[VOIPSEC] Actual Attacks - UA handling

Christopher A. Martin chris at infravast.com
Sat Mar 5 16:00:37 CST 2005 

But you have to set some standard limitation, whether it is in the SIP spec
or even in good programming best practices...is anyone aware of any coding
best practice that can be used as a premise for this?

Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Mark Teicher
> Sent: Friday, March 04, 2005 8:52 PM
> To: Ari Takanen
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Actual Attacks - UA handling
> 
> Ari,
> 
> Some of the leading VOIP vendors allow for lots of characters in the URI,
> sending embedded commands within the URI can also crash some VOIP phones..
> 
> /mark
> 
> At 02:33 AM 3/3/2005, Ari Takanen wrote:
> >Hello Mark,
> >
> >In the specification, there should be no restriction of having longer
> >than 255 character user name. Having over 255 characters in the user
> >name is not an overflow in itself, and can be valid in some
> >scenarios. An implementation that just cuts user names to 255
> >characters is just broken from SIP perspective. If the VoIP
> >implementation happens to have an overflow in the parsing of the URI,
> >you cannot protect from this by setting any hard limits in the
> >implementation. We extensively test for problems like this in REGISTER
> >also in our test tools, and I agree that behavior is different across
> >implementations. Some crash and some don't :)
> >
> >Best regards,
> >
> >/Ari
> >
> >--
> >-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> >Ari Takanen                       Codenomicon Ltd.
> >ari.takanen at codenomicon.com       Kaitovayla 1
> >tel: +358-40 50 67678             FIN-90570 Oulu
> >http://www.codenomicon.com        Finland
> >PGP: http://www.codenomicon.com/codenomicon-key.asc
> >-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> >
> >On Tue, Mar 01, 2005 at 08:20:59AM -0500, Mark Teicher wrote:
> > > Just validating whether a VOIP's implementation allows for buffer
> > overflow in a URI over a REGISTER request over UDP is possible.
> > > Most UA should not accept a malicious request over 255 characters as
> > the username, but some of the major player implementations do, and no
> > configuration option to restrict how many characters a UA should accept.
> > >
> > > /cheers
> > > /
> 
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list