[OpenSIPS-Devel] [ opensips-Bugs-3603098 ] Buffer Overflow Attack? DoS Attack?
SourceForge.net
noreply at sourceforge.net
Mon Feb 4 23:55:36 CET 2013
Bugs item #3603098, was opened at 2013-02-02 06:01
Message generated for change (Comment added) made by apsaras
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3603098&group_id=232389
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: 1.8.x
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: apsaras (apsaras)
Assigned to: Nobody/Anonymous (nobody)
Summary: Buffer Overflow Attack? DoS Attack?
Initial Comment:
OpenSIPs 1.8.1 on CentOS 5.8 64bit
Everything worked fine until an attack started. No one was able to register or communicate, and in the log I can only see the following:
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: expecting CSeq EoL
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:get_hdr_field: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:maxfwd:is_maxfwd_present: parsing MAX_FORWARD header failed!
.....
Feb 2 15:29:31 sip03 /usr/sbin/opensips[20497]: ERROR:uri:check_username: Call {www,proxy}_authorize before calling check_* functions!
.....
Feb 2 15:29:40 sip03 /usr/sbin/opensips[20486]: ERROR:uri:check_username: No authorized credentials found (error in scripts)
.....
Feb 2 15:29:40 sip03 /usr/sbin/opensips[20492]: ERROR:uri:check_username: No authorized credentials found (error in scripts)
Feb 2 15:31:26 sip03 /usr/sbin/opensips[20499]: ERROR:core:parse_uri: bad char '@' in state 5 parsed: <sip:tine at dm> (11) / <sip:tine at dm@x.x.x.x> (25)F
And then a registration request
Feb 2 15:31:29 sip03 /usr/sbin/opensips[20502]: ERROR:core:parse_msg: message=<REGISTER sip:tilman hausherr at x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP 85.25.20.15:5107;branch=z9hG4bK-3045379966;rport^M Content-Length: 0^M From: "tilman hausherr"<sip:tilman hausherr at 91.217.155.70>; tag=74696c6d616e2068617573686572720133393033393337393433^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "tilman hausherr"<sip:tilman hausherr at x.x.x.x>^M Contact: sip:tilman hausherr at x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 660108110^M Max-Forwards: 70^M ^M >
A lot of errors and again another registration request:
Feb 2 15:33:08 sip03 /usr/sbin/opensips[20495]: ERROR:core:parse_msg: message=<REGISTER sip:u don't know at x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP 85.25.20.15:5107;branch=z9hG4bK-2954121837;rport^M Content-Length: 0^M From: "u don't know"<sip:u don't know at x.x.x.x>; tag=7520646f6e2774206b6e6f7701383037303536343636^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "u don't know"<sip:u don't know at x.x.x.x>^M Contact: sip:u don't know at x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 3997264461^M Max-Forwards: 70^M ^M >
Is that a problem/bug in core? Is that a mistake in my script? In any case the result was a Denial of Service.
----------------------------------------------------------------------
>Comment By: apsaras (apsaras)
Date: 2013-02-04 14:55
Message:
No. The only thing I found was that the attacker tried to make outbound
calls without registration, sending malformed SIP messages. I am not sure
what he was trying to do exactly: overload the system, try a buffer
overflow, or just had a faulty script. The result was that opensips was
overloaded just doing parsing and throwing errors in the log.
To protect the system I am now filtering the Agent header and I am using
the sanity check. Hope that's enough.
----------------------------------------------------------------------
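As an added example (not code from this thread and not OpenSIPS's own sanity module), the Python script below does on the log what the two comments above describe as the outcome and the mitigation: it reads OpenSIPS log lines like those in the initial submission, counts error bursts per second, reconstructs each request that parse_msg dumped, and applies a minimal request sanity check plus a User-Agent filter. The sample log lines are constructed to match the report (placeholder addresses, '@' restored where the mail archive printed "at"); the scanner marker list, the burst threshold and the treatment of "^M " as CRLF are assumptions about this log format, not documented OpenSIPS behaviour.

```python
import re
from collections import Counter

# RFC 3261 methods plus common extensions; used only to validate the request-line.
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK",
               "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}
# User-Agent substrings of well-known SIP scanners (assumed list; friendly-scanner is the one in the thread).
SCANNER_UA_MARKERS = ("friendly-scanner", "sipvicious", "sipcli")

# syslog line as written by OpenSIPS: "<ts> <host> <binary>[<pid>]: <LEVEL>:<module>:<function>: <text>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+):(?P<mod>[^:]+):(?P<func>[^:]+): (?P<text>.*)$")

# Constructed sample, modelled on the log excerpt in the report (addresses are placeholders).
SAMPLE_LOG = """\
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: expecting CSeq EoL
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:parse_cseq: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:core:get_hdr_field: bad cseq
Feb 2 15:29:28 sip03 /usr/sbin/opensips[20497]: ERROR:maxfwd:is_maxfwd_present: parsing MAX_FORWARD header failed!
Feb 2 15:29:31 sip03 /usr/sbin/opensips[20497]: ERROR:uri:check_username: Call {www,proxy}_authorize before calling check_* functions!
Feb 2 15:31:29 sip03 /usr/sbin/opensips[20502]: ERROR:core:parse_msg: message=<REGISTER sip:tilman hausherr@x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP 192.0.2.10:5107;branch=z9hG4bK-3045379966;rport^M Content-Length: 0^M From: "tilman hausherr"<sip:tilman hausherr@x.x.x.x>; tag=74696c^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "tilman hausherr"<sip:tilman hausherr@x.x.x.x>^M Contact: sip:tilman hausherr@x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 660108110^M Max-Forwards: 70^M ^M >
Feb 2 15:33:08 sip03 /usr/sbin/opensips[20495]: ERROR:core:parse_msg: message=<REGISTER sip:u don't know@x.x.x.x SIP/2.0^M Via: SIP/2.0/UDP 192.0.2.10:5107;branch=z9hG4bK-2954121837;rport^M Content-Length: 0^M From: "u don't know"<sip:u don't know@x.x.x.x>; tag=7520646f^M Accept: application/sdp^M User-Agent: friendly-scanner^M To: "u don't know"<sip:u don't know@x.x.x.x>^M Contact: sip:u don't know@x.x.x.x^M CSeq: 1 REGISTER^M Call-ID: 3997264461^M Max-Forwards: 70^M ^M >
"""

# Constructed well-formed REGISTER for contrast (never reaches parse_msg's error path).
GOOD_REGISTER = ("REGISTER sip:x.x.x.x SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-1;rport\r\n"
                 "From: <sip:alice@x.x.x.x>;tag=1\r\n"
                 "To: <sip:alice@x.x.x.x>\r\n"
                 "Call-ID: 1\r\n"
                 "CSeq: 1 REGISTER\r\n"
                 "Max-Forwards: 70\r\n"
                 "User-Agent: Some Phone/1.0\r\n"
                 "Content-Length: 0\r\n\r\n")


def check_request(wire):
    """Minimal request sanity check: returns the reasons to reject, [] if the request passes."""
    problems = []
    head, _, _ = wire.partition("\r\n\r\n")
    lines = head.split("\r\n")
    tokens = lines[0].split(" ")
    if len(tokens) != 3:
        # A space inside the Request-URI (as in the scanner's REGISTERs) lands here.
        problems.append("request-line has %d tokens, expected 3 (space inside Request-URI?)" % len(tokens))
    else:
        method, uri, version = tokens
        if method not in SIP_METHODS:
            problems.append("unknown method %r" % method)
        if not uri.startswith(("sip:", "sips:", "tel:")):
            problems.append("bad Request-URI scheme")
        if version != "SIP/2.0":
            problems.append("bad version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("malformed header line %r" % line)
            continue
        headers.setdefault(name.strip().lower(), value.strip())
    cseq = headers.get("cseq", "")
    if not re.fullmatch(r"\d+ [A-Z]+", cseq):
        problems.append("bad CSeq %r" % cseq)
    elif len(tokens) == 3 and cseq.split(" ")[1] != tokens[0]:
        problems.append("CSeq method does not match request-line")
    if "max-forwards" in headers and not headers["max-forwards"].isdigit():
        problems.append("bad Max-Forwards")
    ua = headers.get("user-agent", "").lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        problems.append("scanner User-Agent %r" % headers["user-agent"])
    return problems


def dump_to_wire(text):
    """Recover the raw request from a parse_msg log line. Assumption: OpenSIPS prints CR as '^M'
    and syslog folds the LF into a space, so '^M ' is read back as CRLF."""
    m = re.search(r"message=<(.*)>$", text)
    return m.group(1).replace("^M ", "\r\n") if m else None


def scan_log(log_text, burst_threshold=3):
    """Per-second ERROR counts (a burst suggests a flood) plus a verdict on every dumped request."""
    per_second = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        per_second[m.group("ts")] += 1
        if m.group("func") == "parse_msg":
            wire = dump_to_wire(m.group("text"))
            if wire is not None:
                findings.append((m.group("pid"), check_request(wire)))
    bursts = sorted(ts for ts, n in per_second.items() if n >= burst_threshold)
    return {"per_second": per_second, "bursts": bursts, "findings": findings}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print("error bursts at:", result["bursts"])
    for pid, problems in result["findings"]:
        print("pid %s rejected: %s" % (pid, "; ".join(problems)))
```

Both dumped REGISTERs fail on the request-line alone (the space in the user part makes the line four or five tokens instead of three), which is why the core parser rejects them before any authorization check runs and the proxy spends its time parsing and logging. The same ordering matters in a routing script: running the sanity check and the User-Agent filter at the top of the main route ends the work for these requests as early as possible.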
Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2013-02-04 08:43
Message:
So Antonis, have you found out how your OpenSIPS got overloaded?
Regards,
Bogdan
----------------------------------------------------------------------
Comment By: apsaras (apsaras)
Date: 2013-02-02 08:00
Message:
This is the first time we had malformed SIP requests. Probably the attacker
had something wrong in the script. I have no measurement of CPS, but from
the traffic shaper I see a 1Mbit traffic increase for 5 minutes.
Probably you are right that this is not a bug. My first impression looking
at the logs was that the attacker managed to successfully register by
overflowing some buffer, which is not true.
I am sorry for the wrong posting.
----------------------------------------------------------------------
Comment By: Muhammad Shahzad (shari_786pk)
Date: 2013-02-02 07:11
Message:
What is the frequency of these malformed SIP requests? Can you give some
estimate of CPS?
To me it does not look like a bug but rather a VoIP security issue. If you
would post it to the OpenSIPS users or devel mailing list then you would
probably get a quicker answer. Don't open a bug unless you are sure it's a
bug. It saves everybody's time.
Thank you.
----------------------------------------------------------------------