Hello everybody,
I'm really sorry for this late reply. I was kinda busy.
I've checked my notes on the 4400 and here's a brief summary.
On 13th Feb. 2002, Irib of the security bugware team [http://www.securitybugware.org] published an advisory titled "Playing around with Alcatel 4400". He pointed out several security issues of which I was very aware about 2 years before this document came out. Not actually bugs, but mainly poor security settings on ChorusOS were discussed. The document included discussions about:
- default passwords on ChorusOS which allowed a remote root access
- bad file permissions
- etc.
Alcatel was notified about this and contacted all its distributors around the globe to change the default passwords and maybe prepared some OS patches (I'm not aware of everything that was going on at that time).
Anyway, so much for the introduction. What I wanted to talk to you about is not ChorusOS bugs/exploits, because Sun released the source code for ChorusOS and everyone can examine the code now. However, I'm more interested in bugs that lie within 4400 itself.
One security issue that bothers me is the one which enables a remote caller to dial out using the company's phone line, without authorization. This can be done by carelessly setting up a number to be used for external line seizure (for example, DSL trunk group seizure). Usually, that prefix number would be 0, or 9, or something that does not collide with the directory number schema. If this prefix is set as a number with the same number of digits as a regular directory number, that prefix number can be accessed for the outside line and therefore used to seize the assigned trunk group. For example: the directory schema is 212 555 4100 - 212 555 4599 (dir. no. 100-599). If the prefix for trunk group seizure is set as 440, you're allowed to call 212 555 4440 + <the calling number>. You will be connected to the calling party, plus you get to hide your identity, because the company's identity will be transferred to the telco. I have tried this and it works on all systems I have access to in the country I live in, i.e. Slovenia. The numbering plan I used for the example was adjusted for NY, US.
If you look at this from the other point of view, you may ask: "And how can I find out if that number is even present in the system?". I have no good answer yet, besides the brute force attack. Anyway, it's a "feature" that should not exist, I believe.
The other bug lies within the 4635, the voice mail system. When you call a party on the regular directory number from an outside line and the call gets forwarded to the voice mail system, the caller's ID gets stored with the message you may leave in the voice mailbox. But if you call the voice mail system directly on its assigned directory number, browse to your target voice mail box and leave a message, the caller's ID is not identified, therefore marking it as an "outside call".
Let me repeat: what is written above applies to the country Slovenia, and I allow a chance of being wrong; what is written above might be just a result of a poor system configuration.
I would love to get feedback from you on this. Thank you!
arctus, SI
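The trunk-seizure collision described in the post above can be checked mechanically when auditing a dial plan. This is an added example, not code from the original post or from Alcatel: it models a directory number range and a set of external line seizure prefixes (the hypothetical `DialPlan` type and `collisions` function are assumptions) and goes slightly beyond the post's case by also flagging prefixes that partially overlap a directory number, not only ones that equal one.

```python
"""Dial-plan audit: find external line seizure prefixes that collide
with the internal directory number schema.

Added example (not from the original post). A seizure prefix collides if
it equals a directory number, is a leading substring of one, or has a
directory number as its own leading substring; in the post's example the
prefix 440 sits inside the 3-digit range 100-599.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DialPlan:
    dn_first: int                  # first directory number, e.g. 100
    dn_last: int                   # last directory number, e.g. 599
    dn_digits: int                 # digits per directory number, e.g. 3
    trunk_prefixes: Tuple[str, ...]  # external line seizure codes, e.g. ("0", "9")


def directory_numbers(plan: DialPlan) -> List[str]:
    """All directory numbers in the plan, zero-padded to dn_digits."""
    return [str(n).zfill(plan.dn_digits)
            for n in range(plan.dn_first, plan.dn_last + 1)]


def collisions(plan: DialPlan) -> List[Tuple[str, str]]:
    """Return (prefix, reason) pairs for every seizure prefix that is
    ambiguous against the directory number schema."""
    found = []
    dns = directory_numbers(plan)
    for prefix in plan.trunk_prefixes:
        for dn in dns:
            if prefix == dn:
                found.append((prefix, f"equals directory number {dn}"))
                break
            if dn.startswith(prefix):
                found.append((prefix, f"is a prefix of directory number {dn}"))
                break
            if prefix.startswith(dn):
                found.append((prefix, f"starts with directory number {dn}"))
                break
    return found


if __name__ == "__main__":
    # Constructed sample matching the post's NY-style example: 3-digit
    # extensions 100-599 and a badly chosen seizure prefix of 440.
    sample = DialPlan(100, 599, 3, ("0", "9", "440"))
    for prefix, reason in collisions(sample):
        print(f"seizure prefix {prefix} {reason}")
```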