Archive for September, 2014

INVITE of Death and Network Dialog Minimization (New Vulnerability in VoIP Server)

Network dialog minimization is the problem of, given an original dialog that satisfies a goal, producing a minimized dialog comprising the smallest subset of the original dialog that, when replayed, still achieves the same goal as the original dialog. In essence, the minimized dialog provides a shortcut to the goal, removing all connections and messages in the original dialog unrelated to the goal. A minimized dialog enables understanding which parts of a dialog really matter for the goal, e.g., determining which messages and fields are really required to exploit a network server without expensive code analysis. We use our dialog minimization technique to replay an INVITE of Death attack on the OpenSBC SIP server. The minimization reveals another, previously unknown, attack on the OpenSBC server, OSVDB 86607. The attack input is shown in the figure below.

[Figure: New VoIP Vulnerability]

Experiment: To obtain the original dialog we deploy a test OpenSBC server, configured in UDP stateful proxying mode without authentication, and use SIPp to simulate both a SIP user agent client (UAC) and a SIP user agent server (UAS). Then, we run the available attack tool against the test server, producing an attack trace with an INVITE of Death packet in it.

[Figure 1: SIP dialog]

New Vulnerability: The 3-level minimization outputs that a single 74-byte SIP INVITE request is enough to crash the server (Figure 1). However, the minimized input does not contain the Via header, whose flawed processing created the original vulnerability (a.k.a. INVITE of Death). Replaying the minimized input against a version of OpenSBC that patches the original vulnerability still crashes the server. We have reported the new vulnerability to the OpenSBC author, who has confirmed that it corresponds to a null-pointer dereference in the parser. Details on the vulnerability can be found here. This example illustrates that dialog minimization is useful for capturing the essential constraints needed to reach and exercise a vulnerability, without expensive code analysis.

Conclusion: Dialog minimization and replay is a useful capability in vulnerability analysis. Minimizing a network attack dialog enables understanding the conditions leading to exploitation without expensive code inspection, and the minimized dialog can be used as an exploit signature. Furthermore, minimization is fundamental to isolating the real attack when the input is a network trace (e.g., captured at an IDS) that contains an attack on a vulnerability but also much other traffic unrelated to the attack. In this case we applied our network dialog minimization technique to minimize an attack on the OpenSBC SIP server. More details on dialog minimization and its different security applications can be found here.

BibTeX

@inproceedings{ndm,
author = {M. Zubair Rafique and Juan Caballero and Christophe Huygens and Wouter Joosen},
title = {{Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications}},
booktitle = {Proceedings of the 2014 Annual Computer Security Applications Conference},
address = {New Orleans, LA},
month = {December},
year = {2014},
}


[ACSAC 2014] Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications

In this work, we present two fundamental primitives for network security: network dialog minimization and network dialog diffing. Network dialog minimization (NDM) simplifies an original dialog with respect to a goal, so that the minimized dialog when replayed still achieves the goal, but requires minimal network communication, achieving significant time and bandwidth savings. We present network delta debugging, the first technique to solve NDM. Network dialog diffing compares two dialogs, aligns them, and identifies their common and different parts. We propose a novel dialog diffing technique that aligns two dialogs by finding a mapping that maximizes similarity.
We have applied our techniques to 5 applications. We apply our dialog minimization approach for: building drive-by download milkers for 9 exploit kits, integrating them in an infrastructure that has collected over 14,000 malware samples running from a single machine; efficiently measuring the percentage of popular sites that allow cookie replay, finding that 31% do not destroy the server-side state when a user logs out and that 17% provide cookies that live over a month; simplifying a cumbersome user interface, saving our institution 3 hours of time per year and employee; and finding a new vulnerability in a SIP server. We apply our dialog diffing approach for clustering benign (F-Measure = 100%) and malicious (F-Measure = 87.6%) dialogs.
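To make the minimization primitive concrete (the NDM definition in the first post and the network delta debugging technique named above), here is an added example, not code from the paper or the authors: Zeller's ddmin applied at two levels of a constructed SIP dialog, first dropping whole messages and then dropping fields inside each surviving message. The dialog, and the goal oracle that stands in for "replay against the test server and watch for a crash", are both constructed for illustration; the oracle deliberately does not model the real OpenSBC bug.

```python
import math

# Constructed sample dialog (not a real capture): a UAC -> proxy SIP exchange,
# each message given as its list of wire lines.
DIALOG = [
    ["REGISTER sip:example.com SIP/2.0", "Via: SIP/2.0/UDP 192.0.2.10:5060",
     "To: <sip:alice@example.com>", "Call-ID: reg1@192.0.2.10", "CSeq: 1 REGISTER"],
    ["INVITE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 192.0.2.10:5060",
     "From: <sip:alice@example.com>", "To: <sip:bob@example.com>",
     "Call-ID: inv1@192.0.2.10", "CSeq: 1 INVITE", "Content-Length: 0"],
    ["SIP/2.0 100 Trying", "Call-ID: inv1@192.0.2.10", "CSeq: 1 INVITE"],
    ["ACK sip:bob@example.com SIP/2.0", "Call-ID: inv1@192.0.2.10", "CSeq: 1 ACK"],
]

def goal(dialog):
    # Constructed stand-in for "replay and watch the server": true if some message
    # is an INVITE still carrying To and CSeq. Not a model of the real OpenSBC bug.
    has = lambda m, p: any(l.startswith(p) for l in m)
    return any(has(m, "INVITE ") and has(m, "To:") and has(m, "CSeq:") for m in dialog)

def ddmin(items, test):
    """Zeller's delta debugging: a 1-minimal subsequence of items that still
    satisfies test(). Assumes test(items) holds for the full input."""
    n = 2
    while len(items) >= 2:
        size = math.ceil(len(items) / n)
        chunks = [items[i:i + size] for i in range(0, len(items), size)]
        # candidates: each chunk alone, then each chunk's complement
        cands = [(c, 2) for c in chunks] + [
            ([x for d in chunks if d is not c for x in d], max(n - 1, 2)) for c in chunks]
        for cand, nxt in cands:
            if cand and test(cand):
                items, n = cand, nxt
                break
        else:                       # nothing smaller passed: refine granularity
            if n >= len(items):
                break
            n = min(len(items), 2 * n)
    return items

def minimize_dialog(dialog, test):
    # Two-level NDM: drop whole messages, then fields inside each survivor,
    # counting how many replays (probes of test) the minimization cost.
    replays = [0]
    def probe(d):
        replays[0] += 1
        return test(d)
    msgs = ddmin(dialog, probe)
    out = []
    for i, msg in enumerate(msgs):   # earlier messages are already minimized
        out.append(ddmin(msg, lambda f, i=i: probe(out + [f] + msgs[i + 1:])))
    return out, replays[0]
```

On this input the result is a single three-line INVITE (request line, To, CSeq); the Via header and the unrelated REGISTER, 100 Trying and ACK messages are all discarded, mirroring how the page's minimized input lost the Via header that the original bug depended on.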

BibTeX


@inproceedings{ndm,
author = {M. Zubair Rafique and Juan Caballero and Christophe Huygens and Wouter Joosen},
title = {{Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications}},
booktitle = {Proceedings of the 2014 Annual Computer Security Applications Conference},
address = {New Orleans, LA},
month = {December},
year = {2014},
}
