Summary: ASTERISK-23373: [patch] Security: Open FD exhaustion with chan_sip Session-Timers
Reporter: Corey Farrell (coreyfarrell)
Labels: Security
Date Opened: 2014-02-25 10:44:04.000-0600
Date Closed: 2014-03-10 15:12:54
Priority: Major
Regression?:
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions: SVN, 1.8.25.0, 11.7.0, 12.0.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
(0) chan_sip-earlier-st.patch
(1) chan_sip-earlier-st-1.8.patch
(2) chan_sip-earlier-st-11.patch
(3) uac.xml
Description:
An attacker can use all available open FDs with sipp INVITE requests. It seems this attack only requires knowledge of an extension on an Asterisk system that accepts "public" dial-in.
{noformat}
sipp 192.168.1.1:5060 -s 100 -sf uac.xml -p 5066 -r 1000 -m 1000
{noformat}
Asterisk will respond with code 422 for all 1000 INVITEs. This will leak 1000 channels, and when using timerfd that's 5000 open file descriptors. The file descriptors cannot be released without restarting Asterisk, so an intrusion detection system could be bypassed by sending the INVITEs slowly. I haven't yet checked to see if this can be exploited using a permitted Session-Expires value.
Comments:

By: Corey Farrell (coreyfarrell) 2014-02-25 11:25:32.409-0600
Note this issue was found using testsuite patched with ASTERISK-23369. tests/channels/SIP/session_timers/uas_minimum_se ended with chancount != 0, but with no threads for active channels. uac.xml is derived from that test.

By: Corey Farrell (coreyfarrell) 2014-02-27 02:29:45.566-0600
I first tried a patch that correctly hung up the channel and pvt, but {{sip_new}} allocates RTP and RTCP sockets, and they were held for 32 seconds on my system. To avoid opening RTP/RTCP, request errors need to be handled before {{sip_new}}. Session timers need to be after {{check_user}}, since {{st_get_mode}} can use p->relatedpeer.

By: Corey Farrell (coreyfarrell) 2014-02-27 12:57:51.704-0600
I forgot to mention, [^chan_sip-earlier-st.patch] is for branches/1.8 only. I want to get feedback on this approach before I prepare patches for 11+.

By: Kinsey Moore (kmoore) 2014-03-03 15:04:39.027-0600
Now that I have some other issues out of the way, I'm going to look into the attached patch.

By: Kinsey Moore (kmoore) 2014-03-04 11:09:26.560-0600
This looks pretty solid. Go ahead with the 11+ implementation whenever you're ready.

By: Corey Farrell (coreyfarrell) 2014-03-05 00:04:57.755-0600
Updated 1.8 patch includes a tiny change to add {} to an if statement that is being moved to the new procedure. It turns out the difference in this code between versions is much smaller than I initially thought; {{get_header}} has been renamed to {{sip_get_header}}. I also ran this through testsuite channels/SIP for 1.8 and 11, compiled against 12 and trunk.

By: Kinsey Moore (kmoore) 2014-03-05 14:04:06.034-0600
These patches look good. I'm going to go ahead and push them into our internal security repository unless you have any more changes you'd like to make to them.

By: Corey Farrell (coreyfarrell) 2014-03-05 14:13:54.748-0600
Please go ahead, thank you.

By: Kinsey Moore (kmoore) 2014-03-10 09:24:02.751-0500
This has been committed to 1.8, 1.8.15-certified, 11, 11.6-certified, 12, and trunk.
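The root cause discussed in the comments is an ordering defect: the per-call state (and its RTP/RTCP sockets) was allocated before the Session-Expires check, so a 422 rejection left those descriptors open. The following is an added illustration of that pattern and of the fix ordering the patch adopts (validate the request, then allocate); it is not code from Asterisk or from the patches attached to this ticket. The names `Channel`, `handle_invite_leaky`, `handle_invite_fixed`, `MIN_SE`, the two-socket channel model, and the sample INVITE are all constructed for the example (chan_sip's real per-channel cost with timerfd is five descriptors, per the description above).

```python
"""Model of an allocate-before-validate descriptor leak and its fix.
Added illustration for ASTERISK-23373; not chan_sip code."""
import re
import socket

MIN_SE = 90  # constructed: the local minimum Session-Expires policy, in seconds

_SE_RE = re.compile(r"^Session-Expires:\s*(\d+)", re.IGNORECASE | re.MULTILINE)


def session_expires(invite: str):
    """Return the integer Session-Expires value of a raw SIP INVITE, or None."""
    m = _SE_RE.search(invite)
    return int(m.group(1)) if m else None


class Channel:
    """Stand-in for per-call state whose constructor opens media sockets
    (the model opens two UDP sockets, one for RTP and one for RTCP)."""

    def __init__(self):
        self.rtp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.rtcp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def close(self):
        self.rtp.close()
        self.rtcp.close()


def handle_invite_leaky(invite: str, live: list) -> int:
    """Defective ordering: allocate first, then reject without releasing.
    Every 422 leaves a Channel (and its two descriptors) behind in `live`."""
    chan = Channel()
    live.append(chan)
    se = session_expires(invite)
    if se is not None and se < MIN_SE:
        return 422  # Session Interval Too Small; chan is never closed
    return 100  # Trying; call proceeds and would be torn down normally later


def handle_invite_fixed(invite: str, live: list) -> int:
    """Corrected ordering: validate Session-Expires before anything is allocated,
    so a rejected request never owns a descriptor."""
    se = session_expires(invite)
    if se is not None and se < MIN_SE:
        return 422
    chan = Channel()
    live.append(chan)
    return 100


def descriptors_held(live: list) -> int:
    """Count media descriptors still open across all tracked channels."""
    return sum(2 for c in live if c.rtp.fileno() >= 0 and c.rtcp.fileno() >= 0)


def simulate(handler, count: int, se: int = 30):
    """Feed `count` identical INVITEs to a handler; return
    (number rejected with 422, descriptors still held afterwards)."""
    # Constructed INVITE; the Session-Expires value is below MIN_SE by default.
    invite = (
        "INVITE sip:100@example.invalid SIP/2.0\r\n"
        f"Session-Expires: {se}\r\n\r\n"
    )
    live = []
    codes = [handler(invite, live) for _ in range(count)]
    held = descriptors_held(live)
    for chan in live:  # release the model's sockets so the demo is self-cleaning
        chan.close()
    return codes.count(422), held


if __name__ == "__main__":
    print("leaky:", simulate(handle_invite_leaky, 5))  # (5, 10)
    print("fixed:", simulate(handle_invite_fixed, 5))  # (5, 0)
```

Running the block shows the same rejection count for both handlers, but only the leaky ordering still holds descriptors after the rejections; with the fixed ordering a flood of too-small Session-Expires values costs no descriptors at all, which is the property the chan_sip patch restores.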