[VOIPSEC] Actual Attacks - UA handling

Mark Teicher mht3 at earthlink.net
Sun Mar 6 16:50:29 GMT 2005 

According to the specification, or interpretation of the specification, 
there is no limit.  Different vendors will interpret the SIP specification 
differently, hopefully some vendors will utilize some sort of best 
practices to ensure no parts of a VOIP solution are vulnerable to internet 
attacks or configuration errors.

/m

At 05:00 PM 3/5/2005, Christopher A. Martin wrote:
>But you have to set some standard limitation, whether it is in the SIP spec
>or even in good programming best practices...is anyone aware of any coding
>best practice that can be used as a premise for this?
>
>Christopher A. Martin
>P.O. Box 1264
>Cedar Hill, Texas 75106
>Chris at InfraVAST.com
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> > Behalf Of Mark Teicher
> > Sent: Friday, March 04, 2005 8:52 PM
> > To: Ari Takanen
> > Cc: Voipsec at voipsa.org
> > Subject: Re: [VOIPSEC] Actual Attacks - UA handling
> >
> > Ari,
> >
> > Some of the leading VOIP vendors allow for lots of characters in the URI,
> > sending embedded commands within the URI can also crash some VOIP phones..
> >
> > /mark
> >
> > At 02:33 AM 3/3/2005, Ari Takanen wrote:
> > >Hello Mark,
> > >
> > >In the specification, there should be no restriction of having longer
> > >than 255 character user name. Having over 255 characters in the user
> > >name is not an overflow in itself, and can be valid in some
> > >scenarios. An implementation that just cuts user names to 255
> > >characters is just broken from SIP perspective. If the VoIP
> > >implementation happens to have an overflow in the parsing of the URI,
> > >you cannot protect from this by setting any hard limits in the
> > >implementation. We extensively test for problems like this in REGISTER
> > >also in our test tools, and I agree that behavior is different across
> > >implementations. Some crash and some don't :)
> > >
> > >Best regards,
> > >
> > >/Ari
> > >
> > >--
> > >-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> > >Ari Takanen                       Codenomicon Ltd.
> > >ari.takanen at codenomicon.com       Kaitovayla 1
> > >tel: +358-40 50 67678             FIN-90570 Oulu
> > >http://www.codenomicon.com        Finland
> > >PGP: http://www.codenomicon.com/codenomicon-key.asc
> > >-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> > >
> > >On Tue, Mar 01, 2005 at 08:20:59AM -0500, Mark Teicher wrote:
> > > > Just validating whether a VOIP's implementation allows for buffer
> > > overflow in a URI over a REGISTER request over UDP is possible.
> > > > Most UA should not accept a malicious request over 255 characters as
> > > the username, but some of the major player implementations do, and no
> > > configuration option to restrict how many characters a UA should accept.
> > > >
> > > > /cheers
> > > > /
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list