[Asterisk-code-review] AST-2016-003: Vulnerability replication test. (testsuite[master])
Kevin Harwell
asteriskteam at digium.com
Wed Feb 3 15:19:17 CST 2016
Kevin Harwell has submitted this change and it was merged.
Change subject: AST-2016-003: Vulnerability replication test.
......................................................................
AST-2016-003: Vulnerability replication test.
Sending UDPTL packets to Asterisk with the right amount of missing
sequence numbers and enough redundant 0-length IFP packets, can make
Asterisk crash.
The test fails if Asterisk crashes.
ASTERISK-25603 #close
Reported by: Walter Doekes
ASTERISK-25742 #close
Reported by: Torrey Searle
Change-Id: Ia043c29557f32595efaf825696de24a90a6756ce
---
A tests/fax/pjsip/ast-2015-006/configs/ast1/extensions.conf
A tests/fax/pjsip/ast-2015-006/configs/ast1/pjsip.conf
A tests/fax/pjsip/ast-2015-006/sipp/crash.pcap
A tests/fax/pjsip/ast-2015-006/sipp/endpoint_A.xml
A tests/fax/pjsip/ast-2015-006/sipp/endpoint_B.xml
A tests/fax/pjsip/ast-2015-006/sipp/inject_bridge.csv
A tests/fax/pjsip/ast-2015-006/test-config.yaml
M tests/fax/pjsip/tests.yaml
8 files changed, 400 insertions(+), 0 deletions(-)
Approvals:
Kevin Harwell: Looks good to me, approved; Verified
diff --git a/tests/fax/pjsip/ast-2015-006/configs/ast1/extensions.conf b/tests/fax/pjsip/ast-2015-006/configs/ast1/extensions.conf
new file mode 100644
index 0000000..9ccf33d
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/configs/ast1/extensions.conf
@@ -0,0 +1,6 @@
+[general]
+
+[default]
+exten => basicdial,1,NoOp()
+same => n,Dial(PJSIP/endpoint_B/sip:127.0.0.3)
+same => n,Hangup()
diff --git a/tests/fax/pjsip/ast-2015-006/configs/ast1/pjsip.conf b/tests/fax/pjsip/ast-2015-006/configs/ast1/pjsip.conf
new file mode 100644
index 0000000..bc95b50
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/configs/ast1/pjsip.conf
@@ -0,0 +1,26 @@
+[local-transport]
+type=transport
+protocol=udp
+bind=127.0.0.1
+
+[endpoint-template](!)
+type=endpoint
+context=default
+allow=!all,ulaw
+t38_udptl=yes
+direct_media=no
+
+[endpoint_A](endpoint-template)
+
+[endpoint_B](endpoint-template)
+
+[identify-template](!)
+type=identify
+
+[endpoint_A](identify-template)
+endpoint=endpoint_A
+match=127.0.0.2
+
+[endpoint_B](identify-template)
+endpoint=endpoint_B
+match=127.0.0.3
diff --git a/tests/fax/pjsip/ast-2015-006/sipp/crash.pcap b/tests/fax/pjsip/ast-2015-006/sipp/crash.pcap
new file mode 100644
index 0000000..472370b
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/sipp/crash.pcap
Binary files differ
diff --git a/tests/fax/pjsip/ast-2015-006/sipp/endpoint_A.xml b/tests/fax/pjsip/ast-2015-006/sipp/endpoint_A.xml
new file mode 100644
index 0000000..05f753c
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/sipp/endpoint_A.xml
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Phone A calls B to receive a T.38 UDPTL stream.">
+
+ <!-- Initial invite - Call phone B -->
+ <send retrans="500">
+ <![CDATA[
+ INVITE sip:[field2]@[remote_ip]:[remote_port] SIP/2.0
+ Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+ From: [field0] <sip:[field0]@[local_ip]:[local_port]>;tag=[call_number]
+ To: <sip:[field2]@[remote_ip]:[remote_port];user=phone>
+ CSeq: 1 INVITE
+ Call-ID: [call_id]
+ Contact: <sip:[field0]@[local_ip]:[local_port]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Allow-Events: talk,hold,conference
+ Max-Forwards: 70
+ Content-Type: application/sdp
+ Content-Length: [len]
+
+ v=0
+ o=- 1324901698 1324901698 IN IP4 [local_ip]
+ s=Polycom IP Phone
+ c=IN IP4 [local_ip]
+ t=0 0
+ a=sendrecv
+ m=audio 2226 RTP/AVP 0 101
+ a=sendrecv
+ a=rtpmap:0 PCMU/8000
+ a=rtpmap:101 telephone-event/8000
+ ]]>
+ </send>
+
+ <recv response="100" optional="true" />
+
+ <recv response="180" optional="true" />
+
+ <recv response="183" optional="true" />
+
+ <recv response="200" />
+
+ <send>
+ <![CDATA[
+ ACK sip:[field1]@[remote_ip]:[remote_port] SIP/2.0
+ Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+ From: [field0] <sip:[field0]@[remote_ip]>;tag=[call_number]
+ To: <sip:[field1]@[remote_ip];user=phone>[peer_tag_param]
+ CSeq: 1 ACK
+ Call-ID: [call_id]
+ Contact: <sip:[field0]@[local_ip]:[local_port]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Max-Forwards: 70
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <!-- Reinvite received for T38 - media flows between Enpoint A and Asterisk -->
+ <recv request="INVITE" />
+
+ <send retrans="500">
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field0]@[local_ip]:[local_port];transport=[transport]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ Supported: 100rel,replaces
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Testsuite-Track-Phone-A: 2
+ Content-Type: application/sdp
+ Content-Length: [len]
+
+ v=0
+ o=- 1324901698 1324901700 IN IP4 [local_ip]
+ s=Polycom IP Phone
+ c=IN IP4 [local_ip]
+ t=0 0
+ m=image 10972 udptl t38
+ a=sendrecv
+ a=T38FaxVersion:0
+ a=T38MaxBitRate:9600
+ a=T38FaxMaxBuffer:1024
+ a=T38FaxMaxDatagram:400
+ a=T38FaxRateManagement:transferredTCF
+ a=T38FaxUdpEC:t38UDPRedundancy
+ ]]>
+ </send>
+
+ <recv request="ACK"/>
+
+ <!-- Reinvite received when phone B hangs up to clear T.38 -->
+ <recv request="INVITE"/>
+
+ <send retrans="500">
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field0]@[local_ip]:[local_port];transport=[transport]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ Supported: 100rel,replaces
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Testsuite-Track-Phone-A: 3
+ Content-Type: application/sdp
+ Content-Length: [len]
+
+ v=0
+ o=- 1324901698 1324901698 IN IP4 [local_ip]
+ s=Polycom IP Phone
+ c=IN IP4 [local_ip]
+ t=0 0
+ a=sendrecv
+ m=audio 2226 RTP/AVP 0 101
+ a=sendrecv
+ a=rtpmap:0 PCMU/8000
+ a=rtpmap:101 telephone-event/8000
+ ]]>
+ </send>
+
+ <recv request="ACK"/>
+
+ <recv request="BYE"/>
+
+ <send retrans="500">
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field0]@[local_ip]:[local_port];transport=[transport]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ Supported: 100rel,replaces
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Testsuite-Track-Phone-A: 5
+ Content-Type: application/sdp
+ Content-Length: 0
+ ]]>
+ </send>
+</scenario>
+
diff --git a/tests/fax/pjsip/ast-2015-006/sipp/endpoint_B.xml b/tests/fax/pjsip/ast-2015-006/sipp/endpoint_B.xml
new file mode 100644
index 0000000..f6a6cfe
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/sipp/endpoint_B.xml
@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Phone B Answers and reINVITEs to send T.38 malicious UDPTL pcap stream.">
+ <Global variables="remote_tag"/>
+
+ <recv request="INVITE" crlf="true">
+ <action>
+ <ereg regexp=".*(;tag=.*)"
+ header="From:"
+ search_in="hdr"
+ check_it="true"
+ assign_to="remote_tag"/>
+ </action>
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 100 Trying
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field1]@[local_ip]:[local_port];transport=[transport]>
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 180 Ringing
+ [last_Via:]
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field1]@[local_ip]:[local_port];transport=[transport]>
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Allow-Events: talk,hold,conference
+ Accept-Language: en
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <pause milliseconds="200"/>
+
+ <send retrans="500">
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:]
+ [last_From:]
+ [last_To:]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Contact: <sip:[field1]@[local_ip]:[local_port];transport=[transport]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ Supported: 100rel,replaces
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Testsuite-Track-Phone-B-Media-Restrict: 1
+ Content-Type: application/sdp
+ Content-Length: [len]
+
+ v=0
+ o=- 1324901698 1324901698 IN IP4 [local_ip]
+ s=Polycom IP Phone
+ c=IN IP4 [local_ip]
+ t=0 0
+ a=sendrecv
+ m=audio 2226 RTP/AVP 0 101
+ a=sendrecv
+ a=rtpmap:0 PCMU/8000
+ a=rtpmap:101 telephone-event/8000
+ ]]>
+ </send>
+
+ <!-- RECV ACK -->
+ <recv request="ACK"/>
+
+ <!-- Wait some period of time -->
+ <pause milliseconds="1500"/>
+
+ <!-- Reinvite to set up T38 Fax session -->
+ <send retrans="500">
+ <![CDATA[
+ INVITE sip:endpoint_B@[remote_ip]:[remote_port] SIP/2.0
+ Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+ From: <sip:127.0.0.3>
+ To: [$remote_tag]
+ CSeq: [cseq] INVITE
+ [last_Call-ID:]
+ Contact: <sip:[field1]@[local_ip]:[local_port]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Supported: 100rel,replaces
+ Allow-Events: talk,hold,conference
+ Max-Forwards: 70
+ Content-Type: application/sdp
+ Content-Length: [len]
+
+ v=0
+ o=- 1324901698 1324901700 IN IP4 [local_ip]
+ s=Polycom IP Phone
+ c=IN IP4 [local_ip]
+ t=0 0
+ m=image 30002 udptl t38
+ a=sendrecv
+ a=T38FaxVersion:0
+ a=T38MaxBitRate:9600
+ a=T38FaxMaxBuffer:1024
+ a=T38FaxMaxDatagram:400
+ a=T38FaxRateManagement:transferredTCF
+ a=T38FaxUdpEC:t38UDPRedundancy
+ ]]>
+ </send>
+
+ <recv response="100" optional="true" />
+
+ <recv response="200" />
+
+ <send>
+ <![CDATA[
+ ACK sip:[field1]@[remote_ip]:[remote_port] SIP/2.0
+ Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch]
+ From: <sip:127.0.0.3>
+ To: [$remote_tag]
+ CSeq: [cseq] ACK
+ [last_Call-ID:]
+ Contact: <sip:[field1]@[local_ip]:[local_port]>
+ Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Max-Forwards: 70
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <!-- Send malicious T.38 pcap file. -->
+ <nop>
+ <action>
+ <exec play_pcap_image="tests/fax/pjsip/ast-2015-006/sipp/crash.pcap" />
+ </action>
+ </nop>
+
+ <!-- Wait for the pcap to fully get sent. -->
+ <pause milliseconds="14000"/>
+
+ <send>
+ <![CDATA[
+ BYE sip:[field1]@1[remote_ip]:[remote_port] SIP/2.0
+ Via: SIP/2.0/UDP [local_ip]:[local_port];branch=[branch]
+ From: <sip:127.0.0.3>
+ To: [$remote_tag]
+ CSeq: [cseq] BYE
+ [last_Call-ID:]
+ Contact: <sip:[field1]@[local_ip]:[local_port]>
+ User-Agent: PolycomSoundPointIP-SPIP_430-UA/3.2.3.1734
+ Accept-Language: en
+ Max-Forwards: 70
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <recv response="200" />
+</scenario>
+
diff --git a/tests/fax/pjsip/ast-2015-006/sipp/inject_bridge.csv b/tests/fax/pjsip/ast-2015-006/sipp/inject_bridge.csv
new file mode 100644
index 0000000..3d6c1c9
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/sipp/inject_bridge.csv
@@ -0,0 +1,3 @@
+SEQUENTIAL
+endpoint_A;endpoint_B;basicdial
+
diff --git a/tests/fax/pjsip/ast-2015-006/test-config.yaml b/tests/fax/pjsip/ast-2015-006/test-config.yaml
new file mode 100644
index 0000000..f477623
--- /dev/null
+++ b/tests/fax/pjsip/ast-2015-006/test-config.yaml
@@ -0,0 +1,38 @@
+testinfo:
+ summary: 'Test for AST-2015-006 T.38 FAX UDPTL vulnerability'
+ description: |
+ 'Two devices are in a normal Audio call when one does a reinvite
+ to start a T.38 Fax session to send a malicious UDPTL stream.
+ A calls B
+ B initiates T.38 reINVITE
+ B sends malicious UDPTL stream.'
+
+test-modules:
+ add-test-to-search-path: 'True'
+ test-object:
+ config-section: test-object-config
+ typename: 'sipp.SIPpTestCase'
+
+test-object-config:
+ fail-on-any: False
+ test-iterations:
+ -
+ scenarios:
+ - { 'key-args': {'scenario': 'endpoint_A.xml', '-i': '127.0.0.2', '-p': '5060', '-inf': 'inject_bridge.csv'} }
+ - { 'key-args': {'scenario': 'endpoint_B.xml', '-i': '127.0.0.3', '-p': '5060', '-inf': 'inject_bridge.csv'} }
+
+properties:
+ minversion: '13.8.0'
+ dependencies:
+ # The test requires the use of the SIPp feature play_pcap_image.
+ # However the feature is not in a released SIPp version yet.
+ # The feature might be present in the specified version below.
+ - sipp :
+ version : 'v3.5'
+ feature : 'PCAP'
+ - asterisk : 'app_dial'
+ - asterisk : 'chan_pjsip'
+ - asterisk : 'res_pjsip_t38'
+ tags:
+ - pjsip
+ - fax
diff --git a/tests/fax/pjsip/tests.yaml b/tests/fax/pjsip/tests.yaml
index 58bd614..87a641a 100644
--- a/tests/fax/pjsip/tests.yaml
+++ b/tests/fax/pjsip/tests.yaml
@@ -1,5 +1,6 @@
# Enter tests here in the order they should be considered for execution:
tests:
+ - test: 'ast-2015-006'
- test: 't38'
- test: 't38_with_auth'
- test: 'directmedia_reinvite_t38'
--
To view, visit https://gerrit.asterisk.org/2190
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia043c29557f32595efaf825696de24a90a6756ce
Gerrit-PatchSet: 2
Gerrit-Project: testsuite
Gerrit-Branch: master
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
More information about the asterisk-code-review
mailing list