Asterisk
ASTERISK-23373

[patch]Security: Open FD exhaustion with chan_sip Session-Timers

    Details

      Description

      An attacker can use all available open FDs with sipp INVITE requests. It seems this attack only requires knowledge of an extension on an Asterisk system that accepts "public" dial-in.

      sipp 192.168.1.1:5060 -s 100 -sf uac.xml -p 5066 -r 1000 -m 1000
      

      Asterisk will respond with code 422 for all 1000 INVITEs. This will leak 1000 channels, and when using timerfd that's 5000 open file descriptors. The file descriptors cannot be released without restarting Asterisk, so an intrusion detection system could be bypassed by sending the INVITEs slowly.

      I haven't yet checked to see if this can be exploited using a permitted Session Expires value.

      1. chan_sip-earlier-st.patch
        12 kB
        Corey Farrell
      2. chan_sip-earlier-st-1.8.patch
        12 kB
        Corey Farrell
      3. chan_sip-earlier-st-11.patch
        12 kB
        Corey Farrell
      4. uac.xml
        2 kB
        Corey Farrell


          Activity

          Corey Farrell added a comment -

          Note this issue was found using testsuite patched with ASTERISK-23369. tests/channels/SIP/session_timers/uas_minimum_se ended with chancount != 0, but with no threads for active channels. uac.xml is derived from that test.

          Corey Farrell added a comment -

          I first tried a patch that correctly hung up the channel and pvt, but sip_new allocates RTP and RTCP sockets, and they were held for 32 seconds on my system.

          To avoid opening RTP/RTCP, request errors need to be handled before sip_new. Session timers need to be after check_user, since st_get_mode can use p->relatedpeer.
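The two points above, the reporter's 422 flood and the ordering change in the comment (reject the request before anything that opens sockets), as an added example that is not Asterisk's code and is not part of this issue. It builds an INVITE of the kind the sipp scenario sends, applies the RFC 4028 rule that a UAS answers a Session-Expires below its Min-SE with 422 Session Interval Too Small plus a Min-SE header, and contrasts a handler that allocates per-call media descriptors before the check with one that validates first. The request text, the MIN_SE value, the FakeFdTable accounting (two descriptors per call, standing in for the RTP/RTCP pair; the real leak per the description is larger) and all function names are constructed for illustration, not chan_sip internals.

```python
import itertools
import re

# Constructed Min-SE for the modelled UAS; 90 s is the RFC 4028 default minimum.
MIN_SE = 90

_fd_counter = itertools.count(100)


class FakeFdTable:
    """Counts 'open' descriptors so a leak is observable. Not a real fd table."""

    def __init__(self):
        self.open = set()

    def alloc_rtp_pair(self):
        # Stands in for the RTP and RTCP sockets a per-call allocation opens.
        fds = (next(_fd_counter), next(_fd_counter))
        self.open.update(fds)
        return fds

    def release(self, fds):
        self.open.difference_update(fds)


def parse_headers(msg: str) -> dict:
    """Split a SIP request into its request line and a lower-cased header map."""
    request_line, _, rest = msg.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # the blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"request": request_line, "headers": headers}


def session_expires_seconds(headers: dict):
    """Return the Session-Expires delta-seconds (parameters ignored), or None if absent."""
    value = headers.get("session-expires")
    if value is None:
        value = headers.get("x")  # compact form of Session-Expires in RFC 4028
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def check_session_timer(headers: dict):
    """RFC 4028 UAS rule: an interval below Min-SE is rejected with 422 and a Min-SE header."""
    se = session_expires_seconds(headers)
    if se is not None and se < MIN_SE:
        return (422, "Session Interval Too Small", {"Min-SE": str(MIN_SE)})
    return None


def handle_invite_leaky(msg: str, fds: FakeFdTable):
    """Pre-fix ordering (modelled): allocate media first, then reject; the 422 path frees nothing."""
    parsed = parse_headers(msg)
    media = fds.alloc_rtp_pair()  # allocation happens before the request is validated
    err = check_session_timer(parsed["headers"])
    if err:
        return err  # modelled bug: `media` is never released on this path
    fds.release(media)  # an accepted call releases its media at hangup
    return (200, "OK", {})


def handle_invite_fixed(msg: str, fds: FakeFdTable):
    """Patched ordering (modelled): validate the request before any allocation."""
    parsed = parse_headers(msg)
    err = check_session_timer(parsed["headers"])
    if err:
        return err  # nothing was allocated, so nothing can leak
    media = fds.alloc_rtp_pair()
    fds.release(media)
    return (200, "OK", {})


def build_invite(session_expires: int, call_id: str) -> str:
    """Constructed INVITE in the shape the sipp uac scenario would send (addresses are made up)."""
    return (
        "INVITE sip:100@192.168.1.1 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.168.1.2:5066;branch=z9hG4bK-{call_id}\r\n"
        f"From: <sip:sipp@192.168.1.2>;tag={call_id}\r\n"
        "To: <sip:100@192.168.1.1>\r\n"
        f"Call-ID: {call_id}@192.168.1.2\r\n"
        "CSeq: 1 INVITE\r\n"
        "Supported: timer\r\n"
        f"Session-Expires: {session_expires};refresher=uac\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def flood(handler, count: int, session_expires: int = 10):
    """Send `count` INVITEs to a handler; return (status codes, descriptors still open)."""
    fds = FakeFdTable()
    statuses = [handler(build_invite(session_expires, f"c{i}"), fds)[0] for i in range(count)]
    return statuses, len(fds.open)


if __name__ == "__main__":
    print("leaky:", flood(handle_invite_leaky, 1000)[1], "descriptors left open")
    print("fixed:", flood(handle_invite_fixed, 1000)[1], "descriptors left open")
```

Running it shows the shape of the report: every request gets a 422, but only the handler that validates before allocating ends with zero descriptors open. The same ordering check applies to any other pre-dialog rejection that can be decided from headers alone.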

          Corey Farrell added a comment -

          I forgot to mention, chan_sip-earlier-st.patch is for branches/1.8 only. I want to get feedback on this approach before I prepare patches for 11+.

          Kinsey Moore added a comment -

          Now that I have some other issues out of the way, I'm going to look into the attached patch.

          Kinsey Moore added a comment -

          This looks pretty solid. Go ahead with the 11+ implementation whenever you're ready.

          Corey Farrell added a comment -

          Updated 1.8 patch includes a tiny change to add {} to an if statement that is being moved to the new procedure.

          It turns out the difference in this code between versions is much smaller than I initially thought; get_header has been renamed to sip_get_header.

          I also ran this through testsuite channels/SIP for 1.8 and 11, compiled against 12 and trunk.

          Kinsey Moore added a comment -

          These patches look good. I'm going to go ahead and push them into our internal security repository unless you have any more changes you'd like to make to them.

          Corey Farrell added a comment -

          Please go ahead, thank you.

          Kinsey Moore added a comment -

          This has been committed to 1.8, 1.8.15-certified, 11, 11.6-certified, 12, and trunk.

