[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Asterisk SDP DOS vulnerability
From: "Radu State" <state () loria ! fr>
Date: 2007-03-19 18:00:14
Message-ID: 5m8j6b$a84tj () ironport1 ! loria ! fr
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
MADYNES Security Advisory
<http://madynes.loria.fr/> http://madynes.loria.fr
Title: Asterisk SIP INVITE remote DOS
Release Date:
08/03/2007
Severity:
High - Denial of Service
Advisory ID:KIPH1
Software:
Asterisk
<http://www.asterisk.org/> http://www.asterisk.org/
AsteriskR is a complete IP PBX in software. It runs on a wide variety of
operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun
Solaris and provides all of the features you would expect from a PBX
including many advanced features that are often associated with high end
(and high cost) proprietary PBXs. AsteriskR supports Voice over IP in many
protocols, and can interoperate with almost all standards-based telephony
equipment using relatively inexpensive hardware.
Affected Versions:
Asterisk 1.2.14, 1.2.15, 1.2.16
Asterisk 1.4.1
probably previous versions also
Unaffected Versions: Trunk version to date (13/03/2007)
Vulnerability Synopsis: After sending a crafted INVITE message the software
finish abruptly its execution with a Segmentation Fault provoking a Denial
of Service (DoS) in all the services provided by the entity.
Impact: A remote individual can remotely crash and perform a Denial of
Service(DoS) attack in all the services provided by the software by sending
one crafted SIP INVITE message. This is conceptually similar to the "ping of
death".
Resolution: The problem has been fixed in Asterisk versions 1.4.2 and
1.2.17, which is released today 19/03/2007
Vulnerability Description: After sending a crafted message the software
crash abruptly. The message in this case is an anonymous INVITE where the
SDP contains 2 connection headers. The first one must be valid and the
second not where the IP address should be invalid. The callee needs not to
be a valid user or dialplan. In case where asterisk is set to disallow
anonymous call, a valid user and password should be known, and while
responding the corresponding INVITE challenge the information should be
crafted as above. After this crafted SIP INVITE message, the affected
software crash immediately.
Proof of Concept Code: available
Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at
INRIA
Lorraine, using the Madynes VoIP fuzzer.
<http://madynes.loria.fr/> http://madynes.loria.fr/
Disclosure Distribution:
The advisory will be posted on the following websites:
1) Asterisk's website
2) <http://madynes.loria.fr/> http://madynes.loria.fr website
The advisory will be posted to the following mailing lists:
1) full-disclosure@lists.grok.org.uk
2) voipsec@vopisa.org
[Attachment #5 (text/html)]
<html xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:st1="urn:schemas-microsoft-com:office:smarttags" \
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="State"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceType"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place" downloadurl="http://www.5iantlavalamp.com/"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>MADYNES Security
Advisory <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
style='font-size:10.0pt;font-family:"Courier New"'><a
href="http://madynes.loria.fr/"><span \
lang=EN-US>http://madynes.loria.fr</span></a></span></font><font size=2 face="Courier \
New"><span lang=EN-US style='font-size:10.0pt;font-family: "Courier \
New"'><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Title: Asterisk
SIP INVITE remote DOS <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Release \
Date:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> 08/03/2007<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Severity: \
<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> High - Denial of \
Service<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Advisory \
ID:KIPH1<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Software:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> Asterisk<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> </span></font><font size=2 face="Courier \
New"><span style='font-size:10.0pt;font-family:"Courier New"'><a \
href="http://www.asterisk.org/"><span \
lang=EN-US>http://www.asterisk.org/</span></a></span></font><font size=2 \
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family: "Courier \
New"'><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-autospace:none'><font size=2
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Asterisk® is a complete IP PBX in software. It runs on a wide variety of \
operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun Solaris and
provides all of the features you would expect from a PBX including many
advanced features that are often associated with high end (and high cost)
proprietary PBXs. Asterisk® supports Voice over IP in many protocols, and can
interoperate with almost all standards-based telephony equipment using
relatively inexpensive hardware.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Affected
Versions:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> Asterisk 1.2.14, 1.2.15, 1.2.16 \
<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> Asterisk 1.4.1 <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> probably previous versions \
also<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Unaffected
Versions: Trunk version to date (13/03/2007)<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-autospace:none'><font size=2
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Vulnerability
Synopsis: After sending a crafted INVITE message the software finish abruptly
its execution with a Segmentation Fault provoking a Denial of Service (DoS) in
all the services provided by the entity.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-autospace:none'><font size=2
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Impact: A remote individual can remotely crash and perform a Denial of \
Service(DoS) attack in all the services provided by the software by sending one \
crafted SIP INVITE message. This is conceptually similar to the "ping of \
death". <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-autospace:none'><font size=2
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Resolution: The problem
has been fixed in Asterisk versions 1.4.2 and 1.2.17, which is released today \
19/03/2007 <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-autospace:none'><font size=2
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Vulnerability
Description: After sending a crafted message the software crash abruptly. The
message in this case is an anonymous INVITE where the SDP contains 2 connection
headers. The first one must be valid and the second not where the IP address
should be invalid. The callee needs not to be a valid user or dialplan. In case
where asterisk is set to disallow anonymous call, a valid user and password
should be known, and while responding the corresponding INVITE challenge the
information should be crafted as above. After this crafted SIP INVITE message,
the affected software crash immediately. <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Proof of Concept
Code: available<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'>Credits:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> Humberto J. Abdelnur (Ph.D \
Student)<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> <st1:place w:st="on"><st1:PlaceName \
w:st="on">Radu</st1:PlaceName> <st1:PlaceType \
w:st="on">State</st1:PlaceType></st1:place> (Ph.D)<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> Olivier Festor \
(Ph.D)<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> This vulnerability was identified by the Madynes \
research team at INRIA<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> <st1:place w:st="on"><st1:State \
w:st="on">Lorraine</st1:State></st1:place>, using the Madynes VoIP \
fuzzer.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> </span></font><font size=2 face="Courier \
New"><span style='font-size:10.0pt;font-family:"Courier New"'><a \
href="http://madynes.loria.fr/"><span \
lang=EN-US>http://madynes.loria.fr/</span></a></span></font><font size=2 \
face="Courier New"><span lang=EN-US style='font-size:10.0pt;font-family: "Courier \
New"'><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>Disclosure
Distribution: <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> The advisory will be posted on the following \
websites:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> 1) Asterisk's \
website<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> 2) </span></font><font size=2 \
face="Courier New"><span style='font-size:10.0pt;font-family:"Courier New"'><a \
href="http://madynes.loria.fr/"><span \
lang=EN-US>http://madynes.loria.fr</span></a></span></font><font size=2 face="Courier \
New"><span lang=EN-US style='font-size:10.0pt;font-family: "Courier New"'> \
website<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> The advisory will be posted to the following \
mailing lists:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> 1) \
full-disclosure@lists.grok.org.uk<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=2 face="Courier New"><span
lang=EN-US style='font-size:10.0pt;font-family:"Courier \
New"'> 2) \
voipsec@vopisa.org<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic