Posts Tagged OpenSBC Crash
Network dialog minimization is the problem of given an original dialog that satisfies a goal, producing a minimized dialog comprising the smallest subset of the original dialog that when replayed still achieves the same goal as the original dialog. In essence, the minimized dialog provides a shortcut to the goal, removing all connections and messages in the original dialog unrelated to the goal. A minimized dialog enables understanding what parts of a dialog really matter for the goal e.g., determining which messages and fields are really required to exploit a network server without expensive code analysis. We use our dialog minimization technique to replay an INVITE of Death attack on the OpenSBC SIP server. The minimization reveals another, previously unknown, attack on the OpenSBC server OSVDB 86607. The attack input is shown in Figure below.
Experiment: To obtain the original dialog we deploy a test OpenSBC server, configured in UDP stateful proxying mode without authentication, and use SIPp to simulate both a SIP user agent client (UAC) and a SIP user agent server (UAS). Then, we use the available attack tool against the test server, producing an attack trace with INVITE of Death packet in it.
New Vulnerability: The 3-level minimization outputs that a single 74-byte SIP INVITE request is needed to crash the server (Figure 1). However, the minimized input does not contain the Via header, whose flawed processing created the original vulnerability (aka. INVITE of Death). Replaying the minimized input against a version of OpenSBC that patches the original vulnerability, still crashes the server. We have reported the new vulnerability to the OpenSBC author, who has confirmed that it corresponds to a null-pointer dereference in the parser. The details on vulnerability can be found here. This example illustrates that the dialog minimization is useful for capturing the essential constraints to reach and exercise a vulnerability, without expensive code analysis.
Conclusion: Dialog minimization and replay is a useful capability in vulnerability analysis. Minimizing a network attack dialog enables understanding the conditions leading to exploitation without expensive code inspection, and the minimized dialog can be used as an exploit signature. Furthermore, minimization is fundamental to isolate the real attack when the input is a network trace (e.g., captured at an IDS) that contains an attack on a vulnerability but also much other traffic unrelated to the attack. In this case we applied network dialog minimization technique to minimize an attack on the OpenSBC SIP server. More details on dialog minimization and its different security applications can be found here.