer

Contact us to start your eval/pilot project

or Product Security Research

[email protected]