Summary: ASTERISK-12245: An issue with the IAX2 channel allows anonymous connections to cause resource starvation
Reporter: Noam Rathaus (rathaus)
Labels:
Date Opened: 2008-06-22 10:03:08
Date Closed: 2009-09-03 14:11:08
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_iax2
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) iaxvuln.tar.gz

Description: The following is a Denial of Service vulnerability in Asterisk submitted to the SecuriTeam Secure disclosure project. The vulnerability causes Asterisk to use 100% cpu for about 8 minutes at a modest cost to the attacker.

The attack can be spoofed and it is possible to trigger against servers that don't allow anonymous connections.

Asterisk version 1.4.20.1 (seems to affect 1.4.19.1+)

****** ADDITIONAL INFORMATION ******

We would rather post the exploit code here - unless we are instructed otherwise - instead we would like to send it to a non-public location

Comments:

By: Tilghman Lesher (tilghman) 2008-06-22 12:07:53

Publishing it here is fine.  Since the issue has been marked private, the general public will be unable to view this issue until after a fix has been committed and a new release made.

By: Noam Rathaus (rathaus) 2008-06-22 12:29:23

Sending this IAX data, and incrementing the Outbound sequence number:
0000   80 17 00 00 00 00 08 76 9b 00 06 01 08 04 00 00  .......v........
0010   02 aa 00 00 00 00 00 00 00 00 00 00 00 00        ..............

Inter-Asterisk eXchange v2
   Packet type: Full packet (1)
       .000 0000 0001 0111 = Source call: 23
       .000 0000 0000 0000 = Destination call: 0
       0... .... .... .... = Retransmission: False
       [Call identifier: 1]
       Timestamp: 2166
       [Absolute Time: Jun 22, 2008 20:30:31.617623000]
       [Lateness: -2.165000000 seconds]
       Outbound seq.no.: 155
       Inbound seq.no.: 0
       Type: IAX (6)
           IAX subclass: NEW (1)
           Information Element: Actual codec capability: 0x000002aa
               IE id: Actual codec capability (0x08)
               Length: 4
               Actual codec capability: 0x000002aa
                   .... .... .... .... .... .... .... ...0 = G.723.1 compression: Not supported
                   .... .... .... .... .... .... .... ..1. = GSM compression: Supported
                   .... .... .... .... .... .... .... .0.. = Raw mu-law data (G.711): Not supported
                   .... .... .... .... .... .... .... 1... = Raw A-law data (G.711): Supported
                   .... .... .... .... .... .... ...0 .... = G.726 compression: Not supported
                   .... .... .... .... .... .... ..1. .... = ADPCM: Supported
                   .... .... .... .... .... .... .0.. .... = Raw 16-bit Signed Linear (8000 Hz) PCM: Not supported
                   .... .... .... .... .... .... 1... .... = LPC10, 180 samples/frame: Supported
                   .... .... .... .... .... ...0 .... .... = G.729a Audio: Not supported
                   .... .... .... .... .... ..1. .... .... = SPEEX Audio: Supported
                   .... .... .... .... .... .0.. .... .... = iLBC Free compressed Audio: Not supported
                   .... .... .... ...0 .... .... .... .... = JPEG images: Not supported
                   .... .... .... ..0. .... .... .... .... = PNG images: Not supported
                   .... .... .... .0.. .... .... .... .... = H.261 video: Not supported
                   .... .... .... 0... .... .... .... .... = H.263 video: Not supported


Will result in the IAX on the other end utilizing increasing amounts of CPU time, until it can no longer service any requests but those incoming from the attacker.

Since the packet is UDP based, it is also easily spoofable.

The attack works as well against servers that have guest access turned off as against those that allow guest access.

The attack is to send 20000 IC_NEW packets to the server. This sounds like a lot, but it's only 360kB and can be done over time (5 seconds or so). If it does not cause 100% cpu, the attack can be repeated until the server is successfully nonfunctional.
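
The frame dissected in the comment above can be recognised on the receiving side. This added example, which is not part of the original thread or of Asterisk, parses the 12-byte IAX2 full-frame header from the posted hex dump and counts NEW requests in a sliding window across all sources, because the comment notes that the source address can be spoofed. The 5-second window follows the thread; the threshold of 1000 and the names `parse_full_frame`, `is_new_request`, `NewFloodMonitor` and `first_alert` are assumptions for illustration.

```python
import struct
from collections import deque

IAX_FRAME_TYPE_IAX = 6   # "Type: IAX (6)" in the dissection
IAX_SUBCLASS_NEW = 1     # "IAX subclass: NEW (1)"

# The 30-byte datagram from the hex dump posted in the thread.
SAMPLE_NEW = bytes.fromhex(
    "8017000000000876" "9b00060108040000"
    "02aa000000000000" "000000000000"
)

def parse_full_frame(data):
    """Return the IAX2 full-frame header fields, or None if not a full frame."""
    if len(data) < 12:                      # truncated datagram
        return None
    scall, dcall, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    if not scall & 0x8000:                  # F bit clear: mini frame
        return None
    return {
        "source_call": scall & 0x7FFF,
        "dest_call": dcall & 0x7FFF,
        "retransmission": bool(dcall & 0x8000),
        "timestamp": ts,
        "oseqno": oseq,
        "iseqno": iseq,
        "frame_type": ftype,
        "subclass": sub & 0x7F,
    }

def is_new_request(hdr):
    """True for a call-setup NEW: IAX frame, subclass NEW, destination call 0."""
    return (hdr is not None and hdr["frame_type"] == IAX_FRAME_TYPE_IAX
            and hdr["subclass"] == IAX_SUBCLASS_NEW and hdr["dest_call"] == 0)

class NewFloodMonitor:
    """Sliding-window count of NEW requests, deliberately not keyed by source IP."""
    def __init__(self, window=5.0, threshold=1000):   # threshold is an assumption
        self.window, self.threshold = window, threshold
        self.events = deque()               # arrival times of NEW requests

    def observe(self, now, data):
        """Record one datagram seen at time `now`; return True when alerting."""
        if not is_new_request(parse_full_frame(data)):
            return False
        self.events.append(now)
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold

def first_alert(count, duration, monitor):
    """Feed `count` copies of SAMPLE_NEW spread evenly over `duration` seconds
    (constructed trace, in memory only); return the index of the first alert."""
    for i in range(count):
        if monitor.observe(i * duration / count, SAMPLE_NEW):
            return i
    return None

if __name__ == "__main__":
    print(parse_full_frame(SAMPLE_NEW))
    print(first_alert(20000, 5.0, NewFloodMonitor()))
```

A global counter is used rather than a per-address one because spoofed sources would spread the same volume across many addresses and keep every per-address count low.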

By: Tilghman Lesher (tilghman) 2008-06-23 14:58:55

Do you have sample exploit code you can post?  I'm sending that many IAX2 NEW packets at once, but I'm only seeing Asterisk unavailable for the exact period of time that the attack lasts.  Once the flood subsides, I'm going right back to 0% CPU usage.

By: Noam Rathaus (rathaus) 2008-06-23 15:05:47

The iaxvuln includes the exploit we have received, and which we used to recreate the issue.

To run it, modify the file riax5.py so that the IP address is the right one.

And run 'python riax5.py' - during the run the Asterisk service will experience high load which lasts even if you stop the exploit.

By: Tilghman Lesher (tilghman) 2008-06-23 15:29:22

Okay, I'm still scratching my head, because I'm running this over and over, and the target Asterisk box is not spiking the CPU.

By: Noam Rathaus (rathaus) 2008-06-23 15:41:07

It happens on the following systems we tested:
* Asterisk 1.4.20.1 (latest) from source on Gentoo 2007.0 amd64
* Gentoo 2008.0 amd64
* Slackware 12.1 i686

It also worked against 1.4.19.1 on Slackware 12.1 i686.

We also tested it against Gentoo 2007.0 amd64 portage Asterisk 1.2.14-r2 and Asterisk 1.4.19 on Slackware 12.1 i686. Both did not display the symptom.

By: Noam Rathaus (rathaus) 2008-06-23 15:41:51

I forgot to mention it happens on Debian unstable

By: Tilghman Lesher (tilghman) 2008-06-23 15:50:27

I'm running this on an Ubuntu 7.10 box with Asterisk SVN-branch-1.4-r124450M, and I'm unable to reproduce the issue.

By: Tilghman Lesher (tilghman) 2008-06-23 17:21:27

Just to be clear, I _do_ see a CPU spike associated with this, but it subsides immediately after packets cease to be sent.

By: Tilghman Lesher (tilghman) 2008-07-02 14:15:02

I've committed another patch in revision 127133 that seems to cause the aforementioned spike to no longer show up.  We never got the 5 minute unavailability that you had mentioned in this issue, so we're unable to test whether this change affected that.  However, I wanted to let you know that a patch has gone in where the CPU no longer spikes when hit with a stream of 32000 IAX NEW requests within a period of 5 seconds.

By: Noam Rathaus (rathaus) 2008-07-02 14:24:41

If you want I can test it on my environments - they all show the issue

I'm not sure how to get this patch you have introduced into my version.

By: Tilghman Lesher (tilghman) 2008-07-02 14:56:34

svn co http://svn.digium.com/svn/asterisk/branches/1.4 asterisk-1.4

By: Noam Rathaus (rathaus) 2008-07-02 23:03:30

I will test and get back to you.

Can you tell me when do you guys plan on advising the public of this problem?

By: Tilghman Lesher (tilghman) 2008-07-03 01:35:53

Our schedule on any such advisory will depend partly upon your confirmation that it fixes the problem that you detected.  However, since we were unable to make Asterisk perform in the poor way that you specified, it is likely that the assessment will be either Moderate or Low and it may not engender an immediate release.  No advisory has yet been written, and even on the day of a disclosure release, it usually takes us several hours to get all of our ducks in a row.  If you would like to coordinate our security release with your own disclosure, that's certainly available as an option, as well.

By: Noam Rathaus (rathaus) 2008-07-03 08:33:02

Hi,

I compiled, ran, make install, make samples, so that I will be using the defaults.

Loaded the chan_iax2, and I still see the problem occurring.

What can I provide to help you see this issue?

By: Tilghman Lesher (tilghman) 2008-07-03 09:29:48

I would need remote access to a machine that is having the issue.  You may coordinate with me on the IRC network Freenode, on the channel #asterisk-bugs.

By: Tilghman Lesher (tilghman) 2008-07-14 15:31:59

rathaus: ping.  Can you provide me with access to a machine that exhibits this problem?

By: Noam Rathaus (rathaus) 2008-07-14 23:01:05

Yes. As I mentioned before I can.

When are you available to proceed with this?

By: Tilghman Lesher (tilghman) 2008-07-15 08:30:31

rathaus:  I can't say when I'm specifically available, but please come on the Freenode IRC network, into the channel #asterisk-bugs, and we can find a time that works for both of us.

By: Noam Rathaus (rathaus) 2008-07-15 08:36:48

I'm there now, let me know when would be a good time to catch you there.

By: Tilghman Lesher (tilghman) 2008-07-15 17:10:44

What username are you using?  I have not found a rathaus in the #asterisk-bugs channel at all today, and a request for a person to answer to the name rathaus turned up no replies.

By: Tilghman Lesher (tilghman) 2008-07-31 12:57:08

rathaus: have you been able to replicate your setup yet?

By: Noam Rathaus (rathaus) 2008-08-11 12:22:20

yes

I have it ready, looked for you today (2008-08-11)

By: Tzafrir Cohen (tzafrir) 2008-10-05 01:08:36

Reproduced here, on a Debian Lenny system with 1.4 system (svn r144758) connecting to localhost.

By: Tzafrir Cohen (tzafrir) 2008-10-05 02:53:05

Symptoms look strikingly similar to those of the script from http://www.voip0day.com/news/remote-denial-of-service-exploit-effects-the-asterisk-pbx/

By: Leif Madsen (lmadsen) 2009-01-09 13:13:34.000-0600

Pinging this issue. Any word on whether this is an issue that has already been resolved?

By: Leif Madsen (lmadsen) 2009-02-27 16:30:59.000-0600

I'm assigning this issue to dvossel to determine whether this is still an issue that needs to remain open. Thanks!

By: Russell Bryant (russell) 2009-02-28 08:53:36.000-0600

Yes, this is an issue that needs to remain open.

By: Tilghman Lesher (tilghman) 2009-06-10 09:01:34

rathaus: we have scheduled the release of this advisory for this week, probably tomorrow (June 11th, 2009).  Is this enough time for you to coordinate a simultaneous advisory by your organization?

By: Noam Rathaus (rathaus) 2009-06-10 14:22:55

yes it is.

By: Tilghman Lesher (tilghman) 2009-06-10 14:34:49

Sorry to do this to you, but we've changed course once again on handling this.  The advisory will be delayed at least until next week, while discussions are happening in the background.

By: Digium Subversion (svnbot) 2009-09-03 11:32:40

Repository: asterisk
Revision: 215955

U   trunk/channels/chan_iax2.c
U   trunk/channels/iax2-parser.c
U   trunk/channels/iax2-parser.h
U   trunk/channels/iax2.h
U   trunk/configs/iax.conf.sample
U   trunk/include/asterisk/acl.h
U   trunk/include/asterisk/astobj2.h
U   trunk/main/acl.c
U   trunk/main/astobj2.c

------------------------------------------------------------------------
r215955 | dvossel | 2009-09-03 11:32:40 -0500 (Thu, 03 Sep 2009) | 6 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=215955

By: Digium Subversion (svnbot) 2009-09-03 11:58:21

Repository: asterisk
Revision: 215958

U   branches/1.2/Makefile
U   branches/1.2/acl.c
U   branches/1.2/astobj2.c
U   branches/1.2/channels/chan_iax2.c
U   branches/1.2/channels/iax2-parser.c
U   branches/1.2/channels/iax2-parser.h
U   branches/1.2/channels/iax2.h
U   branches/1.2/configs/iax.conf.sample
U   branches/1.2/include/asterisk/acl.h
U   branches/1.2/include/asterisk/astobj2.h
A   branches/1.2/include/asterisk/sha1.h
U   branches/1.2/include/asterisk/utils.h
A   branches/1.2/sha1.c
U   branches/1.2/utils.c

------------------------------------------------------------------------
r215958 | dvossel | 2009-09-03 11:58:21 -0500 (Thu, 03 Sep 2009) | 7 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=215958

By: Digium Subversion (svnbot) 2009-09-03 13:33:18

Repository: asterisk
Revision: 216000

U   branches/1.4/channels/chan_iax2.c
U   branches/1.4/channels/iax2-parser.c
U   branches/1.4/channels/iax2-parser.h
U   branches/1.4/channels/iax2.h
U   branches/1.4/configs/iax.conf.sample
U   branches/1.4/include/asterisk/acl.h
U   branches/1.4/include/asterisk/astobj2.h
U   branches/1.4/main/acl.c
U   branches/1.4/main/astobj2.c

------------------------------------------------------------------------
r216000 | dvossel | 2009-09-03 13:33:18 -0500 (Thu, 03 Sep 2009) | 7 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216000

By: Digium Subversion (svnbot) 2009-09-03 13:34:38

Repository: asterisk
Revision: 216001

_U  trunk/

------------------------------------------------------------------------
r216001 | dvossel | 2009-09-03 13:34:38 -0500 (Thu, 03 Sep 2009) | 12 lines

Blocked revisions 216000 via svnmerge

........
 r216000 | dvossel | 2009-09-03 13:32:32 -0500 (Thu, 03 Sep 2009) | 7 lines
 
 Merge code associated with AST-2009-006
 
 (closes issue ASTERISK-12245)
 Reported by: rathaus
 Tested by: tilghman, russell, dvossel, dbrooks
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216001

By: Digium Subversion (svnbot) 2009-09-03 13:40:58

Repository: asterisk
Revision: 216003

_U  branches/1.6.0/
U   branches/1.6.0/channels/chan_iax2.c
U   branches/1.6.0/channels/iax2-parser.c
U   branches/1.6.0/channels/iax2-parser.h
U   branches/1.6.0/channels/iax2.h
U   branches/1.6.0/configs/iax.conf.sample
U   branches/1.6.0/include/asterisk/acl.h
U   branches/1.6.0/include/asterisk/astobj2.h
U   branches/1.6.0/main/acl.c
U   branches/1.6.0/main/astobj2.c

------------------------------------------------------------------------
r216003 | dvossel | 2009-09-03 13:40:58 -0500 (Thu, 03 Sep 2009) | 13 lines

Merged revisions 215955 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r215955 | dvossel | 2009-09-03 11:31:54 -0500 (Thu, 03 Sep 2009) | 6 lines
 
 Merge code associated with AST-2009-006
 
 (closes issue ASTERISK-12245)
 Reported by: rathaus
 Tested by: tilghman, russell, dvossel, dbrooks
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216003

By: Digium Subversion (svnbot) 2009-09-03 13:42:13

Repository: asterisk
Revision: 216004

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_iax2.c
U   branches/1.6.1/channels/iax2-parser.c
U   branches/1.6.1/channels/iax2-parser.h
U   branches/1.6.1/channels/iax2.h
U   branches/1.6.1/configs/iax.conf.sample
U   branches/1.6.1/include/asterisk/acl.h
U   branches/1.6.1/include/asterisk/astobj2.h
U   branches/1.6.1/main/acl.c
U   branches/1.6.1/main/astobj2.c

------------------------------------------------------------------------
r216004 | dvossel | 2009-09-03 13:42:13 -0500 (Thu, 03 Sep 2009) | 13 lines

Merged revisions 215955 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r215955 | dvossel | 2009-09-03 11:31:54 -0500 (Thu, 03 Sep 2009) | 6 lines
 
 Merge code associated with AST-2009-006
 
 (closes issue ASTERISK-12245)
 Reported by: rathaus
 Tested by: tilghman, russell, dvossel, dbrooks
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216004

By: Digium Subversion (svnbot) 2009-09-03 13:43:28

Repository: asterisk
Revision: 216007

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_iax2.c
U   branches/1.6.2/channels/iax2-parser.c
U   branches/1.6.2/channels/iax2-parser.h
U   branches/1.6.2/channels/iax2.h
U   branches/1.6.2/configs/iax.conf.sample
U   branches/1.6.2/include/asterisk/acl.h
U   branches/1.6.2/include/asterisk/astobj2.h
U   branches/1.6.2/main/acl.c
U   branches/1.6.2/main/astobj2.c

------------------------------------------------------------------------
r216007 | dvossel | 2009-09-03 13:43:28 -0500 (Thu, 03 Sep 2009) | 13 lines

Merged revisions 215955 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

........
 r215955 | dvossel | 2009-09-03 11:31:54 -0500 (Thu, 03 Sep 2009) | 6 lines
 
 Merge code associated with AST-2009-006
 
 (closes issue ASTERISK-12245)
 Reported by: rathaus
 Tested by: tilghman, russell, dvossel, dbrooks
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216007

By: Digium Subversion (svnbot) 2009-09-03 13:50:21

Repository: asterisk
Revision: 216010

U   tags/1.6.1.6/channels/chan_iax2.c
U   tags/1.6.1.6/channels/iax2-parser.c
U   tags/1.6.1.6/channels/iax2-parser.h
U   tags/1.6.1.6/channels/iax2.h
U   tags/1.6.1.6/configs/iax.conf.sample
U   tags/1.6.1.6/include/asterisk/acl.h
U   tags/1.6.1.6/include/asterisk/astobj2.h
U   tags/1.6.1.6/main/acl.c
U   tags/1.6.1.6/main/astobj2.c

------------------------------------------------------------------------
r216010 | dvossel | 2009-09-03 13:50:21 -0500 (Thu, 03 Sep 2009) | 8 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks



------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216010

By: Digium Subversion (svnbot) 2009-09-03 13:51:50

Repository: asterisk
Revision: 216012

U   tags/1.6.0.15/channels/chan_iax2.c
U   tags/1.6.0.15/channels/iax2-parser.c
U   tags/1.6.0.15/channels/iax2-parser.h
U   tags/1.6.0.15/channels/iax2.h
U   tags/1.6.0.15/configs/iax.conf.sample
U   tags/1.6.0.15/include/asterisk/acl.h
U   tags/1.6.0.15/include/asterisk/astobj2.h
U   tags/1.6.0.15/main/acl.c
U   tags/1.6.0.15/main/astobj2.c

------------------------------------------------------------------------
r216012 | dvossel | 2009-09-03 13:51:50 -0500 (Thu, 03 Sep 2009) | 7 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216012

By: Digium Subversion (svnbot) 2009-09-03 14:11:07

Repository: asterisk
Revision: 216015

U   tags/1.4.26.2/channels/chan_iax2.c
U   tags/1.4.26.2/channels/iax2-parser.c
U   tags/1.4.26.2/channels/iax2-parser.h
U   tags/1.4.26.2/channels/iax2.h
U   tags/1.4.26.2/configs/iax.conf.sample
U   tags/1.4.26.2/include/asterisk/acl.h
U   tags/1.4.26.2/include/asterisk/astobj2.h
U   tags/1.4.26.2/main/acl.c
U   tags/1.4.26.2/main/astobj2.c

------------------------------------------------------------------------
r216015 | dvossel | 2009-09-03 14:11:07 -0500 (Thu, 03 Sep 2009) | 8 lines

Merge code associated with AST-2009-006

(closes issue ASTERISK-12245)
Reported by: rathaus
Tested by: tilghman, russell, dvossel, dbrooks



------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=216015