[VOIPSEC] VoIP-Phones: Weakness in proccessing

Christian Wieser chwieser at ee.oulu.fi
Fri Jul 22 09:07:10 CDT 2005


[snip]
> 
> My point is that SIP has enough complexity that you can't possibly test all
> possible permutations of messages and message sequences.  You've just taken
> an unsolvable problem and tossed it in the lap of your QA group.

This is the question of completeness of testing. With testing we
can only show the absence of specific bugs, but cannot claim the
correctness of the software. Formal verification of implementations
has not been done for SIP, afaik.


> Unless you insist on a well-defined SIP profile and filter messages that
> don't fit within that profile, you're always going to have a significant
> vulnerability to attacks by mal-formed SIP messages and sequences.

True, a single bug can ruin your day. On filtering:
It is rather challenging to write correct filters. To give an example:
The maximum field length of a "Display name" is not limited by the
specification. A name consisting of 512x"A" is a valid Display name,
but can already crash an application due to a buffer overflow; how
about "%100s"?


> In the carrier-class cable voice space I live in, the certification process
> for a code image on a VoIP device takes many months.  Cable operators are
> going to be reluctant to take shotgun images from their vendors that risk
> creating millions of truck rolls when a bug in a new image turns that device
> into a doorstop.  This has happened with set-top boxes and that kind of
> mistake costs tens of millions of dollars.  Even worse, you can attack core
> facilities like media gateway controllers with mal-formed SIP messages and
> sequences.  That could end up denying service to everybody in the network,
> not just a small set of VoIP terminal devices.
> 

Robustness testing and fuzzing are rather efficient at catching certain
bugs. Do they solve all problems - no.

>  
> 
> Geoff
> 
> 
> 
> ________________________________
> 
> From: Ari Takanen [mailto:art at codenomicon.com]
> Sent: Thu 7/21/2005 8:03 PM
> To: Geoff Devine
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in proccessing
> 
> 
> 
> Geoff,
> 
> Sorry I could not respond to your comment earlier. You said that all
> permutations are impossible to test, which is of course true, but we
> have to try. Both robustness tests and fuzzers are attempting to cover
> all these unexpected inputs. Fuzzers are typically semi-random,
> whereas robustness tests are more advanced, systematic and "smart".
> 
> One can start with the free robustness testing techniques introduced
> by PROTOS in their SIP and H.323 test-suites. I hope all vendors are
> using them by now. PROTOS provides the minimum baseline for
> robustness. Also that PROTOS research shows that it is not only ascii
> protocols that have these problems. Actually many binary protocols
> described in ASN.1 have much more serious problems due to the freedom
> of being able to describe about any types of structures with it.
> 
> PROTOS tests in SIP have been continued in our company, and
> Codenomicon SIP Test Tool is constantly increasing the test coverage
> in SIP. From the 4500 PROTOS tests, we are already beyond 100,000 test
> cases for SIP. But the number of test cases is not important, it is
> the coverage of the tools. You can have millions of redundant fuzzing
> test cases and still not reach the coverage of PROTOS even.
> 
> It is good to finally notice that people looking for security flaws in
> SIP are going beyond the robustness testing coverage of PROTOS! It has
> been quite quiet after the release of PROTOS test-suite by CERT/CC.
> There is lots of work quietly being done in the commercial companies
> though. For example, our company is working with our commercial
> customers to fix these issues without disclosing any of the found
> flaws publicly. Nobody wants public attention to SIP weaknesses, and
> it is in nobody's interest for the exploits to start spreading in VoIP
> scene (except perhaps that might be the interest of the hackers).
> 
> There is nothing new or special in this bug, it is just a quality
> assurance flaw that should have been tested away.
> 
> /Ari
> 
> PS: Update your SIP phone regularly!
> 
> On Fri, Jul 08, 2005 at 09:01:10AM -0400, Geoff Devine wrote:
> > I'd point out that this kind of problem is the most glaring security
> > weakness with SIP.  As a completely unstructured text-based
> > protocol, you can't possibly test all permutations of SIP messages.
> 
> 
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 

Christian Wieser
mailto:chwieser at ee.oulu.fi
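The two display-name cases discussed above (a 512x"A" name overrunning a fixed buffer, and a "%100s" name reaching a format string), shown as an added example that is not code from the thread or from any vendor: a receiver-side extractor that bounds the copy before it happens, and a logger that never lets the name become the format string. The MAX_DISPLAY limit, the reject-rather-than-truncate policy, and the helper names are assumptions of this example; RFC 3261 quoted-pair escapes are deliberately not handled.

```c
#include <stdio.h>
#include <string.h>
/* Added example (not from the thread): bounded extraction of the quoted
 * display name from a SIP From/To value like  "Alice" <sip:alice@example.com>.
 * Assumed policy: names over MAX_DISPLAY are rejected, not truncated.
 * Simplification: RFC 3261 quoted-pair escapes (\") are not handled. */
#define MAX_DISPLAY 64

enum dn_status { DN_OK, DN_NONE, DN_TOO_LONG, DN_MALFORMED };

/* Copies the display name into out (out_sz bytes, out_sz >= 1). On any
 * failure out is left as "" so callers never read an uninitialised buffer. */
enum dn_status sip_display_name(const char *hdr, char *out, size_t out_sz)
{
    const char *lq = strchr(hdr, '"'), *rq;
    size_t len;
    out[0] = '\0';
    if (!lq) return DN_NONE;                  /* no quoted display name */
    rq = strchr(lq + 1, '"');
    if (!rq) return DN_MALFORMED;             /* unterminated quote */
    len = (size_t)(rq - lq - 1);
    /* The spec sets no maximum, so the receiver must impose one BEFORE
     * copying; otherwise 512 x "A" overruns a fixed-size buffer. */
    if (len > MAX_DISPLAY || len >= out_sz)
        return DN_TOO_LONG;
    memcpy(out, lq + 1, len);
    out[len] = '\0';
    return DN_OK;
}

/* Fixed format string, attacker-controlled value as argument: a name of
 * "%100s" is printed literally, never interpreted. Returns bytes written. */
int log_display_name(char *buf, size_t buf_sz, const char *name)
{
    return snprintf(buf, buf_sz, "display-name=%s", name);
}

/* Builds a constructed header whose display name is n x "A" and returns
 * the parser's verdict (demonstrates the 512-"A" case from the thread). */
enum dn_status check_repeated_a(size_t n)
{
    char hdr[1024], out[MAX_DISPLAY + 1];
    if (n + 32 > sizeof hdr) return DN_MALFORMED;
    hdr[0] = '"';
    memset(hdr + 1, 'A', n);
    strcpy(hdr + n + 1, "\" <sip:a@example.com>");
    return sip_display_name(hdr, out, sizeof out);
}
```

Rejecting over-long names at parse time is the filtering step the message calls hard to get right; the point is that the bound lives in the receiver, not in the specification.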
