[Asterisk-code-review] AST-2017-012: Vulnerability replication test. (...testsuite[16])

Friendly Automation asteriskteam at digium.com
Fri Jul 19 08:30:25 CDT 2019


Friendly Automation has submitted this change and it was merged. ( https://gerrit.asterisk.org/c/testsuite/+/11582 )

Change subject: AST-2017-012: Vulnerability replication test.
......................................................................

AST-2017-012: Vulnerability replication test.

Sending RTCP packets to Asterisk with one report (for example a Receiver
Report and a Sender Report).

The test fails if Asterisk crashes.

ISSUES: - ASTERISK-27382
        - ASTERISK-27429
Change-Id: I41b313e5e42e82ee10c75052fc3c98fcabe46adf
---
A tests/rtp/ast-2017-012/configs/ast1/extensions.conf
A tests/rtp/ast-2017-012/configs/ast1/pjsip.conf
A tests/rtp/ast-2017-012/configs/ast1/rtp.conf
A tests/rtp/ast-2017-012/sipp/crash-27382.pcap
A tests/rtp/ast-2017-012/sipp/invalid-rtcp-packet.xml
A tests/rtp/ast-2017-012/test-config.yaml
M tests/rtp/tests.yaml
7 files changed, 208 insertions(+), 0 deletions(-)

Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/tests/rtp/ast-2017-012/configs/ast1/extensions.conf b/tests/rtp/ast-2017-012/configs/ast1/extensions.conf
new file mode 100644
index 0000000..7328ffc
--- /dev/null
+++ b/tests/rtp/ast-2017-012/configs/ast1/extensions.conf
@@ -0,0 +1,6 @@
+[rtcp_test]
+
+exten => test,1,Answer
+exten => test,n,Noop(RTCP Packet Test ASTERISK-27382)
+exten => test,n,Wait(100)
+exten => test,n,Hangup
diff --git a/tests/rtp/ast-2017-012/configs/ast1/pjsip.conf b/tests/rtp/ast-2017-012/configs/ast1/pjsip.conf
new file mode 100644
index 0000000..6aa4717
--- /dev/null
+++ b/tests/rtp/ast-2017-012/configs/ast1/pjsip.conf
@@ -0,0 +1,37 @@
+;--
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+Non mapped elements start
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+[general]
+udpbindaddr = 127.0.0.1:5060
+
+[test1]
+transport = udp
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+Non mapped elements end
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+--;
+
+
+[transport-udp]
+type = transport
+protocol = udp
+bind = 127.0.0.1:5060
+
+[test1]
+type = aor
+contact = sip:127.0.0.1:5061
+
+[test1]
+type = identify
+endpoint = test1
+match = 127.0.0.1:5061
+
+[test1]
+type = endpoint
+context = rtcp_test
+direct_media = no
+aors = test1
+allow=all,ulaw,alaw
diff --git a/tests/rtp/ast-2017-012/configs/ast1/rtp.conf b/tests/rtp/ast-2017-012/configs/ast1/rtp.conf
new file mode 100644
index 0000000..fb420ba
--- /dev/null
+++ b/tests/rtp/ast-2017-012/configs/ast1/rtp.conf
@@ -0,0 +1,3 @@
+[general]
+; Turn off strictrtp so that DTMF does not get dropped
+strictrtp=no
diff --git a/tests/rtp/ast-2017-012/sipp/crash-27382.pcap b/tests/rtp/ast-2017-012/sipp/crash-27382.pcap
new file mode 100644
index 0000000..5f60a94
--- /dev/null
+++ b/tests/rtp/ast-2017-012/sipp/crash-27382.pcap
Binary files differ
diff --git a/tests/rtp/ast-2017-012/sipp/invalid-rtcp-packet.xml b/tests/rtp/ast-2017-012/sipp/invalid-rtcp-packet.xml
new file mode 100644
index 0000000..4e18362
--- /dev/null
+++ b/tests/rtp/ast-2017-012/sipp/invalid-rtcp-packet.xml
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<!-- This program is free software; you can redistribute it and/or      -->
+<!-- modify it under the terms of the GNU General Public License as     -->
+<!-- published by the Free Software Foundation; either version 2 of the -->
+<!-- License, or (at your option) any later version.                    -->
+<!--                                                                    -->
+<!-- This program is distributed in the hope that it will be useful,    -->
+<!-- but WITHOUT ANY WARRANTY; without even the implied warranty of     -->
+<!-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the      -->
+<!-- GNU General Public License for more details.                       -->
+<!--                                                                    -->
+<!-- You should have received a copy of the GNU General Public License  -->
+<!-- along with this program; if not, write to the                      -->
+<!-- Free Software Foundation, Inc.,                                    -->
+<!-- 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA             -->
+<!--                                                                    -->
+<!--                 Sipp 'uac' scenario with pcap (rtp) play           -->
+<!--                                                                    -->
+
+<scenario name="UAC with media">
+  <!-- In client mode (sipp placing calls), the Call-ID MUST be         -->
+  <!-- generated by sipp. To do so, use [call_id] keyword.                -->
+  <send retrans="500">
+    <![CDATA[
+
+      INVITE sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: test1 <sip:test1@[local_ip]:[local_port]>;tag=[call_number]
+      To: roramirez <sip:[service]@[remote_ip]:[remote_port]>
+      Call-ID: [call_id]
+      CSeq: 1 INVITE
+      Contact: sip:sipp@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Subject: Performance Test
+      Content-Type: application/sdp
+      Content-Length: [len]
+
+      v=0
+      o=user1 53655765 2353687637 IN IP[local_ip_type] [local_ip]
+      s=-
+      c=IN IP[local_ip_type] [local_ip]
+      t=0 0
+      m=audio [auto_media_port] RTP/AVP 8 101
+      a=rtpmap:8 PCMA/8000
+      a=rtpmap:101 telephone-event/8000
+      a=fmtp:101 0-11,16
+    ]]>
+  </send>
+
+  <recv response="100" optional="true">
+  </recv>
+
+  <recv response="180" optional="true">
+  </recv>
+
+  <!-- By adding rrs="true" (Record Route Sets), the route sets         -->
+  <!-- are saved and used for following messages sent. Useful to test   -->
+  <!-- against stateful SIP proxies/B2BUAs.                             -->
+  <recv response="200" rtd="true" crlf="true">
+  </recv>
+
+  <!-- Packet lost can be simulated in any send/recv message by         -->
+  <!-- by adding the 'lost = "10"'. Value can be [1-100] percent.       -->
+  <send>
+    <![CDATA[
+
+      ACK sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: sipp <sip:sipp@[local_ip]:[local_port]>;tag=[call_number]
+      To: sut <sip:[service]@[remote_ip]:[remote_port]>[peer_tag_param]
+      Call-ID: [call_id]
+      CSeq: 1 ACK
+      Contact: sip:sipp@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Subject: Performance Test
+      Content-Length: 0
+
+    ]]>
+  </send>
+
+  <pause milliseconds="3000"/>
+  <!-- Play a pre-recorded PCAP file (RTP stream)                       -->
+  <nop>
+    <action>
+        <!-- RTP AND RTCP Packet extract leg-b side from
+             https://issues.asterisk.org/jira/browse/ASTERISK-27382     -->
+        <exec play_pcap_audio="crash-27382.pcap" />
+    </action>
+  </nop>
+
+  <!-- Pause 10 seconds, which is less than the duration of the         -->
+  <!-- PCAP file                                                        -->
+  <pause milliseconds="10000"/>
+
+  <!-- The 'crlf' option inserts a blank line in the statistics report. -->
+  <send retrans="500">
+    <![CDATA[
+
+      BYE sip:[service]@[remote_ip]:[remote_port] SIP/2.0
+      Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+      From: sipp <sip:sipp@[local_ip]:[local_port]>;tag=[call_number]
+      To: sut <sip:[service]@[remote_ip]:[remote_port]>[peer_tag_param]
+      Call-ID: [call_id]
+      CSeq: 2 BYE
+      Contact: sip:sipp@[local_ip]:[local_port]
+      Max-Forwards: 70
+      Subject: Performance Test
+      Content-Length: 0
+
+    ]]>
+  </send>
+
+  <recv response="200" crlf="true">
+  </recv>
+
+  <!-- definition of the response time repartition table (unit is ms)   -->
+  <ResponseTimeRepartition value="10, 20, 30, 40, 50, 100, 150, 200"/>
+
+  <!-- definition of the call length repartition table (unit is ms)     -->
+  <CallLengthRepartition value="10, 50, 100, 500, 1000, 5000, 10000"/>
+
+</scenario>
diff --git a/tests/rtp/ast-2017-012/test-config.yaml b/tests/rtp/ast-2017-012/test-config.yaml
new file mode 100644
index 0000000..4cc6923
--- /dev/null
+++ b/tests/rtp/ast-2017-012/test-config.yaml
@@ -0,0 +1,37 @@
+testinfo:
+    summary:     'Test for AST-2017-12 Remote Crash Vulnerability in RTCP Stack'
+    description: |
+        'A SIPp scenario send INVITE to create inbound call in a SIP channel
+        with device test1. After ANSWER by Asterisk, the device send RTP
+        traffic and RTCP packets contain more than one report (Receiver Report
+        and a Sender Report).
+        The test passes as long Asterisk does not crash and receive BYE by test1.'
+    issues:
+        - jira: 'ASTERISK-27382'
+        - jira: 'ASTERISK-27429'
+
+test-modules:
+    test-object:
+        config-section: sipp-config
+        typename: 'sipp.SIPpTestCase'
+
+sipp-config:
+    fail-on-any: True
+    test-iterations:
+        -
+            scenarios:
+                - { 'key-args': {'scenario': 'invalid-rtcp-packet.xml', '-p': '5061', '-s': 'test' } }
+
+properties:
+    dependencies:
+        - python : 'twisted'
+        - python : 'starpy'
+        - sipp :
+            version : 'v3.0'
+            feature : 'PCAP'
+        - asterisk: 'chan_pjsip'
+        - custom : 'rawsocket'
+    tags:
+        - pjsip
+        - RTP
+        - RTCP
diff --git a/tests/rtp/tests.yaml b/tests/rtp/tests.yaml
index 3ff1e44..56e9f9e 100644
--- a/tests/rtp/tests.yaml
+++ b/tests/rtp/tests.yaml
@@ -1,3 +1,4 @@
 # Enter tests here in the order they should be considered for execution:
 tests:
     - dir: 'strict_rtp'
+    - test: 'ast-2017-012'

-- 
To view, visit https://gerrit.asterisk.org/c/testsuite/+/11582
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: testsuite
Gerrit-Branch: 16
Gerrit-Change-Id: I41b313e5e42e82ee10c75052fc3c98fcabe46adf
Gerrit-Change-Number: 11582
Gerrit-PatchSet: 1
Gerrit-Owner: Rodrigo Ramirez Norambuena <a at rodrigoramirez.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20190719/9c3225a6/attachment-0001.html>


More information about the asterisk-code-review mailing list