MADYNES Security Advisory

Title: Asterisk SIP INVITE remote DOS
Release Date: 08/03/2007
Severity: High - Denial of Service
Advisory ID: KIPH1
Software: Asterisk

Asterisk® is a complete IP PBX in software. It runs on a wide variety of operating systems including Linux, Mac OS X, OpenBSD, FreeBSD and Sun Solaris and provides all of the features you would expect from a PBX including many advanced features that are often associated with high end (and high cost) proprietary PBXs. Asterisk® supports Voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Affected Versions:
Asterisk 1.2.14, 1.2.15, 1.2.16
Asterisk 1.4.1
probably previous versions also

Unaffected Versions: Trunk version to date (13/03/2007)

Vulnerability Synopsis: After a crafted INVITE message is sent, the software abruptly terminates with a Segmentation Fault, causing a Denial of Service (DoS) in all the services provided by the entity.

Impact: A remote individual can crash the software and cause a Denial of Service (DoS) in all the services it provides by sending one crafted SIP INVITE message. This is conceptually similar to the "ping of death".

Resolution: The problem has been fixed in Asterisk versions 1.4.2 and 1.2.17, which are released today, 19/03/2007.

Vulnerability Description: After a crafted message is sent, the software crashes abruptly. The message in this case is an anonymous INVITE whose SDP contains 2 connection headers. The first one must be valid and the second must not be: its IP address should be invalid. The callee need not be a valid user or dialplan. Where Asterisk is set to disallow anonymous calls, a valid user and password should be known, and the information should be crafted as above when responding to the corresponding INVITE challenge. After this crafted SIP INVITE message, the affected software crashes immediately.
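
A defensive check for the condition described above, as an added example that is not part of the original advisory or of Asterisk's code: it validates the SDP c= (connection) lines of a message body so a filter in front of the PBX can reject a malformed one. The sample bodies, addresses and function names are constructed, and treating any address that is not an IP literal as invalid is an assumption (SDP also permits host names).

```python
import ipaddress

# Constructed sample SDP bodies (not captured traffic); addresses are from
# documentation ranges and the invalid value is a labelled placeholder.
SDP_OK = "\r\n".join(["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
                      "c=IN IP4 192.0.2.10", "t=0 0",
                      "m=audio 49170 RTP/AVP 0", ""])
SDP_BAD = "\r\n".join(["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
                       "c=IN IP4 192.0.2.10", "c=IN IP4 <invalid-address>",
                       "t=0 0", "m=audio 49170 RTP/AVP 0", ""])

def check_connection_lines(sdp):
    """Return (line_number, reason) findings for the c= lines of an SDP body."""
    findings = []
    in_media = False       # False until the first m= line (session level)
    session_conn = 0       # c= lines seen at session level
    for n, line in enumerate(sdp.splitlines(), 1):
        if line.startswith("m="):
            in_media = True
        if not line.startswith("c="):
            continue
        # The SDP grammar allows at most one session-level c= line.
        if not in_media:
            session_conn += 1
            if session_conn > 1:
                findings.append((n, "more than one session-level c= line"))
        parts = line[2:].split()
        if len(parts) != 3 or parts[0] != "IN" or parts[1] not in ("IP4", "IP6"):
            findings.append((n, "malformed c= line"))
            continue
        addr = parts[2].split("/")[0]   # drop a multicast /ttl/count suffix
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Assumption: endpoints here send IP literals, so host names
            # are flagged as well as garbage values.
            findings.append((n, "connection address is not an IP literal"))
            continue
        if ip.version != (4 if parts[1] == "IP4" else 6):
            findings.append((n, "address family does not match addrtype"))
    return findings

def should_reject(sdp):
    """Policy hook: reject the message if any c= line produced a finding."""
    return bool(check_connection_lines(sdp))
```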

Proof of Concept Code: available

Credits:
Humberto J. Abdelnur (Ph.D Student)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA

Disclosure Distribution:
The advisory will be posted on the following websites:
1) Asterisk's website
2) http://madynes.loria.fr website
The advisory will be posted to the following mailing lists:
1) full-disclosure@lists.grok.org.uk
2) voipsec@vopisa.org