IAX2 protocol flaw in IC_NEW could cause reflective amplification DoS
by Joel R. Voss aka. Javantea
May 15, 2007
Official Asterisk bug report
I am releasing the full Asterisk IAX2 exploit framework / alternative implementation. I am giving a talk at Toorcon Seattle 2008 about my findings. Read more about the handshake (and it's failure) at that page.
Although the Asterisk team described a bugfix and mentioned intention to fix this bug, this bug has not been fixed as of Jan 17, 2008 (Tested against 1.4.17). Since the exploit code is widely available through this website, it would seem prudent to fix this if it were indeed a fixable bug. However, it is my opinion that introducing a handshake requirement to the IAX2 protocol would make the protocol far less likely to work with third-party software and hardware.
I am running a vulnerable version at suzy.altsci.com for test (as well as development and actual use) and I intend to keep it running for the purpose of education and disclosure of this vulnerability.
The IAX2 protocol allows an IC_NEW packet to start a call. This is a udp packet that is only 18 bytes long. A call can be quite long and contains a lot of data. Specifically my simple answering machine sends 26307 bytes in 723 packets in 32.0032 seconds. That is 6576.75 bits per second. Using uLaw or another higher bitrate codec, this rate can be increased.
Since UDP can be spoofed, it seems possible that an asterisk server can be tricked into sending megabits per second (until it chokes) at a target with a very low cost to the attacker (18 byte udp packet). I have not tested spoofing an address, but I suspect that it will work.
Since this is a protocol flaw and there are hardware implementations that would be broken by changing the protocol, this does not seem to be fixable. If someone with knowledge of these type of issues could discuss this with me, I would be much more confident in this.
I wrote a python implementation of IAX2 protocol to fuzz the IAX2 protocol and I found this by accident in my first test. If you are interested in fuzzing the IAX2 protocol, I would be happy to share my code with you. I even have a gsm decoder for the project which lets you hear what the fuzzer made the Asterisk box do.
More detailed information coming soon.
Until then, look at the latest internet draft.
echo -ne '\x80\xeb\x00\x00\x00\x00\x00\x07\x00\x00\x06\x01\x08\x04\x00\x00\x02\xaa' | nc -u 192.168.0.3 4569
More detailed information coming soon. If you're interested in developing Asterisk exploits, e-mail me with or without GnuPG.Permalink