Tags › Denial of Service
VoIPmonitor: static builds lack memory corruption protections
Published on Mar 15, 2021 in voipmonitor, buffer overflow, denial of service, memory corruption, security advisory
- Fixed versions: N/A
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-04-voipmonitor-staticbuild-memory-corruption-protection/
- VoIPmonitor Security Advisory: none
- Tested vulnerable versions: 27.5
- Timeline:
  - Report date: 2021-02-10 & 2021-02-13
  - Enable Security advisory: 2021-03-15
Description
The binaries available for download at https://www.voipmonitor.org/download are built without any memory corruption protection in place. The following is output from the tool hardening-check:
hardening-check voipmonitor:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: no, not found!
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: unknown, no -fcf-protection instructions found!
When stack protection, Fortify Source and the other protection mechanisms listed above are in place, exploitation of memory corruption vulnerabilities normally results in a program crash rather than remote code execution. Most modern compilation toolchains enable these features by default. When they are absent, attackers may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run arbitrary code. In this advisory we demonstrate how a buffer overflow reported in a separate advisory could be abused to run arbitrary code because of the lack of standard memory corruption protection in the static build releases of VoIPmonitor.
…
sngrep: stack overflow via malformed SDP connection address
Published on Nov 20, 2020 in sngrep, denial of service, security advisory
- Fixed versions: 1.4.8
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-04-sngrep-malformed-connection-address/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-04-sngrep-malformed-connection-address
- Tested vulnerable versions: 1.4.7
- Timeline:
  - Report date: 2020-09-16
  - sngrep confirmed issue + patch: 2020-09-16
  - sngrep release with fix: 2020-11-10
  - Enable Security advisory: 2020-11-20
Description
When sending a specially crafted SIP message with a malformed SDP connection address, sngrep crashes due to a stack overflow. The following backtrace was generated during our tests:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2 0x00007ffff7d583ee in __libc_message (
action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dfa9ba in __GI___fortify_fail (
msg=msg@entry=0x7ffff7e82064 "stack smashing detected")
at fortify_fail.c:26
#4 0x00007ffff7dfa986 in __stack_chk_fail () at stack_chk_fail.c:24
#5 0x0000555555560651 in sip_parse_msg_media (msg=0x7ffff0046c60,
payload=<optimized out>) at sip.c:740
#6 0x3131313131313131 in ?? ()
#7 0x3131313131313131 in ?? ()
The issue was originally discovered during OpenSIPIt; it was tracked down and analyzed for severity and impact later.
…
sngrep: buffer overflow via malformed SDP media type
Published on Nov 20, 2020 in sngrep, buffer overflow, denial of service, security advisory
- Fixed versions: 1.4.8
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-03-sngrep-malformed-media-type/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-03-sngrep-malformed-media-type
- Tested vulnerable versions: 1.4.7
- Timeline:
  - Report date: 2020-09-16
  - sngrep confirmed issue + patch: 2020-09-16
  - sngrep release with fix: 2020-11-10
  - Enable Security advisory: 2020-11-20
Description
When sending a specially crafted SIP message with a malformed SDP media type, sngrep crashes due to a buffer overflow. The following backtrace was generated during our tests:
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2 0x00007ffff7d583ee in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dfa9ba in __GI___fortify_fail (
msg=msg@entry=0x7ffff7e82012 "buffer overflow detected") at fortify_fail.c:26
#4 0x00007ffff7df9256 in __GI___chk_fail () at chk_fail.c:28
#5 0x00007ffff7df8b36 in __strcpy_chk (dest=0x7ffff00306f2 "",
src=0x7ffff79fcad1 'A' <repeats 200 times>..., destlen=destlen@entry=15)
at strcpy_chk.c:30
#6 0x0000555555563f72 in strcpy (__src=<optimized out>, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7 media_set_type (media=<optimized out>, type=<optimized out>) at media.c:65
#8 0x0000000000000000 in ?? ()
The issue was originally discovered during OpenSIPIt; it was tracked down and analyzed for severity and impact later.
…
How doing QA testing for SIPVicious PRO led to an Asterisk DoS
Published on Nov 10, 2020 in fuzzing, sip security, sipvicious pro, sip security testing, denial of service
Executive summary (TL;DR)
While heavily testing SIPVicious PRO for bugs, we encountered an unexpected crash in Asterisk. We reported this to the Asterisk team, who issued a fix. (Update February 4, 2026: SIPVicious PRO is an internal tool and is not sold or licensed.)
How the Asterisk crash was found
We test our software as much as we can because, like any other software, ours contains bugs too! When it comes to SIPVicious PRO, one of our quality assurance tests is to run it against instances of Asterisk and Kamailio and check for expected results. Our test suite loads these servers in a docker environment and automatically runs SIPVicious PRO against these targets. During these tests, we look for crashes, race conditions and other unchecked states that we might have failed to address in our own code. We do this through various methods, one of which is to observe exit codes in SIPVicious PRO that indicate the result of the test.
…
Asterisk: crash via INVITE flood over TCP
Published on Nov 6, 2020 in CVE-2020-28327, asterisk, denial of service, security advisory
- Fixed versions: 13.37.1, 16.14.1, 17.8.1, 18.0.1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-02-asterisk-tcp-invite-crash/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-02-asterisk-tcp-invite-crash
- Asterisk Security Advisory: https://downloads.asterisk.org/pub/security/AST-2020-001.html
- References: AST-2020-001, CVE-2020-28327
- Tested vulnerable versions: 17.5.1, 17.6.0
- Timeline:
  - Report date: 2020-08-31
  - Triaged: 2020-09-01
  - Fix provided for testing: 2020-10-29
  - Asterisk release with fix: 2020-11-05
  - Enable Security advisory: 2020-11-06
Description
When an Asterisk instance is flooded with INVITE messages over TCP, we observed that after some time Asterisk crashes due to a segmentation fault. The backtrace generated after the crash is:
…
Kamailio: off-by-one heap overflow
Published on Mar 19, 2018 in CVE-2018-8828, kamailio, heap overflow, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Fixed versions: Kamailio v5.1.2, v5.0.6 and v4.4.7
- References: CVE-2018-8828
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-05-kamailio-heap-overflow/
- Kamailio Security Advisory: https://www.kamailio.org/w/2018/03/kamailio-security-announcement-tmx-lcr/
- Tested vulnerable versions: 5.1.1, 5.1.0, 5.0.0
- Timeline:
  - Report date: 2018-02-10
  - Kamailio confirmed issue: 2018-02-10
  - Kamailio patch: 2018-02-10
  - Kamailio release with patch: 2018-03-01
  - Enable Security advisory: 2018-03-19
Description
A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap overflow.
Impact
Abuse of this vulnerability leads to denial of service in Kamailio. Further research may show that exploitation leads to remote code execution.
…
Asterisk PJSIP: stack corruption via large Accept header in SUBSCRIBE
Published on Feb 22, 2018 in CVE-2018-7284, asterisk, pjsip, stack corruption, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
- Tested vulnerable versions: 15.2.0, 13.19.0, 14.7.5, 13.11.2
- References: AST-2018-004, CVE-2018-7284
- Advisory URL: https://www.enablesecurity.com/advisories/ES2018-01-asterisk-pjsip-subscribe-stack-corruption/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-004.html
- Timeline:
  - Issue reported to vendor: 2018-01-30
  - Vendor patch made available to us: 2018-02-06
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
Description
A large SUBSCRIBE message with multiple malformed Accept headers will crash Asterisk due to stack corruption.
Impact
Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. Brief analysis indicates that this is an exploitable vulnerability that may lead to remote code execution.
Asterisk PJSIP: crash via repeated INVITE messages over TCP/TLS
Published on Feb 22, 2018 in CVE-2018-7286, asterisk, pjsip, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip installed with --with-pjproject-bundled
- References: AST-2018-005, CVE-2018-7286
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-04-asterisk-pjsip-tcp-segfault/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-005.html
- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
- Timeline:
  - Issue reported to vendor: 2018-01-24
  - Vendor patch made available to us: 2018-02-05
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
Description
A crash occurs when a number of INVITE messages are sent over TCP or TLS and the connection is then suddenly closed. This issue leads to a segmentation fault.
…
Asterisk PJSIP: crash via invalid SDP media format description
Published on Feb 22, 2018 in CVE-2018-1000098, asterisk, pjsip, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
- References: AST-2018-002, CVE-2018-1000098
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-03-asterisk-pjsip-sdp-invalid-media-format-description-segfault/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-002.html
- Tested vulnerable versions: 13.10.0, 15.1.3, 15.1.4, 15.1.5, 15.2.0
- Timeline:
  - Report date: 2018-01-15
  - Vendor patch made available to us: 2018-02-05
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
Description
A specially crafted SDP message body with an invalid media format description causes a segmentation fault in Asterisk using chan_pjsip.
Impact
Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use.
Asterisk PJSIP: crash via invalid SDP fmtp attribute
Published on Feb 22, 2018 in CVE-2018-1000099, asterisk, pjsip, denial of service, security advisory
- Authors:
  - Alfred Farrugia alfred@enablesecurity.com
  - Sandro Gauci sandro@enablesecurity.com
- Latest vulnerable version: Asterisk 15.2.0 running chan_pjsip
- References: AST-2018-003, CVE-2018-1000099
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2018-02-asterisk-pjsip-sdp-invalid-fmtp-segfault/
- Vendor Advisory: http://downloads.asterisk.org/pub/security/AST-2018-003.html
- Timeline:
  - Issue reported to vendor: 2018-01-15
  - Vendor patch made available to us: 2018-02-05
  - Vendor advisory published: 2018-02-21
  - Enable Security advisory: 2018-02-22
Description
A specially crafted SDP message body with an invalid fmtp attribute causes a segmentation fault in Asterisk using chan_pjsip.
Impact
Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use.