
Page 1: OWASP Education Project - Template

Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

IAX2 RE DoS: Don’t Let The Fuzz Get You!

Blake Cornell, OWASP Board Member NY/NJ/LI, [email protected], 212-202-6704

0day Project

Page 2

Open Source VoIP Dilemma

Asterisk is the open source VoIP PBX. It supports multiple signaling protocols, one of which is its own: the Inter-Asterisk eXchange protocol (IAX2).

IAX is arguably the best VoIP signalling protocol by design. Unlike SIP, which requires up to 10,001 UDP ports, IAX requires just one, which makes it NAT friendly.

Asterisk has been gaining significant headway in the mid-size PBX VoIP market.

if(IAX == !SAFE_FOR_WORK) { asterisk = !SAFE_FOR_WORK; }

Page 3

Previous Asterisk IAX Research

During The Last HOPE conference (2600), I spoke on an Asterisk VoIP topic titled “Autonomously Bypassing VoIP Filters with Asterisk”. My friend Jeremy McNamara (NuFone founder) and I detailed how a VoIP provider and/or a VoIP client could guarantee VoIP service in any country (or airplane) in the world.

During the talk, I released an IAX application port scanner that could be used to find accessible IAX2 services. This script utilized the IAX Control POKE request to determine whether a UDP service was an Asterisk server or not.

Page 4

Previous Asterisk IAX Research

Page 5

POKE Asterisk IAX Vulnerability

A flood of IAX Control POKE packets caused resource exhaustion of the IAX call numbers.

If you got hit by the POKE (et al.), you would experience:
- Elevated PDD
- Audio jitter and dropped audio
- Dropped phone calls
- Asterisk segmentation fault

Non-exploitable; 1.4 branch only.

CVE-2008-3263

Page 6

POKE Asterisk IAX Vulnerability

Page 7

POKE Asterisk IAX Vulnerability

Page 8

POKE Asterisk IAX Vulnerability

Page 9

Digium's POKE “Issue”

    if ((f.frametype == AST_FRAME_IAX) &&
        ((f.subclass == IAX_COMMAND_NEW) ||
         (f.subclass == IAX_COMMAND_REGREQ) ||
         (f.subclass == IAX_COMMAND_POKE) ||
         (f.subclass == IAX_COMMAND_FWDOWNL) ||
         (f.subclass == IAX_COMMAND_REGREL)))
        new = NEW_ALLOW;

There are only 15 bits available for call numbers. Once all of these call numbers have been allocated (NEW_ALLOW), no further call numbers can be issued. So what if we can consume all the call numbers?

Page 10

System Resource Usage in “Stable” v1.4

- CPU utilization increases during the attack, usually to 100% on one core of one CPU.
- CPU utilization hangs around 50% after the attack is over, due in part to a 'rand' function within the call number determination algorithm.

Page 11

Digium's POKE “Fix”

    /* Deal with POKE/PONG without allocating a callno */
    if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
        /* Reply back with a PONG, but don't care about the result. */
        send_apathetic_reply(1, ntohs(fh->scallno), &sin,
                             IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
        return 1;
    } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
        /* Ignore */
        return 1;
    }

Page 12

Why is this not a good solution?

    if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
        send_apathetic_reply(1, ntohs(fh->scallno), &sin,
                             IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
        return 1;
    } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
        /* Ignore */
        return 1;
    }

    if ((f.frametype == AST_FRAME_IAX) &&
        ((f.subclass == IAX_COMMAND_NEW) ||
         (f.subclass == IAX_COMMAND_REGREQ) ||
         (f.subclass == IAX_COMMAND_POKE) ||
         (f.subclass == IAX_COMMAND_FWDOWNL) ||
         (f.subclass == IAX_COMMAND_REGREL)))
        new = NEW_ALLOW;

Page 13

Sloppy Fix?

    if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
        send_apathetic_reply(1, ntohs(fh->scallno), &sin,
                             IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
        return 1;
    } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
        /* Ignore */
        return 1;
    }

    if ((f.frametype == AST_FRAME_IAX) &&
        ((f.subclass == IAX_COMMAND_NEW) ||
         (f.subclass == IAX_COMMAND_REGREQ) ||
         (f.subclass == IAX_COMMAND_POKE) ||
         (f.subclass == IAX_COMMAND_FWDOWNL) ||
         (f.subclass == IAX_COMMAND_REGREL)))
        new = NEW_ALLOW;

Page 14

IAX Vuln Discovery and Disclosure

Since POKE was discovered by accident, I figured that I could find more on purpose.

I then rapidly discovered an additional 12 RE DoS conditions in IAX. How did I find these flaws?

Hint: Don't let the Fuzz get you! Hint: You were just looking at a big clue!

Digium, the makers and maintainers of Asterisk, were informed on multiple occasions starting over a year ago regarding these issues. Digium had included executives, developers and security staff in VA discussions.

Digium eventually started refusing to respond to my further inquiries and thus refusing to officially respond to these issues, putting all IAX2 users at risk.

For over 14 months.

What could I do to get Digium's further attention and help raise awareness of these issues? I contemplated releasing a PoC script to demonstrate the weakness.

Page 15

Who could work here?

In Huntsville Alabama?

Page 16

How about here?

?

Page 17

Or here?

?

Page 18

Resource Exhaustion 0days

I released two additional 0days to the public. http://www.securityscraper.com/

The release was timed to coincide with Astricon 2008. There were numerous Asterisk developers at Astricon when the PoC code was released. There was also a week-long “code zone” where developers fix outstanding issues.

At that time I had enough RE 0days to continue releasing one every day for just under a month (without any additional research).

Page 19

How to determine if you are being attacked?

A stream of unauthenticated IAX packets is a big clue. On Asterisk v1.4, it can take up to 30 minutes to exhaust all call numbers and eventually segfault Asterisk. Asterisk v1.6 takes 30 seconds to exhaust call numbers and does not segfault.

Common issues during an attack:
- High or infinite Post Dial Delay
- Jitter and dropped audio
- Dropped phone calls
- Segmentation fault
- “chan_iax2.c: Raw Hangup”

If you see this, you are more than likely being attacked or out of memory (which can be both).
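As an added example for the detection advice on this page (written for this transcript, not code from the talk), here is a Python log scanner that treats a burst of “chan_iax2.c: Raw Hangup” messages as the indicator the slide describes and tallies them per peer. The sample log lines are constructed; the “[Mon DD HH:MM:SS] LEVEL[pid]: file:line function: message” layout and the “src=” field in the message are assumptions, and only the chan_iax2.c / Raw Hangup strings come from the slide. The threshold and window are made-up tuning knobs.

```python
"""Added example (not from the talk): flag bursts of the "chan_iax2.c: Raw Hangup"
messages that the slide lists as an attack symptom.  The sample log below is
constructed; its "[Mon DD HH:MM:SS] LEVEL[pid]: file:line func: message" layout
and the "src=" field are assumptions, only the chan_iax2.c / Raw Hangup strings
come from the slide.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Optional, Tuple

LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<level>[A-Z]+)\[\d+\]:\s+(?P<src>[\w.]+):\d+\s+\w+:\s+(?P<msg>.*)$"
)
TS_FORMAT = "%b %d %H:%M:%S"
SRC_RE = re.compile(r"src=(?P<ip>[\d.]+)")  # assumed shape of the message tail

# Constructed sample log: a quiet period, a burst of Raw Hangup warnings from
# one peer, an isolated one from another peer, and a line that is not a log line.
SAMPLE_LOG = """\
[Jun 25 10:15:01] VERBOSE[2201]: chan_iax2.c:5512 iax2_indicate: Call accepted
[Jun 25 10:15:04] NOTICE[2201]: chan_sip.c:1234 handle_request: Peer registered
[Jun 25 10:16:00] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40001
[Jun 25 10:16:01] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40002
[Jun 25 10:16:02] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40003
[Jun 25 10:16:03] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40004
[Jun 25 10:16:04] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40005
[Jun 25 10:16:05] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=198.51.100.7:40006
[Jun 25 10:21:00] WARNING[2201]: chan_iax2.c:7865 socket_process: Raw Hangup 10.0.0.5:4569, src=203.0.113.9:5060
this line is not in Asterisk log format at all
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split one log line into (timestamp, source file, message); None if not a log line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["src"], m["msg"]


def is_raw_hangup(src: str, msg: str) -> bool:
    """The symptom named on the slide: a Raw Hangup message from chan_iax2.c."""
    return src == "chan_iax2.c" and "Raw Hangup" in msg


def raw_hangup_events(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for every Raw Hangup warning, skipping other lines."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_raw_hangup(parsed[1], parsed[2]):
            yield parsed[0], parsed[2]


def count_raw_hangups(lines: Iterable[str]) -> int:
    return sum(1 for _ in raw_hangup_events(lines))


def raw_hangups_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Per-peer tally from the assumed "src=IP:port" tail of the message."""
    counts: Counter = Counter()
    for _, msg in raw_hangup_events(lines):
        m = SRC_RE.search(msg)
        counts[m["ip"] if m else "unknown"] += 1
    return dict(counts)


def raw_hangup_alerts(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=10)) -> List[Tuple[datetime, int]]:
    """Sliding-window burst detector: one alert per burst as (time, hangups in window)."""
    recent: Deque[datetime] = deque()
    alerts: List[Tuple[datetime, int]] = []
    in_burst = False
    for ts, _ in raw_hangup_events(lines):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:
                alerts.append((ts, len(recent)))
                in_burst = True
        else:
            in_burst = False
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("raw hangups:", count_raw_hangups(lines), raw_hangups_by_source(lines))
    for when, n in raw_hangup_alerts(lines):
        print(f"ALERT {when:%b %d %H:%M:%S}: {n} raw hangups within 10s, "
              "check for call number exhaustion")
```

The single isolated Raw Hangup five minutes later does not trip the detector, which keeps the occasional legitimate hangup error from paging anyone; only the clustered run does.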

Page 20

How to determine if you are being attacked?

Case Study: NuFone UAT Environment

- 1st line: start of attack.
- 2nd line: start of second attack.
- 3rd line: stop of both attacks.
- 4th line: segfault.

Page 21

How to determine if you are being attacked?

User experience during an attack. Two instances of the attack were launched.
- 25 second PDD immediately.
- After 2 loops of the attack, numerous “raw hangup” errors are displayed within the Asterisk CLI.
- No audio on existing phone call.
- 31 second PDD.

Page 22

Prevention

Since there was no vendor fix for these issues, there were a few options:
- Block IAX to only trusted IPs (server to server)
- Disable IAX
- Actively monitor the IAX service
- Hope that Digium fixes it….

I would have told you that this was never going to happen. My best guess was that they couldn’t fix it without breaking backward compatibility (a.k.a. IAX3).

Then, 2 business days before this talk, I received an email from Digium. They claimed to have “fixed” these issues.

– AST-2009-009

Page 23

AST-2009-006 Was Born

“After quite a bit of thought and development, there will be a patch/ update released tomorrow to IAX2 that should at least create conditions that make IAX2 less vulnerable to the DoS attack vectors that you and others have identified in relation to call sequence number exhaustion. This is not a full solution, but it will reduce attack vectors significantly. There is a fundamental change in IAX2 to address the exhaustion issue, and Asterisk will have a switching mechanism on a per-peer basis to allow backwards compatibility without significant re-work of configuration files or code.”

“The implementation here took much longer than expected, as this has been balanced with other open-source tasks as well as fundamentally being a difficult proposition to solve. I'd like to solicit your thoughts on the solution, and if you have comments on the methodology I would be happy to discuss them with you. While it is never a comfortable process to discover shortcomings in protocols or code, we think that the solution that is being put in place is a reasonable balance between functionality and protection. Thank you for your continued consideration and discussion; despite our delay in this particular solution, we are very interested in keeping Asterisk safe from denial of service or other security issues and your observations and discoveries of security issues are welcome.”

I agreed with everything, “initially”, especially the part where they finally thanked me for my voluntary efforts spanning over a year.

Page 24

Page 25

Prevention

Digium decided to utilize a solution that broke backward compatibility. There is likely no other way.

VA Metrics: Fixing a vulnerability in production is 33 times more costly than fixing it in the design phase. Utilizing this industry metric, we can roughly determine that while it took just over 14 months to find a feasible solution, it would have taken two weeks if it had been discovered and fixed during the design phase.

Page 26

Design Errors Are Costly

Page 27

Fuzzing IAX

- I built my IAX fuzzer in two days.
- Took the IAX IETF draft and recreated the IAX packet structure: http://tools.ietf.org/id/draft-guy-iax-05.txt
- Ported the data structures into name/value pair hashes.
- Programmed the fuzzer to assemble all types of possible IAX packet combinations.
- Generated gigs of log data. Used bash mechanisms to extrapolate vulnerable packet types.
- The fuzzer loops through the unauthenticated space of the protocol stack.
- Discovered and confirmed over 12 vulnerabilities within a weekend.

Page 28

Fuzzing IAX

| Code | Name    | Description                  |
| 0x01 | NEW     | Initiate a new call          |
| 0x02 | PING    | Ping request                 |
| 0x03 | PONG    | Ping or poke reply           |
| 0x04 | ACK     | Explicit acknowledgment      |
| 0x05 | HANGUP  | Initiate call tear-down      |
| 0x06 | REJECT  | Reject a call                |
| 0x07 | ACCEPT  | Accept a call                |
| 0x08 | AUTHREQ | Authentication request       |
| 0x09 | AUTHREP | Authentication reply         |
| 0x0a | INVAL   | Invalid message              |
| 0x0b | LAGRQ   | Lag request                  |
| 0x0c | LAGRP   | Lag reply                    |
| 0x0d | REGREQ  | Registration request         |
| 0x0e | REGAUTH | Registration authentication  |
| 0x0f | REGACK  | Registration acknowledgement |
| 0x10 | REGREJ  | Registration reject          |
| 0x11 | REGREL  | Registration release         |
[…]

Page 29

Fuzzing IAX

    my %iaxControlFrames = (
        'Nan'     => "00",
        'NEW'     => "01",
        'PING'    => "02",
        'PONG'    => "03",
        'ACK'     => "04",
        'HANGUP'  => "05",
        'REJECT'  => "06",
        'ACCEPT'  => "07",
        'AUTHREQ' => "08",
        'AUTHREP' => "09",
        'INVAL'   => "0a",
        'LAGRQ'   => "0b",
        'LAGRP'   => "0c",
        'REGREQ'  => "0d",
        'REGAUTH' => "0e",
        'REGACK'  => "0f",
        'REGREJ'  => "10",
        'REGREL'  => "11",
        […]
    );

Page 30

Time For Fun

But first… Mad Props:
- Jeremy McNamara, Founder, NuFone (QA exploits, expertise and knowledge [knows more about VoIP than anyone])
- Noam Rathus, SecuriTeam (SecuriTeam Secure Disclosure [experience regarding resistant software maintainers])
- John Todd, Digium (The only “friendly” and “sane” person working at Digium [kept me in the loop])

If time is short we will do one of the following.

Run a demo attack?

    perl iaxFuzz.pl --dos -h 127.0.0.1 -v

Show you something new and interesting (SIP+XSS)?

    perl sipFuzzer.pl -h 127.0.0.1 -v --xss --sqli

Thanks!!