Solution to VOIP Injects for Locked Shields 2014

In 2014, for the first time in Locked Shields history, the VOIP topic was brought to the exercise. The task of the Blue teams was to defend misconfigured VOIP systems that had been built by the Green team and to solve two VOIP injects opened during the LS execution. The article that focuses on describing the VOIP scenario and the problems connected with the deployed VOIP systems can be found here. Another article explaining the improper security configuration applied on the Blue VOIP systems is here. The article you are reading now discusses possible solutions to the VOIP injects that the Blue teams were challenged with.

Note: For calls to Tallinn land lines 06xxxxxx, to the emergency number 0112 and to the paid service number 0999, a caller had to add a prefix 0 to the dialed number. The prefix is automatically removed by the called party transformation settings configured under the particular route pattern.

Note: x represents any digit.

1. VOIP Inject One - Prevent Calls to Paid Service Number 0999

During the exercise the Blue teams were asked to configure their particular CUCMs in a way that prevents calls to the paid service number 0999. The number was configured on a Green Cisco IP phone 7962. The Green team had created a route pattern 0.099x on each Blue CUCM in advance. This route pattern routed calls from the Blue CUCM to the Green CUCM connected via a SIP trunk.

The solution provided by the Green team consists of two steps:

a) Deleting the route pattern 0.099x
b) Modifying the route pattern 84xx - deleting both the Called Party Transform Mask and the Prefix Digits (Outgoing Calls) under the route pattern configuration

Deleting the route pattern 0.099x that routes calls to the number 0999 seems to be a fast and simple solution to stop calls to the paid service number. However, deleting the pattern is not sufficient, as the Blue CUCM configuration contains a pattern 84xx that diverts calls to the number 0999. The pattern 84xx is one of the legitimate patterns 80xx, 81xx, 82xx, 83xx, 84xx that had been configured by the Green team and used for routing calls to the Green team internal range 8[0-4]xx.


Picture 1 - Route Patterns

The idea behind separating a route pattern 8[0-4]xx into five separate patterns is straightforward. It is much easier to hide some additional "change of dialed number" configuration under one of five route patterns than under a single pattern. Therefore we "placed" the Called Party Transformations configuration under the route pattern 84xx. In fact, this Called Party Transformations configuration contains two called transformations: the Called Party Transform Mask XX, which always keeps only the last two digits of the dialed number, and the prefix digits 09 transformation, which adds the digits 09 in front of them. For instance, if someone called the number 8499, the called party transformation mask extracted the last digits 99 from the called number 8499 and the prefix 09 was added to the digits 99. As a result the called number 8499 was changed to the number 0999.

It simply means that anyone could call the paid service number by dialing the number 8499. For this reason the White team did not accept deleting the route pattern 0.099x as a sufficient solution, even though it was working. To complete this task, the Called Party Transformations configuration had to be removed from the route pattern 84xx in order to prevent calls to the paid service number 0999. For this reason no Blue team scored for this inject.


Picture 2 - Called Party Transforms Mask XX and Prefix Digits 09 Configured Under the Route Pattern 8499 
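The check that would have exposed the 84xx path can be run over a whole dial plan. The following is an added example, not the Green team's tooling: it applies discard, mask and prefix to every number each pattern can match and reports which ones end at a restricted number. The dictionary format, the field names and the PreDot discard on 0.099x (modelled on the Note about the removed prefix 0) are assumptions.

```python
import itertools
import re

TOKEN = re.compile(r"\[[^\]]+\]|[0-9xX]")  # one pattern position: [..], digit or x

def expand(pattern):
    """Return every digit string a pattern matches ('.' is only a separator)."""
    choices = []
    for tok in TOKEN.findall(pattern):
        rx = r"\d" if tok in "xX" else tok
        choices.append([d for d in "0123456789" if re.fullmatch(rx, d)])
    return ["".join(c) for c in itertools.product(*choices)]

def transform(entry, dialed):
    """Apply called party transformations: discard PreDot, then mask, then prefix."""
    number = dialed
    if entry.get("predot") and "." in entry["pattern"]:
        number = number[len(TOKEN.findall(entry["pattern"].split(".")[0])):]
    mask = entry.get("mask", "")
    if mask:
        # The mask is right-aligned: X keeps a digit, digits left of the mask are dropped.
        padded = number.rjust(len(mask))[-len(mask):]
        number = "".join(d if m in "xX" else m
                         for m, d in zip(mask, padded)).replace(" ", "")
    return entry.get("prefix", "") + number

def audit(dial_plan, restricted):
    """List (pattern, dialed numbers) whose final called number is restricted."""
    findings = []
    for entry in dial_plan:
        hits = [d for d in expand(entry["pattern"]) if transform(entry, d) in restricted]
        if hits:
            findings.append((entry["pattern"], hits))
    return findings

# Constructed dial plan modelled on the patterns named in the article.
DIAL_PLAN = [
    {"pattern": "0.099x", "predot": True},              # assumed PreDot discard
    {"pattern": "80xx"}, {"pattern": "81xx"}, {"pattern": "82xx"}, {"pattern": "83xx"},
    {"pattern": "84xx", "mask": "XX", "prefix": "09"},  # the hidden transformation
]

if __name__ == "__main__":
    print(audit(DIAL_PLAN, {"0999"}))
    # Deleting only 0.099x leaves the 84xx path in place.
    print(audit([e for e in DIAL_PLAN if e["pattern"] != "0.099x"], {"0999"}))
```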

2. VOIP Inject Two - Secure Calls to Emergency Service 0112

The second VOIP inject assigned to the Blue teams required them to modify the CUCM configuration in order to allow phone calls to the emergency number 0112. The number 0112 was configured on a Green Cisco IP phone 7962. The Green team had created a route pattern 0.011[02] on each Blue CUCM that routed calls to an H323 gateway with the IP address (Picture 1). Although the IP address is a valid IP address of the Green CUCM, calls could not be completed as the Green CUCM did not contain any H323 configuration. For this reason calls to the number 0112 were rejected in the default configuration done by the Green team.

The solution provided by the Green team consists of two steps:

a) Editing the route pattern 0.011[02] and selecting the route list Blue-RL-Green
b) Deleting the translation pattern 00112.

Editing the route pattern 0.011[02] and configuring the route list Blue-RL-Green that points calls to a valid SIP trunk seemed to be a simple solution that ensures routing of calls to the number 0112. However, each Blue CUCM also had a translation pattern 00112. configured that changed the dialed number 00112 to the non-existing number 9551. The Called Party Transformation configured under the translation pattern 00112. simply stripped the digits before the dot and added the prefix 9551.

The reason why the translation pattern 00112. was matched instead of the route pattern 0.011[02] lies in how CUCM performs dialed digit analysis. For call routing, CUCM selects the pattern that is the better (more accurate) match of the called number. In our case the translation pattern 00112. represents a better match of the dialed number, so the call is diverted to the non-existing number 9551.

For this reason the Blue teams had to either delete the translation pattern or change the route pattern 0.011[02] to the pattern 00112. As we noticed when studying the Blue CUCM configurations, all the Blue teams selected the second option and changed the route pattern to 00112. In this case, the route pattern 00112 is the exact match of the called number 00112 and is always matched even though the translation pattern 00112. remained in the CUCM configuration. All the Blue teams that solved inject two got the full score for their solution.
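The closest-match rule described above can be reproduced with a small model. This is an added example, not CUCM code or anything from the exercise: it ranks matching patterns by how many digit strings each can match and picks the narrowest one. The record layout and function names are assumptions, and the model does not cover how CUCM resolves two patterns of equal specificity.

```python
import re

TOKEN = re.compile(r"\[[^\]]+\]|[0-9xX]")  # one pattern position: [..], digit or x

def positions(pattern):
    """Regex fragment per pattern position; the '.' separator is skipped."""
    return [r"\d" if tok in "xX" else tok for tok in TOKEN.findall(pattern)]

def matches(pattern, dialed):
    return re.fullmatch("".join(positions(pattern)), dialed) is not None

def breadth(pattern):
    """How many digit strings the pattern can match; fewer means more specific."""
    total = 1
    for rx in positions(pattern):
        total *= sum(1 for d in "0123456789" if re.fullmatch(rx, d))
    return total

def select(patterns, dialed):
    """Closest match: the matching pattern with the smallest breadth, or None."""
    candidates = [p for p in patterns if matches(p["pattern"], dialed)]
    return min(candidates, key=lambda p: breadth(p["pattern"]), default=None)

def route(patterns, dialed):
    """Return (winning pattern, new called number or destination)."""
    hit = select(patterns, dialed)
    if hit is None:
        return (None, None)
    if hit["kind"] == "translation":
        # 00112. discards every digit before the dot, then prefixes 9551.
        return (hit["pattern"], hit["prefix"])
    return (hit["pattern"], hit["destination"])

# Constructed model of the two patterns described in the article,
# with the route pattern already pointing at the route list (step a).
PATTERNS = [
    {"kind": "route", "pattern": "0.011[02]", "destination": "Blue-RL-Green"},
    {"kind": "translation", "pattern": "00112.", "prefix": "9551"},
]

if __name__ == "__main__":
    print(route(PATTERNS, "00112"))   # translation pattern wins
    without = [p for p in PATTERNS if p["kind"] != "translation"]
    print(route(without, "00112"))    # route pattern is used after step b
```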


