Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16412
HistoryMar 19, 2007 - 12:00 a.m.

[Full-disclosure] Asterisk SDP DOS vulnerability

2007-03-1900:00:00
vulners.com
8
JSON

MADYNES Security Advisory

<http://madynes.loria.fr/&gt; http://madynes.loria.fr

Title: Asterisk SIP INVITE remote DOS

Release Date:

  08/03/2007

Severity:

  High - Denial of  Service

Advisory ID:KIPH1

Software:

  Asterisk

   &lt;http://www.asterisk.org/&gt; http://www.asterisk.org/

AsteriskR is a complete IP PBX in software. It runs on a wide variety of
operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun
Solaris and provides all of the features you would expect from a PBX
including many advanced features that are often associated with high end
(and high cost) proprietary PBXs. AsteriskR supports Voice over IP in many
protocols, and can interoperate with almost all standards-based telephony
equipment using relatively inexpensive hardware.

Affected Versions:

  Asterisk 1.2.14, 1.2.15, 1.2.16 

  Asterisk 1.4.1 

  probably previous versions also

Unaffected Versions: Trunk version to date (13/03/2007)

Vulnerability Synopsis: After sending a crafted INVITE message the software
finish abruptly its execution with a Segmentation Fault provoking a Denial
of Service (DoS) in all the services provided by the entity.

Impact: A remote individual can remotely crash and perform a Denial of
Service(DoS) attack in all the services provided by the software by sending
one crafted SIP INVITE message. This is conceptually similar to the "ping of
death".

Resolution: The problem has been fixed in Asterisk versions 1.4.2 and
1.2.17, which is released today 19/03/2007

Vulnerability Description: After sending a crafted message the software
crash abruptly. The message in this case is an anonymous INVITE where the
SDP contains 2 connection headers. The first one must be valid and the
second not where the IP address should be invalid. The callee needs not to
be a valid user or dialplan. In case where asterisk is set to disallow
anonymous call, a valid user and password should be known, and while
responding the corresponding INVITE challenge the information should be
crafted as above. After this crafted SIP INVITE message, the affected
software crash immediately.

Proof of Concept Code: available

Credits:

  Humberto J. Abdelnur &#40;Ph.D Student&#41;

  Radu State &#40;Ph.D&#41;

  Olivier Festor &#40;Ph.D&#41;

  This vulnerability was identified by the Madynes research team at

INRIA

  Lorraine, using the Madynes VoIP fuzzer.

   &lt;http://madynes.loria.fr/&gt; http://madynes.loria.fr/

Disclosure Distribution:

  The advisory will be posted on the following websites:



  1&#41;    Asterisk&#39;s website

  2&#41;     &lt;http://madynes.loria.fr/&gt; http://madynes.loria.fr website



  The advisory will be posted to the following mailing lists:



  1&#41;    [email protected]

  2&#41;    [email protected]
JSON