
[Full-disclosure] Asteroid SIP Denial of Service Tool

Subject: [Full-disclosure] Asteroid SIP Denial of Service Tool
Date: Sat, 28 Oct 2006 11:03:10 -0500
Asteroid is a SIP denial of service attack tool which affected older versions
of Asterisk the Open Source PBX and may affect other products running the SIP
protocol. There are thousands of custom (mis)crafted SIP packets which were
sent to older versions of Asterisk that caused errors stopping Asterisk.

The packets were crafted based on packetdumps from Wireshark with flags set for
pseudo-spoofing, ranDUMBized extensions, etc. The purpose of the tool was to
help me understand SIP security and Denial of Service attacks on the SIP
protocol. Originally I had intended on testing out my nCite Session Border
Controller but after watching nCite crash and burn on its own, it made little
sense for me to point it at it.

I have found that by sending a certain sequence of these packets, in a certain
order, servers react differently. Sometimes it crashed faster, sometimes more
extensions subscribed, sometimes voicemails were created and the list went on.
Asterisk versions 1.2.13 and better are now patched against this issue but there
are other products it has not been tested on.

The packets were butchered in Perl and called from a shell script since I had
to manipulate packet sequences individually. This Proof of Concept program is
released to the public under the hopes that individuals will find a useful
purpose for assessing DoS vulnerabilities. It is unfortunate though that there
are idiots who will use this lame tool for malicious purposes.

Some vendors, CERT and other organizations were contacted as early as September
9th 2006 to address issues with their products. Most reacted quickly to get the
fixes in order.  Thanks to Kevin P. Flemming and the guys on Asterisk Dev for
creating a thread on this. Dan York for getting some to pay attention. PSIRT
at Cisco for looking into this, Tim Donahue for his Perl pointers, vgersh99
(aka vlad) for nawk foo pointers, PHV, Annihilannic, p5wizard (segment!), and
Henning Schulzrinne for taking a look at the tool during his seminars at
Columbia.

Also thanks to Anthony LaMantia, Tzafir Cohen, and the others on the dev list
for tolerating my posts. Public apologies to Jay R. Ashworth for my mis-reading
of the "(Missed)Trust in Caller ID" thread on VOIPSA ;)

Coming 10/31/2006
http://www.infiltrated.net/asteroid/


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
