Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Asteroid SIP Denial of Service Tool
From: "J. Oquendo" <sil () infiltrated net>
Date: Sat, 28 Oct 2006 11:03:10 -0500

Asteroid is a SIP denial of service attack tools which affected older versions
of Asterisk the Open Source PBX and may affect other products running the SIP
protocol. There are thousands of custom (mis)crafted SIP packets which were
sent to a older versions of Asterisk that caused errors stopping Asterisk.

The packets were crafted based on packetdumps from Wireshark with flags set for
pseudo-spoofing, ranDUMBized extensions, etc.. The purpose of the tool was to
help me understand SIP security and Denials of Service attacks on the SIP
protocol. Originally I had intended on testing out my nCite Session Border
Controller but after watching nCite crash and burn on its own, it made little
sense for me to point it at it.

I have found that by sending a certain sequence of these packets, in a certain
order, servers react differently. Sometimes it crashed faster, sometimes more
extensions subscribed, sometimes voicemails were created and the list went on.
Asterisk version 1.2.13 and better are now patched from this issue but there
are other products it has not been tested on.

The packets were butchered in Perl and called from a shell script since I had
to manipulate packet sequences individually. This Proof of Concept program is
released to the public under the hopes that individuals will find a useful
purpose for assessing DoS vulnerabilities. It is unfortunate though that there
are idiots who will use this lame tool for malicious purposes.

Some vendors, CERT and other organizations were contacted as early as September
9th 2006 to address issues with their products. Most reacted quickly to get the
fixes in order.  Thanks to Kevin P. Flemming and the guys on Asterisk Dev for
creating a thread on this. Dan York for getting some to pay attention. PSIRT
at Cisco for looking into this, Tim Donahue for his perl pointers, vgersh99
(aka vlad) for nawk foo pointers, PHV, Annihilannic, p5wizard (segment!), and
Henning Schulzrinne for taking a look at the tool during his seminars at
Columbia.

Also thanks to Anthony LaMantia, Tzafir Cohen, and the others on the dev list
for tolerating my posts. Public apologies to Jay R. Ashworth for my mis-reading
of the "(Missed)Trust in Caller ID" thread on VOIPSA ;)

Coming 10/31/2006
http://www.infiltrated.net/asteroid/


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Asteroid SIP Denial of Service Tool J. Oquendo (Oct 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault