
IAX2 RE DoS: Don’t Let The Fuzz Get You!



Presentation Transcript


  1. Blake Cornell OWASP Board Member NY/NJ/LI blake@owasp.org 212-202-6704 IAX2 RE DoS: Don’t Let The Fuzz Get You! 0day Project

  2. Open Source VoIP Dilemma Asterisk is the Open Source VoIP PBX. It supports multiple signalling protocols, one of which is its own: the Inter-Asterisk eXchange protocol (IAX2). IAX is arguably the best VoIP signalling protocol by design. Unlike SIP, which requires up to 10,001 UDP ports, IAX requires just 1! NAT friendly. Asterisk has been gaining significant headway in the mid-size PBX VoIP market. if(IAX == !SAFE_FOR_WORK) { asterisk = !SAFE_FOR_WORK; }

  3. Previous Asterisk IAX Research During The Last HOPE conference (2600), I spoke on an Asterisk VoIP topic. It was titled “Autonomously Bypassing VoIP Filters with Asterisk”. My friend Jeremy McNamara (NuFone founder) and I detailed how a VoIP provider and/or a VoIP client could guarantee VoIP service in any country (or airplane) in the world. During the talk, I released an IAX application port scanner that could be used to find accessible IAX2 services. This script utilized the IAX Control POKE request to determine whether a UDP service was an Asterisk server or not.

  4. Previous Asterisk IAX Research

  5. POKE Asterisk IAX Vulnerability A flood of IAX Control POKE packets caused a Resource Exhaustion on IAX Call Numbers. If you got hit by the POKE (et al.), you would experience:
     • Elevated PDD
     • Audio jitter and dropped audio
     • Dropped phone calls
     • Asterisk Segmentation Fault (non-exploitable, 1.4 branch only)
     • CVE-2008-3263

  6. POKE Asterisk IAX Vulnerability

  7. POKE Asterisk IAX Vulnerability

  8. POKE Asterisk IAX Vulnerability

  9. Digium's POKE “Issue”
     if ((f.frametype == AST_FRAME_IAX) &&
         ((f.subclass == IAX_COMMAND_NEW) ||
          (f.subclass == IAX_COMMAND_REGREQ) ||
          (f.subclass == IAX_COMMAND_POKE) ||
          (f.subclass == IAX_COMMAND_FWDOWNL) ||
          (f.subclass == IAX_COMMAND_REGREL)))
         new = NEW_ALLOW;
     There are only 15 bits available for call numbers. Once all of these call numbers are allocated, no new call numbers can be issued. So what if we can consume all the call numbers?

  10. System Resource Usage in “Stable” v1.4 • CPU utilization increases during the attack. • Usually 100% on one core of one CPU. • CPU utilization hangs around 50% after the attack is over. • Due in part to a 'rand' function within the call number determination algorithm.

  11. Digium's POKE “Fix”
     /* Deal with POKE/PONG without allocating a callno */
     if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
         /* Reply back with a PONG, but don't care about the result. */
         send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
         return 1;
     } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
         /* Ignore */
         return 1;
     }

  12. Why is this not a good solution?
     if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
         send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
         return 1;
     } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
         /* Ignore */
         return 1;
     }
     if ((f.frametype == AST_FRAME_IAX) &&
         ((f.subclass == IAX_COMMAND_NEW) ||
          (f.subclass == IAX_COMMAND_REGREQ) ||
          (f.subclass == IAX_COMMAND_POKE) ||
          (f.subclass == IAX_COMMAND_FWDOWNL) ||
          (f.subclass == IAX_COMMAND_REGREL)))
         new = NEW_ALLOW;

  13. Sloppy Fix?
     if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
         send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
         return 1;
     } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
         /* Ignore */
         return 1;
     }
     if ((f.frametype == AST_FRAME_IAX) &&
         ((f.subclass == IAX_COMMAND_NEW) ||
          (f.subclass == IAX_COMMAND_REGREQ) ||
          (f.subclass == IAX_COMMAND_POKE) ||
          (f.subclass == IAX_COMMAND_FWDOWNL) ||
          (f.subclass == IAX_COMMAND_REGREL)))
         new = NEW_ALLOW;
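To make the call-number allocation rule from slides 9 and 11-13 concrete, here is an added example (not code from the talk or from Asterisk) that parses a 12-byte IAX2 full-frame header and applies the same NEW_ALLOW predicate before and after the POKE fix. It assumes the header layout of draft-guy-iax / RFC 5456 (F bit + 15-bit source call number, R bit + 15-bit destination call number, 32-bit timestamp, OSeqno, ISeqno, frame type, C bit + 7-bit subclass); the frame type value 6 for AST_FRAME_IAX and the subclass values for POKE (0x1e) and FWDOWNL (0x24) are taken from the Asterisk headers and RFC 5456, not from this page. The build_full_frame helper only constructs headers so the parser can be exercised offline.

```python
"""Parse IAX2 full-frame headers and decide which unauthenticated frames would
consume one of the 15-bit call numbers under the pre-fix and post-fix rules.
Added example: assumes RFC 5456 / draft-guy-iax header layout."""
import struct
from dataclasses import dataclass

AST_FRAME_IAX = 6  # frame type of IAX control frames (value from Asterisk headers)

# Subclass values 0x01..0x11 follow the draft's control-frame table;
# POKE and FWDOWNL values are taken from RFC 5456 / iax2.h.
IAX_COMMANDS = {
    0x01: "NEW", 0x02: "PING", 0x03: "PONG", 0x04: "ACK", 0x05: "HANGUP",
    0x06: "REJECT", 0x07: "ACCEPT", 0x08: "AUTHREQ", 0x09: "AUTHREP",
    0x0a: "INVAL", 0x0b: "LAGRQ", 0x0c: "LAGRP", 0x0d: "REGREQ",
    0x0e: "REGAUTH", 0x0f: "REGACK", 0x10: "REGREJ", 0x11: "REGREL",
    0x1e: "POKE", 0x24: "FWDOWNL",
}
NAME_TO_SUBCLASS = {name: value for value, name in IAX_COMMANDS.items()}

CALLNO_BITS = 15
MAX_CALLNO = (1 << CALLNO_BITS) - 1  # 32767 usable call numbers per peer address

# The commands that chan_iax2.c allows to allocate a call number (new = NEW_ALLOW)
NEW_ALLOW_COMMANDS = {"NEW", "REGREQ", "POKE", "FWDOWNL", "REGREL"}


@dataclass
class FullFrame:
    scallno: int      # source call number, 15 bits
    dcallno: int      # destination call number, 15 bits (0 = not yet assigned)
    retrans: bool     # R bit: retransmission
    timestamp: int
    oseqno: int
    iseqno: int
    frametype: int
    subclass: int     # C bit already stripped

    @property
    def command(self) -> str:
        return IAX_COMMANDS.get(self.subclass, f"0x{self.subclass:02x}")


def is_full_frame(data: bytes) -> bool:
    """True when the F bit (high bit of the first 16-bit word) is set."""
    return len(data) >= 2 and bool(data[0] & 0x80)


def parse_full_frame(data: bytes) -> FullFrame:
    if len(data) < 12:
        raise ValueError("IAX2 full frame header is 12 bytes")
    if not is_full_frame(data):
        raise ValueError("F bit clear: this is a mini frame, not a full frame")
    sc, dc, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", data[:12])
    return FullFrame(
        scallno=sc & 0x7fff,
        dcallno=dc & 0x7fff,
        retrans=bool(dc & 0x8000),
        timestamp=ts, oseqno=oseq, iseqno=iseq,
        frametype=ftype, subclass=sub & 0x7f,
    )


def allocates_callno(frame: FullFrame, poke_fix: bool = False) -> bool:
    """Mirror the NEW_ALLOW condition: an IAX control frame that arrives with no
    destination call number makes Asterisk allocate a call number before any
    authentication. With the POKE fix applied, POKE is answered with PONG
    without allocating one, but the other four commands still allocate."""
    if frame.frametype != AST_FRAME_IAX or frame.dcallno != 0:
        return False
    if poke_fix and frame.command == "POKE":
        return False
    return frame.command in NEW_ALLOW_COMMANDS


def build_full_frame(command: str, scallno: int = 1, dcallno: int = 0,
                     ts: int = 0, oseq: int = 0, iseq: int = 0) -> bytes:
    """Construct a bare 12-byte header (no information elements) for testing."""
    return struct.pack("!HHIBBBB", 0x8000 | (scallno & 0x7fff), dcallno & 0x7fff,
                       ts, oseq, iseq, AST_FRAME_IAX, NAME_TO_SUBCLASS[command])


if __name__ == "__main__":
    for name in ("POKE", "NEW", "REGREQ", "PING"):
        f = parse_full_frame(build_full_frame(name, scallno=7))
        print(f"{name:7s} pre-fix allocates={allocates_callno(f)} "
              f"post-fix allocates={allocates_callno(f, poke_fix=True)}")
```

Running the block prints that POKE stops allocating once the fix is in, while NEW, REGREQ, FWDOWNL and REGREL keep doing so; that is exactly what the unchanged NEW_ALLOW list on slides 12 and 13 shows, and why the slides ask whether the fix is good enough.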

  14. IAX Vuln Discovery and Disclosure Since POKE was discovered by accident, I figured that I could find more on purpose. I then rapidly discovered an additional 12 RE DoS conditions for IAX. How did I find these flaws? Hint: Don't let the Fuzz get you! Hint: You were just looking at a big clue! Digium, the makers and maintainers of Asterisk, were informed on multiple occasions starting over a year ago regarding these issues. Digium had included executives, developers and security staff in VA discussions. Digium eventually started refusing to respond to my further inquiries and thus refusing to officially respond to these issues. Putting all IAX2 users at risk. For over 14 months. What could I do to get Digium's further attention and help raise awareness of these issues? I contemplated releasing a PoC script to demonstrate the weakness?

  15. Who could work here? • In Huntsville Alabama?

  16. How about here? • ?

  17. Or here? • ?

  18. Resource Exhaustion 0days I released two additional 0days to the public. http://www.securityscraper.com/ The release was timed to coincide with Astricon 2008. There were numerous Asterisk developers at Astricon when the PoC code was released. There was also a week-long “code zone” where developers fix outstanding issues. At that time I had enough RE 0days to continue releasing one every day for just under a month (without any additional research).

  19. How to determine if you are being attacked? A stream of unauthenticated IAX packets is a big clue. On Asterisk v1.4, it can take up to 30 minutes to exhaust all call numbers and eventually segfault Asterisk. Asterisk v1.6 takes 30 seconds to exhaust call numbers and does not segfault. Common issues during an attack:
     • High or infinite Post Dial Delay
     • Jitter and dropped audio
     • Dropped phone calls
     • Segmentation Fault
     • “chan_iax2.c: Raw Hangup” If you see this, you are more than likely being attacked or out of memory (which can be both).
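The slide names the “chan_iax2.c: Raw Hangup” message as the symptom to watch for. The following added example (not part of the talk, and not an Asterisk or NuFone tool) scans Asterisk full-log lines for bursts of that message and raises an alert when a configurable number of them land inside a short window, which is one way to “actively monitor the IAX service” without a vendor fix. The log lines are constructed for the example; they follow the default Asterisk log prefix format, but the text after “Raw Hangup” is made up and is not what Asterisk prints.

```python
"""Flag bursts of chan_iax2 "Raw Hangup" messages in Asterisk log output.
Added example with constructed log lines; thresholds are illustrative."""
import re
from collections import deque
from datetime import datetime

# Default Asterisk full-log prefix: [Mon DD HH:MM:SS] LEVEL[pid]: file:line func: message
# Only chan_iax2.c lines are matched; everything else is ignored.
LOG_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]\s+(?P<level>\w+)\[\d+\]:\s+"
    r"(?P<src>chan_iax2\.c)\S*\s+(?P<msg>.*)$"
)

# Constructed sample: six Raw Hangup lines, five of them within four seconds.
SAMPLE_LOG = """\
[Nov 1 12:00:01] NOTICE[2101]: chan_iax2.c:9003 socket_process: Registration from '100' rejected
[Nov 1 12:00:05] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=12, dst=0
[Nov 1 12:00:05] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=13, dst=0
[Nov 1 12:00:06] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=14, dst=0
[Nov 1 12:00:06] NOTICE[2101]: chan_sip.c:1234 handle_request: unrelated SIP line
[Nov 1 12:00:07] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=15, dst=0
[Nov 1 12:00:08] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=16, dst=0
[Nov 1 12:30:00] WARNING[2101]: chan_iax2.c:8120 socket_process: Raw Hangup 10.0.0.9:4569, src=17, dst=0
""".splitlines()


def parse_ts(stamp: str, year: int = 2009) -> datetime:
    """Asterisk's default prefix carries no year, so one is supplied."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def raw_hangup_events(lines):
    """Yield the timestamp of every chan_iax2.c line containing 'Raw Hangup'."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and "Raw Hangup" in m.group("msg"):
            yield parse_ts(m.group("ts"))


def count_raw_hangups(lines) -> int:
    return sum(1 for _ in raw_hangup_events(lines))


def raw_hangup_bursts(lines, window_seconds: int = 10, threshold: int = 5):
    """Return (burst_start, count) for every run of at least `threshold`
    Raw Hangup messages that fall within `window_seconds`. The window is reset
    after each alert so one sustained flood yields one alert per `threshold`
    messages rather than one per line."""
    recent = deque()
    alerts = []
    for t in raw_hangup_events(lines):
        recent.append(t)
        while (t - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    print("Raw Hangup lines:", count_raw_hangups(SAMPLE_LOG))
    for start, n in raw_hangup_bursts(SAMPLE_LOG):
        print(f"ALERT: {n} Raw Hangup messages starting {start:%H:%M:%S}; "
              "possible IAX2 call-number exhaustion or memory pressure")
```

A single Raw Hangup during normal operation is not an alert; the burst threshold is what separates the attack pattern on the slide (many unauthenticated frames in seconds) from a stray malformed packet. Tune the window and threshold to the PBX's normal IAX traffic before wiring this into a pager.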

  20. How to determine if you are being attacked? Case Study: NuFone UAT Environment. 1st line: start of attack. 2nd line: start of second attack. 3rd line: stop of both attacks. 4th line: segfault.

  21. How to determine if you are being attacked? • User experience during an attack. • Two instances of the attack were launched. • 25 second PDD immediately. • After 2 loops of the attack, numerous “raw hangup” errors are displayed within the Asterisk CLI. No audio on existing phone call. 31 second PDD.

  22. Prevention Since there was no vendor fix for these issues, there were a few options:
     • Block IAX to only trusted IPs (server to server)
     • Disable IAX
     • Actively monitor the IAX service
     • Hope that Digium fixes it…
     I would have told you that this was never going to happen. My best guess was that they couldn’t fix it without breaking backward compatibility (a.k.a. IAX3). Then, 2 business days before this talk, I received an email from Digium. They claimed to “fix” these issues. AST-2009-009

  23. AST-2009-006 Was Born • “After quite a bit of thought and development, there will be a patch/update released tomorrow to IAX2 that should at least create conditions that make IAX2 less vulnerable to the DoS attack vectors that you and others have identified in relation to call sequence number exhaustion. This is not a full solution, but it will reduce attack vectors significantly. There is a fundamental change in IAX2 to address the exhaustion issue, and Asterisk will have a switching mechanism on a per-peer basis to allow backwards compatibility without significant re-work of configuration files or code.” • “The implementation here took much longer than expected, as this has been balanced with other open-source tasks as well as fundamentally being a difficult proposition to solve. I'd like to solicit your thoughts on the solution, and if you have comments on the methodology I would be happy to discuss them with you. While it is never a comfortable process to discover shortcomings in protocols or code, we think that the solution that is being put in place is a reasonable balance between functionality and protection. Thank you for your continued consideration and discussion; despite our delay in this particular solution, we are very interested in keeping Asterisk safe from denial of service or other security issues and your observations and discoveries of security issues are welcome.” • I agreed with everything “initially”, especially the part where they finally thanked me for my voluntary efforts spanning over a year.

  24. Prevention • Digium decided to utilize a solution that broke backward compatibility. There is likely no other way. • VA Metrics • Fixing a vulnerability in production is 33 times more costly than while in the design phase. • Utilizing this industry metric we can roughly determine that, while it took just over 14 months to find a feasible solution, it would have taken two weeks if it had been discovered and fixed during the design phase.

  25. Design Errors Are Costly

  26. Fuzzing IAX I built my IAX Fuzzer in two days. Took the IAX IETF Draft and recreated the IAX packet structure. http://tools.ietf.org/id/draft-guy-iax-05.txt Ported the data structures into name/value pair hashes. Programmed the fuzzer to assemble all types of possible IAX packet combinations. Generated gigs of log data. Used bash mechanisms to extrapolate vulnerable packet types. The Fuzzer loops through the unauthenticated space of the protocol stack. Discovered and confirmed over 12 vulnerabilities within a weekend.

  27. Fuzzing IAX
     | 0x01 | NEW     | Initiate a new call             |
     | 0x02 | PING    | Ping request                    |
     | 0x03 | PONG    | Ping or poke reply              |
     | 0x04 | ACK     | Explicit acknowledgment         |
     | 0x05 | HANGUP  | Initiate call tear-down         |
     | 0x06 | REJECT  | Reject a call                   |
     | 0x07 | ACCEPT  | Accept a call                   |
     | 0x08 | AUTHREQ | Authentication request          |
     | 0x09 | AUTHREP | Authentication reply            |
     | 0x0a | INVAL   | Invalid message                 |
     | 0x0b | LAGRQ   | Lag request                     |
     | 0x0c | LAGRP   | Lag reply                       |
     | 0x0d | REGREQ  | Registration request            |
     | 0x0e | REGAUTH | Registration authentication     |
     | 0x0f | REGACK  | Registration acknowledgement    |
     | 0x10 | REGREJ  | Registration reject             |
     | 0x11 | REGREL  | Registration release            |
     […]

  28. Fuzzing IAX
     # Perl hash of IAX control-frame subclass names to their hex values
     my %iaxControlFrames = (
         'Nan'     => "00",
         'NEW'     => "01",
         'PING'    => "02",
         'PONG'    => "03",
         'ACK'     => "04",
         'HANGUP'  => "05",
         'REJECT'  => "06",
         'ACCEPT'  => "07",
         'AUTHREQ' => "08",
         'AUTHREP' => "09",
         'INVAL'   => "0a",
         'LAGRQ'   => "0b",
         'LAGRP'   => "0c",
         'REGREQ'  => "0d",
         'REGAUTH' => "0e",
         'REGACK'  => "0f",
         'REGREJ'  => "10",
         'REGREL'  => "11",
         […]

  29. Time For Fun • But first… Mad Props • Jeremy McNamara, Founder Nufone • (QA exploits, expertise and knowledge [knows more about VoIP than anyone]) • Noam Rathus, SecuriTeam • (SecuriTeam Secure Disclosure [experience regarding resistant software maintainers]) • John Todd, Digium • (The only “friendly” and “sane” person working at Digium [kept me in the loop]) • If time is short we will do one of the following. • Run a demo attack? • perl iaxFuzz.pl --dos -h 127.0.0.1 -v • Show you something new and interesting (SIP+XSS)? • perl sipFuzzer.pl -h 127.0.0.1 -v --xss --sqli • Thanks!!
