Cisco 7940 HTTP File Error, Cookies and Laravel

The legacy 7940’s have not had SCCP firmware released in a good number of years, and recently I’ve come across a bug in the latest version.

When running a custom XML service hosted on an external webserver, such as a weather script or similar, the phone will display HTTP File Error if you push any cookie to it.

In my specific scenario my Laravel 5.3 was returning both a laravel_session and an XSRF-TOKEN cookie for every HTTP GET. Every time the phone requested the service, these cookies would be returned and the phone would display the error. Interestingly, newer model phones like the 8945 and 9951’s don’t have an issue at all.

These cookies are very much needed for modern web security, however for a simple XML page, these are definitely not needed. There are provisions built into Laravel 5 for disabling CSRF protection in the VerifyCsrfToken middleware, however, these only stop the verification of CSRF tokens, not the setting of the XSRF token – as can be seen here: https://laracasts.com/discuss/channels/laravel/excluding-uri-from-csfr-protection-not-working?page=1

After a lot of trial and error manipulating different parts of the middleware kernel, route groups, drivers etc, I’ve settled on this modification to the VerifyCsrfToken middleware. This modification now means that any request that matches the URI defined in the $except array is excepted from CSRF checks and sets neither the laravel_session cookie nor the XSRF-TOKEN cookie. Anything that does not match the URI gets the XSRF-TOKEN generated and continues with the default driver, meaning that the laravel_session cookie gets built. The only thing that I do not like about this method is that I had to copy the Cookie() functionality from addCookieToResponse from the original VerifyCsrfToken in vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware. This carries the possibility that the logic behind creating the cookie will be changed in the future and that my function won’t be up to date – but for now it works well. Below is my VerifyCsrfToken code.


<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Cookie;
use Carbon\Carbon;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        'services/phone/ip'
    ];

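    protected function addCookieToResponse($request, $response)
    {
        $config = config('session');

        // Check every excluded URI, not just the first entry in $except.
        foreach ($this->except as $except) {
            if (Str::is($except, $request->path())) {
                // Switching to the array driver stops the laravel_session
                // cookie being sent; no XSRF-TOKEN cookie is added either.
                \Config::set('session.driver', 'array');
                return $response;
            }
        }

        // All other URIs: set XSRF-TOKEN as the framework's own
        // addCookieToResponse() does and keep the default session driver.
        $response->headers->setCookie(
            new Cookie(
                'XSRF-TOKEN', $request->session()->token(), Carbon::now()->getTimestamp() + 60 * $config['lifetime'],
                $config['path'], $config['domain'], $config['secure'], false
            )
        );

        return $response;
    }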
}


If anyone knows of a better way to include the cookie generation inside of the middleware hit me up! For reference these links provided lots of insight.

https://laracasts.com/discuss/channels/laravel/excluding-uri-from-csfr-protection-not-working?page=1

https://laracasts.com/discuss/channels/laravel/verifycsrftoken-except-subdomain?page=1

https://laracasts.com/discuss/channels/general-discussion/l5-disable-csrf-middleware-on-certain-routes?page=1

https://laracasts.com/discuss/channels/general-discussion/l5-avoiding-csrf-middleware-on-api-post-routes?page=2

https://stackoverflow.com/questions/28624807/disable-cookie-header-when-responding-json

 

Set Default Startup MC Directories

I use unRAID to manage my datasets at home and constantly need to move files around. MC is definitely the easiest to work with on unRAID; however, it is very annoying to have to navigate through to your directories every time you launch the app.

I couldn’t find an option to set this in the options so I added this to my bash_profile instead. A bit hackish but works perfectly.

nano /root/.bash_profile
alias mc="/usr/bin/mc /mnt/user/YOURLEFTPANELDIRECTORY /mnt/user/YOURRIGHTPANELDIRECTORY"

Save this then log out of your SSH session and back in 🙂

CCM9 RIS WSDL in PHP

I recently spent a lot of time trying to pull out the IP address of a handset registered to a CUCM9 cluster via AXL. It turns out the standard AXL response doesn’t include this information as it’s handled by the RIS service.

I had some luck with getting the RisPort WSDL working inside PHP but couldn’t return specific queries; everything I tried returned the first 1000 devices listed on the cluster.

I came across some varying info from Cisco regarding RIS.

From: https://developer.cisco.com/site/sxml/documents/api-reference/risport/#overview

The RisPort WSDL is deprecated. Use the RisPort70 WSDL.

I tried to use the RisPort70 from my CCM’s RIS page but PHP complained that it wasn’t able to interpret the WSDL. Then I came across this, stating that the WSDL RPCs were being deprecated and replaced with doc/literal: http://solutionpartnerdashboard.cisco.com/web/sxml-developer/get-wsdl

Beginning in 9.0, the Serviceability XML WSDLs are available in both remote procedure call (RPC) encoded and doc/literal style formats.

Developers should migrate to the doc/literal style WSDL as soon as possible. Cisco plans to deprecate the rpc-encoded WSDL in Unified CM 11.0(1).

It stated that the RisPort70 RPC could be found at: https://servername:8443/realtimeservice/services/RisPort70?wsdl whilst the RisPort70 doc/literal could be found at https://ServerName:8443/realtimeservice2/services/RISService70?wsdl. I could hit the RISService70 even though the RIS page on my CCM didn’t list it. There was no small menu like in normal RIS – the page just returned the WSDL. Good enough for me.

After hacking around with the RISService70 and trying different approaches in CCM I finally got my PHP working. My PHP script now searches all clusters for a device registered with an IP address that I specify and returns the structure in an array that I can parse manually with PHP and then operate on.

// Connect to the doc/literal RIS service (replace host and credentials).
$soapClientRIS70 = new SoapClient("https://YOURCCMHERE:8443/realtimeservice2/services/RISService70?wsdl",
    array('trace' => true,
        'exceptions' => true,
        'location' => "https://YOURCCMHERE:8443/realtimeservice2/services/RISService70?wsdl",
        'login' => 'youruserhere',
        'password' => 'yourpwdhere',
    ));

// Select registered devices by IPv4 address.
$soap_response = $soapClientRIS70->SelectCmDevice(array(
    "StateInfo" => "",
    "CmSelectionCriteria" => array(
        "NodeName" => "", "Status" => "Registered", "SelectBy" => "IPV4Address",
        "SelectItems" => array("item" => array("Item" => "DEVICEIPADDRESSHERE")),
    ),
));

print_r($soap_response);

From there the Cisco RIS API documentation should provide you with everything else you need: https://developer.cisco.com/site/sxml/documents/api-reference/risport/#overview

I hope that this will be portable into CCM11 but I’m guessing that the WSDL will be updated – hopefully no structure will change, but some better error responses would be nice.

I hope that this serves to save someone the time that I spent trying to work this out…

A Busy Few Days in InfoSec

It has been a busy few days in the infosec environment with a number of different articles and patches. This is just the latest collision in society’s ever-challenging ecology of digital information ownership.

OpenSSL

OpenSSL have pushed 7 new patches to different versions of their packages from Low to Moderate severities in their Security Advisory 11/6. For anyone up to date (you did patch for Heartbleed right?) with the OpenSSL packages, the latest 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg contain the majority of the fixes.

https://www.openssl.org/news/secadv_20150611.txt

Kaspersky

Kaspersky have released information at a press conference detailing that their network was attacked by what they have dubbed Duqu 2.0. As Eugene stated:

“It’s almost a mix of Alien, Terminator and Predator, in terms of Hollywood,”

Duqu 2.0 looks to be the next generation Duqu which had clear ties to 2010’s Stuxnet and we all know the outcome of that story. It used 3 zero days to gain entry and once the machines were compromised resided completely in RAM and wrote no files to the disk or registry. Machines that were powered off were reinfected once they were booted by other machines that were also compromised.

“To get rid of [the] malware, it’s very simple — turn off all computers in network for half an hour, then the system will be clean.”

http://www.tomsguide.com/us/kaspersky-hack-israel-nsa,news-21084.html

Westnet

Westnet was an Australian ISP that was bought by iiNet in 2008. iiNet is now one of Australia’s largest ISPs and has a steadily growing userbase. A legacy Westnet system was owned with the hacker claiming access to 30,827 customer details.

http://www.watoday.com.au/digital-life/consumer-security/more-than-30000-iinet-customer-passwords-hacked-20150609-ghjmo2

Australia Set To Block Websites

Continuing with news from .au, a bipartisan report into proposed legislation to force Australian ISPs to block access to websites linked with piracy recommends the bill be passed. This paves the way for the parliament to pass the bill into law.

The bill will allow copyright holders to apply for a federal court order that will force ISPs to block customers accessing international websites serving pirated material.

http://www.computerworld.com.au/article/577223/bill-block-pirate-websites-gets-tick-approval/

This is adding to the story in Australia where there is a lot of movement in piracy and the protection of customers’ privacy rights.

http://www.smh.com.au/federal-politics/political-opinion/conroy-will-be-censoring-people-not-the-internet-20091217-kzxl.html

http://www.abc.net.au/news/2012-11-09/government-abandons-plans-for-internet-filter/4362354

http://blog.iinet.net.au/iinet-wins-copyright-battle/

http://www.theaustralian.com.au/business/latest/iinet-embroiled-in-fresh-piracy-court-battle/story-e6frg90f-1227099582270

http://www.afr.com/business/legal/dallas-buyers-club-wins-first-round-in-iinet-case-20150407-1mfqi1

UK Stingray Towers

Sky News has come across 20 rogue IMSI Stingray mobile towers around London that can be used to eavesdrop on mobile users. There’s a bit of toing and froing with the government departments in “I can neither confirm nor deny” type statements.

However, the most interesting thing from the article is:

“Some of what we would like to talk about to get the debate informed and logical, we can’t, because it would defeat the purpose of having the tactics in the first place. Frankly, some of what we need to do is intrusive, it is uncomfortable, and the important thing is we set that out openly and recognise there are difficult choices to be made.”

This seems to be the trend at the minute with society wanting to know more about their privacy rights in specific scenarios but departments not able to divulge information as it negates the premise of intelligence gathering. We are left in this awkward space of needing to trust government agencies, oversight committees or the government itself. Which brings us to the next article.

http://www.independent.co.uk/news/uk/home-news/fake-mobile-phone-towers-found-to-be-actively-listening-in-on-calls-in-uk-10311525.html

White House Legally Requests FISA Ignore Ruling Making Bulk Surveillance Illegal

  1. The Second Circuit Court of Appeals ruled bulk collection of telephone metadata is unlawful. – http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-data-collection-illegal/
  2. The Obama Administration makes a legal request to the Foreign Intelligence Surveillance court (FIS) to ignore the ruling. – http://www.theguardian.com/world/2015/jun/09/obama-fisa-court-surveillance-phone-records

There are a lot of moving parts with this issue, including that the FIS isn’t bound by the Second Circuit’s ruling and that the Administration claims it’s doing so to easily move towards the beginning of the USA Freedom Act.

In any case it gives an indication (especially in policy) of the struggles with privacy rights and the gathering of information.

Please Don’t Compromise Our Encryption

Two different industry bodies (The Information Technology Industry Council and the Software and Information Industry Association) which represent a number of big players including Apple, Google, Facebook, IBM and Microsoft have directed a letter to President Obama and the FBI Director stating that they “are opposed to any policy actions or measures that would undermine encryption as an available and effective tool.”

This comes after debates over whether Congress will pass legislation to allow law enforcement to bypass encryption methods.

http://www.reuters.com/article/2015/06/09/us-cybersecurity-usa-encryption-idUSKBN0OP09R20150609

 

A New Change

Well, I’ve noticed over the last while that this blog is suffering from some major attrition from real life. Information and network security is so fast moving and requires a lot of technical depth and time spent on it that I don’t have the time to continually post things here. In fact the trend of recent posts has not been security focused but more of a general IT focus.

The time has come for a change where I will include anything IRL or !IRL for my own amusement.

The Most Redundant Error In The World

Whilst trying to upgrade from Cisco VSM 7.0 to 7.2 via the VSMC yesterday I received this error code.

File upload failed..{"status":{"errorType":"SUCCESS"}}

Well done Cisco, well done. You have created the most redundant error code in the history of your shitty output.

As a note for anyone who comes across this, you only see this error whilst trying to upgrade via Chrome, the upgrade works perfectly from IE.

Fixing ISPConfig3 MySQL Backup

I have been playing with ISPConfig3 for the last few months. Apart from being highly surprised by such a complete free offering, the MySQL backup has never worked for me. Web backup would work but the sql.gz would show 0 or a very small number of bytes, resulting in no backup.

After playing with the script in /usr/local/ispconfig/server/cron_daily.php I found that the script sanitizes input from /usr/local/ispconfig/server/lib/mysql_clientdb.conf before passing the details over to mysqldump.

The script sanitizes input with the PHP function escapeshellcmd: http://php.net/manual/en/function.escapeshellcmd.php

From the manual, the function will escape all input with #&;`|*?~<>^()[]{}$\, \x0A, \xFF and unpaired ‘ and “. This means that if we have any of these characters in our username or password the script will sanitize the input before throwing it to commandline which essentially breaks our backup process.

This sanitization is fine if you’re expecting input from an end user, but this is our root password using a string stored in a text file. Apart from some type of remote rewrite of the file and waiting for cron_daily.php to be executed hoping for a break on the commandline, I’m pretty sure this file is ok to edit.

The line is at 892 of /usr/local/ispconfig/server/cron_daily.php and reads

$command = "mysqldump -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".escapeshellcmd($clientdb_password)."' -c --add-drop-table --create-options --quick --result-file='".$db_backup_dir.'/'.$db_backup_file."' '".$db_name."'";

For me it was my password that was causing problems for the function in which the mysqldump would fail resulting in a gz file of nothing.

Once the file was edited to the below everything started working again as expected.

$command = "mysqldump -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".$clientdb_password."' -c --add-drop-table --create-options --quick --result-file='".$db_backup_dir.'/'.$db_backup_file."' '".$db_name."'";

I hope this helps!
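
The quoting problem behind this fix, as an added example that is not part of the original post or of ISPConfig: escapeshellcmd() inserts backslashes that stay literal inside the hand-written single quotes, while escapeshellarg() supplies the quotes itself and also survives a value containing a single quote. The sample passwords and placeholder values are constructed, and a POSIX shell with printf is assumed.

```php
<?php
// Added example, not ISPConfig code. All passwords and values are constructed.

// Returns what a child process actually receives when $shellWord is put
// on a command line (printf %s echoes its argument back unchanged).
function received_by_child(string $shellWord): string
{
    return (string) shell_exec('printf %s ' . $shellWord);
}

// Three ways of placing a value on the mysqldump command line.
function quoting_variants(string $value): array
{
    return [
        // Original line 892: backslashes added by escapeshellcmd() are
        // literal inside '...', so they become part of the password.
        'escapeshellcmd in quotes' => "'" . escapeshellcmd($value) . "'",
        // Edited line: correct until the value itself contains a single
        // quote, which ends the quoting early.
        'raw in quotes'            => "'" . $value . "'",
        // escapeshellarg() adds the quotes and escapes embedded ones.
        'escapeshellarg'           => escapeshellarg($value),
    ];
}

foreach (['p&ss$w0rd#1', "it's"] as $password) {
    foreach (quoting_variants($password) as $name => $word) {
        $got = received_by_child($word);
        printf("%-25s %-12s => %-16s %s\n", $name, $password, $got,
            $got === $password ? 'intact' : 'CHANGED');
    }
}

// The mysqldump command with every value quoted by escapeshellarg().
// Variable names follow the ISPConfig line; the values are placeholders.
$clientdb_host     = 'localhost';
$clientdb_user     = 'root';
$clientdb_password = 'p&ss$w0rd#1';
$db_backup_dir     = '/var/backup/web1';
$db_backup_file    = 'db_example.sql';
$db_name           = 'c1example';

$command = 'mysqldump -h ' . escapeshellarg($clientdb_host)
    . ' -u ' . escapeshellarg($clientdb_user)
    . ' -p' . escapeshellarg($clientdb_password)
    . ' -c --add-drop-table --create-options --quick'
    . ' --result-file=' . escapeshellarg($db_backup_dir . '/' . $db_backup_file)
    . ' ' . escapeshellarg($db_name);

echo $command, "\n";
```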

Cisco Call Manager 9.0 and 9.1 in VirtualBox Guide

As mentioned, I can confirm that Cisco Call Manager 9 (CCM9) does work in VirtualBox and can be installed in a similar manner to CCM7. I have had both 9.0.1 and 9.1.1 installed with all services running perfectly.

As we did with CCM7, CCM9 must first be installed in VMware and then moved over to VirtualBox. CCM9 is now 100% supported in VMware, so the install process should be flawless. Keep in mind though that VirtualBox is definitely not officially supported, so you will get no help from TAC. This should only be used in a lab environment.

The minimum requirements for CCM9 are the same as they were in CCM7, 1x 80GB SCSI disk with 2048MB RAM. The CUC prerequisites have changed slightly and if you use 80GB/2048MB you won’t be able to install CUC. I haven’t been bothered to find the minimum requirements for CUC but I’ll post them up when I get some time.

I’ve used VMware Workstation 8.0, but you should be able to use any version of VMware to build the initial machine. All we need to do is to have the install complete and boot successfully, all other finer details can be changed once we move over to VirtualBox.
