Summary: ASTERISK-23373: [patch] Security: Open FD exhaustion with chan_sip Session-Timers
Reporter: Corey Farrell (coreyfarrell)
Labels: Security
Date Opened: 2014-02-25 10:44:04.000-0600
Date Closed: 2014-03-10 15:12:54
Versions: SVN 11.7.0 12.0.0
Frequency of
Duplicates: ASTERISK-14731 [patch] sip session timer: Does not work if initial INVITE min-se timer is too small
Environment:
Attachments:
( 0) chan_sip-earlier-st.patch
( 1) chan_sip-earlier-st-1.8.patch
( 2) chan_sip-earlier-st-11.patch
( 3) uac.xml
Description: An attacker can use all available open FDs with sipp INVITE requests.  It seems this attack only requires knowledge of an extension on an Asterisk system that accepts "public" dial-in.

sipp -s 100 -sf uac.xml -p 5066 -r 1000 -m 1000

Asterisk will respond with code 422 for all 1000 INVITEs.  This will leak 1000 channels, and when using timerfd that's 5000 open file descriptors.  The file descriptors cannot be released without restarting Asterisk, so an intrusion detection system could be bypassed by sending the INVITEs slowly.

I haven't yet checked to see if this can be exploited using a permitted Session Expires value.
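
The slow-send variant mentioned in the description defeats a rate-based detector, because nothing reclaims the leaked descriptors between bursts. The following is an added example, not code from the report or from Asterisk: it runs two detectors over a constructed log (the log format, the addresses pbx.example / 192.0.2.x and the thresholds are all assumptions made for the example). A sliding-window counter sees at most one 422 per window and stays silent; a counter that is cumulative since the last restart flags the source, and the report's figure of five descriptors per leaked channel gives a rough estimate of what is still held open.

```python
"""Added example (not from ASTERISK-23373 or chan_sip): detecting the slow
version of the 422 leak.  Log lines, hosts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed log: 192.0.2.10 sends one under-sized INVITE every ten minutes
# and is answered 422 each time; 192.0.2.20 is an ordinary caller.
LOG = """\
2014-02-25 10:00:00 RESTART asterisk
2014-02-25 10:01:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:01:00 -> 192.0.2.10 422 Session Interval Too Small
2014-02-25 10:02:00 <- 192.0.2.20 INVITE sip:100@pbx.example
2014-02-25 10:02:00 -> 192.0.2.20 200 OK
2014-02-25 10:11:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:11:00 -> 192.0.2.10 422 Session Interval Too Small
2014-02-25 10:21:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:21:00 -> 192.0.2.10 422 Session Interval Too Small
2014-02-25 10:31:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:31:00 -> 192.0.2.10 422 Session Interval Too Small
2014-02-25 10:41:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:41:00 -> 192.0.2.10 422 Session Interval Too Small
2014-02-25 10:51:00 <- 192.0.2.10 INVITE sip:100@pbx.example
2014-02-25 10:51:00 -> 192.0.2.10 422 Session Interval Too Small
"""


def parse(lines):
    """Turn the constructed log into (timestamp, direction, source, text) tuples.
    A RESTART line becomes ("restart", None, None)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        rest = line[20:]
        if rest.startswith("RESTART"):
            events.append((ts, "restart", None, None))
            continue
        direction, src, what = rest.split(" ", 2)
        events.append((ts, direction, src, what))
    return events


def windowed_422(log, window_s, threshold):
    """Conventional rate detector: flag a source that collects >= threshold
    422 responses inside any window_s-second window.  Slow senders evade it."""
    recent = defaultdict(list)
    flagged = set()
    for ts, d, src, what in parse(log.splitlines()):
        if d == "->" and what.startswith("422"):
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_s]
            recent[src].append(ts)
            if len(recent[src]) >= threshold:
                flagged.add(src)
    return flagged


def cumulative_422(log, threshold):
    """Leak-aware detector: count 422s per source for the life of the process.
    Only a restart reclaims the descriptors, so only a restart resets the count."""
    counts = defaultdict(int)
    flagged = set()
    for ts, d, src, what in parse(log.splitlines()):
        if d == "restart":
            counts.clear()
            continue
        if d == "->" and what.startswith("422"):
            counts[src] += 1
            if counts[src] >= threshold:
                flagged.add(src)
    return flagged


def leaked_fd_estimate(log, fds_per_channel=5):
    """Rough count of descriptors still held: the report measured five per
    leaked channel when timerfd is in use."""
    n = sum(1 for _, d, _, w in parse(log.splitlines()) if d == "->" and w.startswith("422"))
    return n * fds_per_channel


if __name__ == "__main__":
    print("windowed:  ", windowed_422(LOG, 60, 5))
    print("cumulative:", cumulative_422(LOG, 5))
    print("fds leaked:", leaked_fd_estimate(LOG))
```

On a real deployment the cumulative count would be paired with a direct measurement of the process's open descriptors, since the count resets only when the service does.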
Comments:
By: Corey Farrell (coreyfarrell) 2014-02-25 11:25:32.409-0600

Note this issue was found using testsuite patched with ASTERISK-23369.  tests/channels/SIP/session_timers/uas_minimum_se ended with chancount != 0, but with no threads for active channels.  uac.xml is derived from that test.

By: Corey Farrell (coreyfarrell) 2014-02-27 02:29:45.566-0600

I first tried a patch that correctly hung up the channel and pvt, but {{sip_new}} allocates RTP and RTCP sockets, and they were held for 32 seconds on my system.

To avoid opening RTP/RTCP, request errors need to be handled before {{sip_new}}. Session timers need to be after {{check_user}}, since {{st_get_mode}} can use p->relatedpeer.

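The leak in the description and the ordering argument in the comment above come down to the same thing: the 422 decision was made after {{sip_new}} had already allocated the channel and its sockets. The following is an added example, not chan_sip code: a small model with a SIP header parser, the RFC 4028 Session-Expires / Min-SE check that produces the 422, and the two handler orders side by side. The INVITE (built in the spirit of the sipp uac.xml scenario), the peer table, the {{check_user}} stand-in and the per-channel descriptor count are constructed for the example; the real code holds far more state per channel.

```python
"""Added example (not chan_sip code): the request ordering that ASTERISK-23373
changed.  Pre-patch, sip_new() ran before the session-timer check, so a 422
reply left the channel and its sockets behind; patched, check_user() runs,
then the session-timer check (st_get_mode needs the peer), then sip_new().
The INVITE, peer table and fd counts below are constructed."""

# Constructed INVITE: Session-Expires far below any Min-SE we would accept.
INVITE = (
    "INVITE sip:100@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5066;branch=z9hG4bK-1\r\n"
    "From: <sip:caller@192.0.2.10>;tag=1\r\n"
    "To: <sip:100@pbx.example>\r\n"
    "Call-ID: 1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Supported: timer\r\n"
    "Session-Expires: 10;refresher=uac\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed peer table: a per-peer Min-SE where set, else the global value.
GLOBAL_MIN_SE = 90
PEERS = {"100": {"min_se": 120}}


def parse_headers(msg):
    """Header block of a SIP message as a lower-cased name -> value dict."""
    head = msg.split("\r\n\r\n", 1)[0]
    hdrs = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def check_user(hdrs):
    """Stand-in for check_user(): map the To user to a peer record (or None)."""
    uri = hdrs.get("to", "")
    user = uri.split("sip:", 1)[1].split("@", 1)[0] if "sip:" in uri else ""
    return PEERS.get(user)


def st_check(hdrs, peer):
    """RFC 4028 section 9: an offered Session-Expires below the Min-SE we
    enforce for this peer is rejected with 422 and a Min-SE header.
    Returns (422, headers) or None.  'x' is the compact form of the header."""
    raw = hdrs.get("session-expires") or hdrs.get("x")
    if raw is None:
        return None
    interval = int(raw.split(";", 1)[0].strip())
    min_se = (peer or {}).get("min_se", GLOBAL_MIN_SE)
    if interval < min_se:
        return 422, {"Min-SE": str(min_se)}
    return None


class Resources:
    """Counts what sip_new() allocates: a channel plus RTP and RTCP sockets
    (the report counted five descriptors per channel once timerfd is added)."""
    FDS_PER_CHANNEL = 2

    def __init__(self):
        self.channels = 0
        self.open_fds = 0

    def sip_new(self):
        self.channels += 1
        self.open_fds += self.FDS_PER_CHANNEL


def handle_prepatch(msg, res):
    """Pre-patch order: sip_new() first, session-timer check afterwards.
    The 422 path returns without releasing what was just allocated."""
    hdrs = parse_headers(msg)
    peer = check_user(hdrs)
    res.sip_new()
    err = st_check(hdrs, peer)
    return err if err else (200, {})


def handle_patched(msg, res):
    """Patched order: request errors are answered before sip_new() runs."""
    hdrs = parse_headers(msg)
    peer = check_user(hdrs)
    err = st_check(hdrs, peer)
    if err:
        return err
    res.sip_new()
    return 200, {}


def flood(handler, msg, n):
    """Push n copies of msg through handler; return (reply codes, fds left open)."""
    res = Resources()
    codes = [handler(msg, res)[0] for _ in range(n)]
    return codes, res.open_fds


if __name__ == "__main__":
    for h in (handle_prepatch, handle_patched):
        codes, fds = flood(h, INVITE, 1000)
        print(f"{h.__name__}: {codes.count(422)} x 422, {fds} fds still open")
```

Both handlers answer every one of the 1000 INVITEs with 422, which is why the attack is invisible to a caller; only the descriptor count distinguishes them.
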
By: Corey Farrell (coreyfarrell) 2014-02-27 12:57:51.704-0600

I forgot to mention, [^chan_sip-earlier-st.patch] is for branches/1.8 only.  I want to get feedback on this approach before I prepare patches for 11+.

By: Kinsey Moore (kmoore) 2014-03-03 15:04:39.027-0600

Now that I have some other issues out of the way, I'm going to look into the attached patch.

By: Kinsey Moore (kmoore) 2014-03-04 11:09:26.560-0600

This looks pretty solid. Go ahead with the 11+ implementation whenever you're ready.

By: Corey Farrell (coreyfarrell) 2014-03-05 00:04:57.755-0600

Updated 1.8 patch includes a tiny change to add {} to an if statement that is being moved to the new procedure.

It turns out the difference in this code between versions is much smaller than I initially thought: {{get_header}} has been renamed to {{sip_get_header}}.

I also ran this through testsuite channels/SIP for 1.8 and 11, compiled against 12 and trunk.

By: Kinsey Moore (kmoore) 2014-03-05 14:04:06.034-0600

These patches look good. I'm going to go ahead and push them into our internal security repository unless you have any more changes you'd like to make to them.

By: Corey Farrell (coreyfarrell) 2014-03-05 14:13:54.748-0600

Please go ahead, thank you.

By: Kinsey Moore (kmoore) 2014-03-10 09:24:02.751-0500

This has been committed to 1.8, 1.8.15-certified, 11, 11.6-certified, 12, and trunk.