
Summary: ASTERISK-17578: [patch] DoS through manager interface: no timeout for unauthenticated logins
Reporter: Tzafrir Cohen (tzafrir)
Labels:
Date Opened: 2011-03-18 23:43:20
Date Closed: 2011-04-21 13:49:57
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/ManagerInterface
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 0001-prevent-flodding-logs-when-too-many-open-files.patch
( 1) 0001-Timeout-of-30-secconds-to-pre-auth-manager-reads.patch
( 2) AST-2011-005-1.4.diff
( 3) AST-2011-005-1.6.1.diff
( 4) AST-2011-005-1.6.2.diff
( 5) AST-2011-005-1.8.diff
Description:

While trying to understand what AST-2011-003 does and if it is actually needed in 1.4, I tried to simply DoS my own system (Debian Squeeze, mostly).

The issue is that there's no timeout for a manager connection. Thus I can easily occupy as many asterisk threads and sockets as I want simply by connecting to the manager interface, reading the first line, and doing nothing.

If I manage to silently disconnect (somehow not sending the connection teardown to the asterisk server), all the better.

I used the following simple attack:

 while :; do nc localhost 5038 & done

Checking for the number of Asterisk threads:

 ps -eL | grep asterisk |wc -l


As an aside, once there are 1024 open files, things get worse. Asterisk keeps printing the warning of 'Too many open files'. It floods the logs and inflates the memory (long after I stopped attempting to connect). The system becomes unusable until I kill asterisk.

Tested so far on 1.6.2 and trunk (w/AST-2011-003 applied).

I filed this privately. But frankly I suspect others have tried the same simple thing after the advisory was filed.
Comments:

By: Tzafrir Cohen (tzafrir) 2011-03-19 13:41:03

Patch 0001-prevent-flodding-logs-when-too-many-open-files.patch attached: this works around the worst aspect of the problem: it prevents the endless loop in which the console prints an endless stream of messages and consumes all of my memory in the process.

All the CPU activity seems to be done in the main asterisk thread.

A brief look from strace after this is applied:

poll([{fd=6, events=POLLIN|POLLPRI}], 1, 5000) = 1 ([{fd=6, revents=POLLIN}])
accept(6, 0x7f0c23503d50, [128])        = -1 EMFILE (Too many open files)
gettid()                                = 22839
futex(0x818964, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x818960, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1}) = 1
futex(0x802290, FUTEX_WAKE_PRIVATE, 1)  = 1

By: Tzafrir Cohen (tzafrir) 2011-03-20 05:49:12

OK. Big thinko on my part. The instances of nc were still running. That said, the fact that Asterisk will wait indefinitely in this state makes such an attack quite simple. Just make sure the target system does not learn about the tear-down of the connection.

By: Tzafrir Cohen (tzafrir) 2011-03-20 08:49:03

Patch 0001-Timeout-of-30-secconds-to-pre-auth-manager-reads.patch:

Introduces a timeout for reads before we're authenticated. Fail and break connection on timeout.

By: Matthew Nicholson (mnicholson) 2011-03-21 13:18:00

Both of these are legitimate issues and both of these patches look good.  I'll work on a security advisory.

By: Matthew Nicholson (mnicholson) 2011-03-22 17:25:59

After looking at this further, the fix should also include a way to limit the number of manager connections asterisk will accept.

By: Matthew Nicholson (mnicholson) 2011-03-22 17:27:45

Also the timeout on the socket should not be based on activity on the socket, it should be an absolute timeout that will close the socket if successful authentication does not occur within a certain time.
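
The cap-plus-absolute-deadline policy described in the two comments above, as an added example in C that is not Asterisk's manager.c: the struct, the preauth_* functions, MAX_PENDING and the pending table are this example's own, and the field names authlimit/authtimeout are chosen here to match the two limits the commit message describes, not taken from the page.

```c
#include <time.h>

#define MAX_PENDING 8

/* Only sessions that have not yet authenticated are tracked, by fd and
 * accept() time; field names are this example's, not Asterisk's. */
struct preauth {
    int authlimit;    /* cap on simultaneous unauthenticated sessions */
    int authtimeout;  /* seconds allowed to authenticate, from accept() */
    int count;        /* live entries in pending[] */
    struct { int fd; time_t opened; } pending[MAX_PENDING];
};

/* Right after accept(): 0 lets the session proceed to the Login exchange;
 * -1 means the cap is reached and the caller closes fd at once instead of
 * parking a thread on it indefinitely. */
int preauth_admit(struct preauth *p, int fd, time_t now)
{
    if (p->count >= p->authlimit || p->count >= MAX_PENDING)
        return -1;
    p->pending[p->count].fd = fd;
    p->pending[p->count].opened = now;
    p->count++;
    return 0;
}

/* A successful Login removes the fd from the pool and frees a slot. */
int preauth_authenticated(struct preauth *p, int fd)
{
    int i;
    for (i = 0; i < p->count; i++) {
        if (p->pending[i].fd == fd) {
            p->pending[i] = p->pending[--p->count];  /* swap-remove */
            return 0;
        }
    }
    return -1;
}

/* Close pending sessions past their absolute deadline (opened + authtimeout).
 * Bytes arriving on the socket never move the deadline. Returns how many closed. */
int preauth_reap(struct preauth *p, time_t now)
{
    int i = 0, closed = 0;
    while (i < p->count) {
        if (now - p->pending[i].opened >= p->authtimeout) {
            p->pending[i] = p->pending[--p->count];  /* real code: close(fd) first */
            closed++;
        } else {
            i++;
        }
    }
    return closed;
}
```

The reaper would run from the listener's poll loop at the nearest pending deadline, so an idle or trickling connection is cut at accept-time plus authtimeout regardless of what it sends.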

By: Jonathan Rose (jrose) 2011-03-28 08:58:03

"It is very important to understand that other than a clear text password
and the ability to restrict IP addresses, there is no security of any kind
on the Manager interface. If you are running Manager on an untrusted
network (or have any other complex needs), you should consider using
David Troy’s excellent AstManProxy to handle all of your connections
to the manager API."

~Asterisk - The Future of Telephony 2nd Edition p. 228

I was glancing through the various trap notes in the Asterisk book when I came across that and remembered reading this particular issue.

By: Tzafrir Cohen (tzafrir) 2011-03-28 09:08:07

AstManProxy is unmaintained. I wonder if it has the same issue.

For the Debian packaging I enable the manager interface on localhost, so that the simple thing is not to have it listen on 0.0.0.0.

By: Matthew Nicholson (mnicholson) 2011-03-28 09:17:23

A fix for this issue should go out soon.

By: Tzafrir Cohen (tzafrir) 2011-04-03 12:08:09

ping

By: Matthew Nicholson (mnicholson) 2011-04-03 12:27:36

I have the patches for this ready to go. The fix is currently scheduled to go out this week.

By: Tzafrir Cohen (tzafrir) 2011-04-03 12:35:05

Where can I find them?

By: Matthew Nicholson (mnicholson) 2011-04-03 12:39:39

I will post them here tomorrow.

By: Digium Subversion (svnbot) 2011-04-05 09:10:35

Repository: asterisk
Revision: 312761

U   branches/1.4/configs/manager.conf.sample
U   branches/1.4/main/manager.c

------------------------------------------------------------------------
r312761 | mnicholson | 2011-04-05 09:10:34 -0500 (Tue, 05 Apr 2011) | 8 lines

Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate.

AST-2011-005

(closes issue ASTERISK-17578)
Reported by: tzafrir
Tested by: mnicholson

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312761

By: Digium Subversion (svnbot) 2011-04-05 09:11:47

Repository: asterisk
Revision: 312763

U   branches/1.6.1/configs/manager.conf.sample
U   branches/1.6.1/main/manager.c

------------------------------------------------------------------------
r312763 | mnicholson | 2011-04-05 09:11:46 -0500 (Tue, 05 Apr 2011) | 8 lines

Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate.

AST-2011-005

(closes issue ASTERISK-17578)
Reported by: tzafrir
Tested by: mnicholson

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312763

By: Digium Subversion (svnbot) 2011-04-05 09:13:08

Repository: asterisk
Revision: 312764

_U  branches/1.6.2/
U   branches/1.6.2/configs/manager.conf.sample
U   branches/1.6.2/main/manager.c

------------------------------------------------------------------------
r312764 | mnicholson | 2011-04-05 09:13:08 -0500 (Tue, 05 Apr 2011) | 15 lines

Merged revisions 312761 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r312761 | mnicholson | 2011-04-05 09:10:34 -0500 (Tue, 05 Apr 2011) | 8 lines
 
 Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate.
 
 AST-2011-005
 
 (closes issue ASTERISK-17578)
 Reported by: tzafrir
 Tested by: mnicholson
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312764

By: Digium Subversion (svnbot) 2011-04-05 09:14:51

Repository: asterisk
Revision: 312766

_U  branches/1.8/
U   branches/1.8/configs/manager.conf.sample
U   branches/1.8/main/manager.c

------------------------------------------------------------------------
r312766 | mnicholson | 2011-04-05 09:14:51 -0500 (Tue, 05 Apr 2011) | 22 lines

Merged revisions 312764 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

................
 r312764 | mnicholson | 2011-04-05 09:13:07 -0500 (Tue, 05 Apr 2011) | 15 lines
 
 Merged revisions 312761 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r312761 | mnicholson | 2011-04-05 09:10:34 -0500 (Tue, 05 Apr 2011) | 8 lines
   
   Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate.
   
   AST-2011-005
   
   (closes issue ASTERISK-17578)
   Reported by: tzafrir
   Tested by: mnicholson
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312766

By: Digium Subversion (svnbot) 2011-04-05 09:16:22

Repository: asterisk
Revision: 312767

_U  trunk/
U   trunk/configs/manager.conf.sample
U   trunk/main/manager.c

------------------------------------------------------------------------
r312767 | mnicholson | 2011-04-05 09:16:22 -0500 (Tue, 05 Apr 2011) | 29 lines

Merged revisions 312766 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
 r312766 | mnicholson | 2011-04-05 09:14:50 -0500 (Tue, 05 Apr 2011) | 22 lines
 
 Merged revisions 312764 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.6.2
 
 ................
   r312764 | mnicholson | 2011-04-05 09:13:07 -0500 (Tue, 05 Apr 2011) | 15 lines
   
   Merged revisions 312761 via svnmerge from
   https://origsvn.digium.com/svn/asterisk/branches/1.4
   
   ........
     r312761 | mnicholson | 2011-04-05 09:10:34 -0500 (Tue, 05 Apr 2011) | 8 lines
     
     Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate.
     
     AST-2011-005
     
     (closes issue ASTERISK-17578)
     Reported by: tzafrir
     Tested by: mnicholson
   ........
 ................
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312767

By: Digium Subversion (svnbot) 2011-04-05 09:22:06

Repository: asterisk
Revision: 312791

U   tags/1.8.3.3/configs/manager.conf.sample
U   tags/1.8.3.3/main/manager.c

------------------------------------------------------------------------
r312791 | lmadsen | 2011-04-05 09:22:05 -0500 (Tue, 05 Apr 2011) | 2 lines

AST-2011-005
(issue ASTERISK-17578)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312791

By: Digium Subversion (svnbot) 2011-04-05 09:22:19

Repository: asterisk
Revision: 312793

U   tags/1.6.2.17.3/configs/manager.conf.sample
U   tags/1.6.2.17.3/main/manager.c

------------------------------------------------------------------------
r312793 | lmadsen | 2011-04-05 09:22:19 -0500 (Tue, 05 Apr 2011) | 2 lines

AST-2011-005
(issue ASTERISK-17578)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312793

By: Digium Subversion (svnbot) 2011-04-05 09:22:30

Repository: asterisk
Revision: 312795

U   tags/1.6.1.25/configs/manager.conf.sample
U   tags/1.6.1.25/main/manager.c

------------------------------------------------------------------------
r312795 | lmadsen | 2011-04-05 09:22:30 -0500 (Tue, 05 Apr 2011) | 2 lines

AST-2011-005
(issue ASTERISK-17578)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312795

By: Digium Subversion (svnbot) 2011-04-05 09:22:36

Repository: asterisk
Revision: 312796

U   tags/1.4.40.1/configs/manager.conf.sample
U   tags/1.4.40.1/main/manager.c

------------------------------------------------------------------------
r312796 | lmadsen | 2011-04-05 09:22:35 -0500 (Tue, 05 Apr 2011) | 2 lines

AST-2011-005
(issue ASTERISK-17578)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=312796

By: Digium Subversion (svnbot) 2011-04-21 13:19:24

Repository: asterisk
Revision: 314607

U   branches/1.4/channels/chan_skinny.c
U   branches/1.4/configs/http.conf.sample
U   branches/1.4/configs/skinny.conf.sample
U   branches/1.4/main/http.c
U   branches/1.4/main/manager.c

------------------------------------------------------------------------
r314607 | mnicholson | 2011-04-21 13:19:24 -0500 (Thu, 21 Apr 2011) | 14 lines

Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.

Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.

AST-2011-005
AST-2011-006

(closes issue ASTERISK-17384)
Reported by: kobaz

(related to issue ASTERISK-17578)
Reported by: tzafrir


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=314607

By: Digium Subversion (svnbot) 2011-04-21 13:22:21

Repository: asterisk
Revision: 314620

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c
U   branches/1.6.2/channels/chan_skinny.c
U   branches/1.6.2/configs/http.conf.sample
U   branches/1.6.2/configs/sip.conf.sample
U   branches/1.6.2/configs/skinny.conf.sample
U   branches/1.6.2/main/http.c
U   branches/1.6.2/main/manager.c

------------------------------------------------------------------------
r314620 | mnicholson | 2011-04-21 13:22:20 -0500 (Thu, 21 Apr 2011) | 20 lines

Merged revisions 314607 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r314607 | mnicholson | 2011-04-21 13:19:21 -0500 (Thu, 21 Apr 2011) | 14 lines
 
 Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.
 
 Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.
 
 AST-2011-005
 AST-2011-006
 
 (closes issue ASTERISK-17384)
 Reported by: kobaz
 
 (related to issue ASTERISK-17578)
 Reported by: tzafrir
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=314620

By: Digium Subversion (svnbot) 2011-04-21 13:24:07

Repository: asterisk
Revision: 314628

_U  branches/1.8/
U   branches/1.8/channels/chan_sip.c
U   branches/1.8/channels/chan_skinny.c
U   branches/1.8/channels/sip/include/sip.h
U   branches/1.8/configs/http.conf.sample
U   branches/1.8/configs/sip.conf.sample
U   branches/1.8/configs/skinny.conf.sample
U   branches/1.8/main/http.c
U   branches/1.8/main/manager.c

------------------------------------------------------------------------
r314628 | mnicholson | 2011-04-21 13:24:07 -0500 (Thu, 21 Apr 2011) | 27 lines

Merged revisions 314620 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2

................
 r314620 | mnicholson | 2011-04-21 13:22:19 -0500 (Thu, 21 Apr 2011) | 20 lines
 
 Merged revisions 314607 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r314607 | mnicholson | 2011-04-21 13:19:21 -0500 (Thu, 21 Apr 2011) | 14 lines
   
   Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.
   
   Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.
   
   AST-2011-005
   AST-2011-006
   
   (closes issue ASTERISK-17384)
   Reported by: kobaz
   
   (related to issue ASTERISK-17578)
   Reported by: tzafrir
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=314628

By: Digium Subversion (svnbot) 2011-04-21 13:32:54

Repository: asterisk
Revision: 314666

_U  trunk/
U   trunk/channels/chan_sip.c
U   trunk/channels/chan_skinny.c
U   trunk/channels/sip/include/sip.h
U   trunk/configs/http.conf.sample
U   trunk/configs/sip.conf.sample
U   trunk/configs/skinny.conf.sample
U   trunk/main/http.c
U   trunk/main/manager.c

------------------------------------------------------------------------
r314666 | mnicholson | 2011-04-21 13:32:54 -0500 (Thu, 21 Apr 2011) | 34 lines

Merged revisions 314628 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8

................
 r314628 | mnicholson | 2011-04-21 13:24:05 -0500 (Thu, 21 Apr 2011) | 27 lines
 
 Merged revisions 314620 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.6.2
 
 ................
   r314620 | mnicholson | 2011-04-21 13:22:19 -0500 (Thu, 21 Apr 2011) | 20 lines
   
   Merged revisions 314607 via svnmerge from
   https://origsvn.digium.com/svn/asterisk/branches/1.4
   
   ........
     r314607 | mnicholson | 2011-04-21 13:19:21 -0500 (Thu, 21 Apr 2011) | 14 lines
     
     Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.
     
     Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.
     
     AST-2011-005
     AST-2011-006
     
     (closes issue ASTERISK-17384)
     Reported by: kobaz
     
     (related to issue ASTERISK-17578)
     Reported by: tzafrir
   ........
 ................
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=314666

By: Digium Subversion (svnbot) 2011-04-21 13:49:57

Repository: asterisk
Revision: 314685

U   branches/1.6.1/channels/chan_sip.c
U   branches/1.6.1/channels/chan_skinny.c
U   branches/1.6.1/configs/http.conf.sample
U   branches/1.6.1/configs/sip.conf.sample
U   branches/1.6.1/configs/skinny.conf.sample
U   branches/1.6.1/main/manager.c

------------------------------------------------------------------------
r314685 | mnicholson | 2011-04-21 13:49:56 -0500 (Thu, 21 Apr 2011) | 14 lines

Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously.  Also added timeouts for unauthenticated sessions where it made sense to do so.

Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.

AST-2011-005
AST-2011-006

(closes issue ASTERISK-17384)
Reported by: kobaz

(related to issue ASTERISK-17578)
Reported by: tzafrir


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=314685