Fuzzing Attacks and Protection on VoIP/UC Presented by: Sipera Systems

2 UC Security Requirements

© 2008 Sipera Systems, Inc. All Rights Reserved.

Agenda

What are Fuzzing Attacks?

VoIP/UC is different

Impact of Fuzzing attacks on VoIP

Protection techniques

Fuzzing

Fuzzing

• Fuzzing was developed as a Black Box software testing technique, to find implementation bugs using malformed/semi-malformed data injection in an automated fashion

Protocol Fuzzing

• A protocol fuzzer sends forged packets to the tested application, or may act as a proxy modifying packets on the fly and replaying them

Random vs. Protocol Aware

• Truly Random Approach allows for exhaustive coverage but requires infinite time

• Protocol Aware approach limits the randomness

- Makes each message penetrate deeper

- Provides better coverage

Impact of Fuzzing Attacks

Crashes

• This is the most common impact and results in complete Denial of Service (DoS)

Loops or heavy processing

• Extremely large fuzzed packets sometimes result in loops and heavy processing, causing DoS of genuine requests

Buffer overflows

• This is the most dangerous impact: the attacker gets to violate Confidentiality, Integrity, Availability

• Attacker gains access using fuzzing in spite of all access control and encryption mechanisms

Writing Protocol Fuzzing Tools

Grammar/ABNF aware Fuzzing steps

• Acquire the ABNF or specification

• Design valid inputs

• Define and/or reuse anomalous inputs

• Insert anomalous inputs by replacing symbols

• Generate test cases or attack vectors

SIP Fuzzing

SIP grammar (ABNF)

• The SIP grammar is defined in RFC 3261 in ABNF (Augmented Backus-Naur Form)

SIP Fuzzing: Exploits different aspects of the SIP grammar

• Infinite sentences

• Syntax

• Delimiters

• Field Values

• Context-Sensitive

SIP Fuzzing Categories

Grammar/ABNF Valid Impractical errors

• ABNF can express infinite “sentences” which even though perfectly valid are impractical to handle

Example: Grammar for “From” header

From = ( "From" / "f" ) HCOLON from-spec
from-spec = ( name-addr / addr-spec ) *( SEMI from-param )
from-param = tag-param / generic-param
tag-param = "tag" EQUAL token
generic-param = token [ EQUAL gen-value ]
gen-value = token / host / quoted-string
token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~" )

BNF Valid Impractical Error = From: Alice <sip:[email protected]>;tag=1928301774; gen1=val1;gen2=val2;…;genn=valn //n=10000

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774;gen1=val1;…;genn=valn
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:[email protected]>
Content-Length: 0

SIP Fuzzing Categories

Syntax Errors

• Syntax errors violate the grammar of the underlying language.

• They are created by removing an element, adding an extra element, or providing the elements in the wrong order.

Example: Grammar for IP address

IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT

Syntax error = 192.192.192.192.192

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:[email protected]>
Content-Length: 0

SIP Fuzzing Categories

Delimiter Errors

• Delimiters mark the separation of fields in a sentence.

• In SIP the delimiters are white space characters (space, tab, line-feed, etc.), or other characters (commas, semicolons, etc.)

• Delimiters can be omitted, multiplied or replaced by other unusual characters. Paired delimiters, such as braces, can be left unbalanced.

Example: “:” is a delimiter after each SIP header

Delimiter error = From Alice

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:[email protected]>
From Alice <sip:[email protected]>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:[email protected]>
Content-Length: 0

SIP Fuzzing Categories

Field Value Errors

• Normally, a field value has a range or many disjoint ranges of allowable values.

• Field errors can include values which are at range boundary or totally out-of-range.

Example: Max-Forwards legitimate value = 0-255

Field-value error = Max-Forwards: 99999999999

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 99999999999
Contact: <sip:[email protected]>
Content-Length: 0

SIP Fuzzing Categories

Context Dependent Errors

• A context-dependent error violates a context-dependent property of the grammar

Example: CSeq Method cannot be BYE in an INVITE message

Context-dependent error = CSeq: 314159 BYE (Inside an INVITE request)

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 BYE
Max-Forwards: 70
Contact: <sip:[email protected]>
Content-Length: 0

SIP Fuzzing Tool

Generate Fuzzing test cases

• Simplify formal interface specification

• Design valid-cases

• Define or reuse anomalies

• Insert the anomalies

• Design & Generate test cases

SIP Fuzzing Tool

Simplify formal interface specification

• For example: simplify SIP grammar to express one header at a time only.

<Request-Line> = <Method> SP <Request-URI> SP <SIP-Version> CRLF
<SIP-Version> = "SIP" "/" 1…n {<DIGIT>} "." 1…n {<DIGIT>}
<DIGIT> = 0|1|2|3|4|5|6|7|8|9

Design valid cases

• Some representative valid test cases are generated (designed) to be used to generate invalid cases

INVITE sip:[email protected] SIP/2.0

SIP Fuzzing Tool

Define/Reuse Anomalies

• Anomalies are defined as exceptional or unexpected elements that may cause havoc.

• Each part of the grammar can be replaced with anomalous grammar

<ASCII-Overflow> = ()|a|aa|aaaa|aaaaaaaa|… 2^0 … 2^17
<FORMAT-Overflow> = <STR-FORMAT-Overflow>|<HEX-FORMAT-OVERFLOW>|<INT-FORMAT-Overflow>
<STR-FORMAT-Overflow> = ()|%s|%s%s|%s%s%s%s|%s%s%s%s%s%s%s%s|… 2^0 … 2^17
<HEX-FORMAT-Overflow> = ()|%x|%x%x|%x%x%x%x|%x%x%x%x%x%x%x%x|… 2^0 … 2^17
<INT-FORMAT-Overflow> = <INT-NORMAL-FORMAT-Overflow>|<INT-UNUSUAL-FORMAT-Overflow>
<INT-NORMAL-FORMAT-Overflow> = ()|%d|%d%d|%d%d%d%d|%d%d%d%d%d%d%d%d|… 2^0 … 2^17

SIP Fuzzing Tool

Insert Anomalies

• For example: in the SIP version, replace “SIP” with the selection of the two overflows.

<Request-Line> = <Method> SP <Request-URI> SP <SIP-Version> CRLF
<SIP-Version> = <ASCII-Overflow>|<FORMAT-Overflow> "/" 1…n {<DIGIT>} "." 1…n {<DIGIT>}
<DIGIT> = 0|1|2|3|4|5|6|7|8|9

SIP Fuzzing Tool

Design & Generate fuzzed test cases

• Designing test cases involves replacing valid parts of the grammar with the valid test case

<SIP-Version-SIP-Overflow> =
INVITE sip:[email protected] <ASCII-Overflow>|<FORMAT-Overflow>/2.0

• Generating test cases involves expanding the fuzzed grammar

<SIP-Version-SIP-Overflow> =
INVITE sip:[email protected] /2.0
INVITE sip:[email protected] a/2.0
INVITE sip:[email protected] aa/2.0
INVITE sip:[email protected] aaaa/2.0 …
INVITE sip:[email protected] %s/2.0
INVITE sip:[email protected] %s%s/2.0
INVITE sip:[email protected] %s%s%s%s/2.0 …
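
The generation steps above, carried through for the SIP-Version example, as an added sketch (not code from the slides or from Sipera) for building a regression corpus for a parser you maintain. The symbol names, the placeholder URI and the helper functions are assumptions; the anomaly classes and their doubling lengths up to 2^17 are read from the slides' definitions.

```python
MAX_POWER = 17  # repetition counts run from 2^0 up to 2^17

def overflow(unit, max_power=MAX_POWER):
    """Yield the empty string, then unit repeated 2^0, 2^1, ... 2^max_power times."""
    yield ""
    for power in range(max_power + 1):
        yield unit * (2 ** power)

# Anomaly classes named as on the slides, each mapped to its repeated unit.
ANOMALIES = {
    "ASCII-Overflow": "a",
    "STR-FORMAT-Overflow": "%s",
    "HEX-FORMAT-Overflow": "%x",
    "INT-NORMAL-FORMAT-Overflow": "%d",
}

# Valid case split into (symbol, text) pairs for the simplified Request-Line.
# The URI is a constructed placeholder; the symbol names are assumptions.
VALID_CASE = [
    ("Method", "INVITE"), ("SP", " "),
    ("Request-URI", "sip:user@example.invalid"), ("SP", " "),
    ("SIP", "SIP"), ("SLASH", "/"), ("Version", "2.0"),
]

def generate_cases(valid_case, symbol, max_power=MAX_POWER):
    """Yield (anomaly, line) with every `symbol` replaced, skipping duplicates."""
    if symbol not in {sym for sym, _ in valid_case}:
        raise ValueError(f"unknown symbol: {symbol}")
    seen = set()
    for anomaly, unit in ANOMALIES.items():
        for value in overflow(unit, max_power):
            line = "".join(value if sym == symbol else text
                           for sym, text in valid_case)
            if line not in seen:  # the empty case is shared by all classes
                seen.add(line)
                yield anomaly, line

def corpus_summary(cases):
    """Return (number of cases, longest line length) for sizing a test run."""
    lengths = [len(line) for _, line in cases]
    return len(lengths), max(lengths, default=0)
```

The longest generated line is over 256 KB, which is why the practical-limit checks later in the deck are applied before any deeper parsing.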

VoIP/UC is different

VoIP is Different

• Real-time

• Peer-to-peer

• Weak VoIP Endpoints

• Complex Protocols for Rich Features

• Human Interactive

• Application Layer

VoIP is Different: Peer-to-peer

[Figure: e-mail and VoIP call flows compared]

• Client/Server (e-mail): SMTP: Connect to Server & Send email; POP3: Connect to Server & Receive emails

• Client/Server (through the IP PBX): Make Call, Deliver Call, Answer Call

• Peer-to-peer (between Clients): Conversation, RTP over UDP (Voice, Video)

VoIP is Different: Complex Application Layer

• Packet processing

• Header inspection

• Limited payload inspection

• Application state, Context, Semantic processing

[Figure: packets labelled “Header | Attack”, “Header | Att”, “Header | ack”, and “Attack”]

VoIP is Different: Weak VoIP Endpoints

[Figure: comparison of two endpoint types]

• Virus scanner, firewall, HIDS; High CPU, Memory; Security protocols: IPSec, 802.1X

• No security tools; Weak CPU, Low memory; Limited security protocols

Impact of Fuzzing Attacks: Peer-to-peer

• Attackers can directly fuzz endpoints

• Fuzzed attacks usually pass through IP PBX and directly attack phones

[Figure: IP PBX (Client/Server): Make Call, Deliver Call, Answer Call; Conversation (Peer-to-peer): RTP over UDP (Voice, Video)]

Impact of Fuzzing Attacks: Complex Application Layer

• Complex Application layer grammar allows for more fuzzing combinations

• Allows for context or state dependent fuzzing, very difficult to protect with stateless firewalls

[Figure: features Transfer, Conference, Hold, Forward…; packets labelled “Header | Att”, “Header | ack”, and “Attack”]

Impact of Fuzzing Attacks: Weak VoIP Endpoints

• Endpoints are weak

• Low CPU, low memory; simple loops prove costly

• No security tools: nothing to inspect bad packets and block on client

[Figure: VoIP endpoint: No security tools; Weak CPU, Low memory; Limited security protocols]

Fuzzing Protection

Protecting against Grammar compliant fuzzes (SIP Torture, etc.)

• Enforcement of Practical limits

• User, Network, Device based policy control

• Dedicated Vulnerability Research

- Vulnerability Shielding Signatures

• Exploit Research

- Exploit Blocking Signatures

• Signature Update Service

Protecting against Syntactic, Delimiter, Field value, etc. Fuzzing

• Grammar Validation/Enforcement

• Enforcement of Practical limits

• Dedicated Vulnerability Research

- Vulnerability Shielding Signatures

• Exploit Research

- Exploit Blocking Signatures

• Signature Update Service

Fuzzing Protection

Grammar Validation

• Does this comply with RFC ABNF

- As a whole message

- Individual headers

- SDP/Body of the message

REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:[email protected]>
To: LittleGuy <sip:[email protected]>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0

Does the SIP message comply with SIP RFC ABNF

Does the header line comply with RFC ABNF

Fuzzing Protection

Enforcement of Practical limits

• Enforcement of SIP Messages

• Enforcement of SIP Headers

• Enforcement of Field Values

REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:[email protected]>
To: LittleGuy <sip:[email protected]>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0

Is this in the list of allowed SIP Messages

Are these in the list of allowed SIP Headers for this message

Is this compliant with maximum user part length

Is this compliant with maximum host part length

Is this compliant with maximum header length
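
Grammar validation and practical limits, as described on the two slides above, applied to the delimiter, field-value, context-dependent and valid-but-impractical cases from the earlier category slides. This is an added example, not Sipera's implementation; the limits (256 characters, 8 parameters), the allowed-method and allowed-header lists, and the sample addresses are assumptions.

```python
import re

ALLOWED_METHODS = {"INVITE", "REGISTER", "BYE", "ACK", "CANCEL", "OPTIONS"}
ALLOWED_HEADERS = {"via", "to", "from", "call-id", "cseq", "max-forwards",
                   "contact", "content-length", "authorization"}
MAX_HEADER_LEN, MAX_PARAMS = 256, 8  # assumed practical limits, not from the slides
REQUEST_LINE = re.compile(r"([A-Z]+) sips?:\S+ SIP/[0-9]+\.[0-9]+")
HEADER_LINE = re.compile(r"([A-Za-z-]+)[ \t]*:[ \t]*(.*)")

def validate(message):
    """Return the list of violations; an empty list means the message passes."""
    lines = message.split("\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return ["request-line: does not match grammar"]
    method, problems = m.group(1), []
    if method not in ALLOWED_METHODS:
        problems.append(f"method {method}: not allowed")
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        if len(line) > MAX_HEADER_LEN:  # reject before any further parsing
            problems.append(f"header exceeds {MAX_HEADER_LEN} characters")
            continue
        h = HEADER_LINE.fullmatch(line)
        if not h:
            problems.append(f"delimiter: no 'name:' in {line[:20]!r}")
            continue
        name, value = h.group(1).lower(), h.group(2)
        if name not in ALLOWED_HEADERS:
            problems.append(f"header {name}: not allowed")
        if value.count(";") > MAX_PARAMS:
            problems.append(f"{name}: more than {MAX_PARAMS} parameters")
        if name == "max-forwards" and not (
                re.fullmatch(r"[0-9]{1,3}", value) and int(value) <= 255):
            problems.append("max-forwards: outside 0-255")
        if name == "cseq" and value.split()[-1:] != [method]:
            problems.append("cseq: method does not match request")
    return problems

# Constructed sample request (placeholder addresses); mutate() swaps one line.
BASE = ["INVITE sip:bob@example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP host.example.invalid;branch=z9hG4bKconstructed",
        "From: Alice <sip:alice@example.invalid>;tag=1",
        "To: Bob <sip:bob@example.invalid>",
        "CSeq: 314159 INVITE", "Max-Forwards: 70", "Content-Length: 0", "", ""]

def mutate(index, line):
    return "\r\n".join(BASE[:index] + [line] + BASE[index + 1:])
```

The length check runs first so that an oversized header is rejected without being handed to the regular expressions.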

Fuzzing Protection

User, Network, Device policy enforcement

• Is this device able to send or receive this message/header length, header field value, etc.

• Is this SIP network able to handle these messages

• Is this user/SIP domain allowed to send these messages

Policy Enforcement

Fuzzing Protection

Dedicated Vulnerability Research

• Extensively test new devices, phones, call servers, for vulnerabilities till breaking point

• Develop vulnerability shields specific to these devices

Fuzzing Protection

Exploit Research

• Extensively research new code that can exploit vulnerabilities

• Develop signatures for specific exploits

//Exploit\x52\x52\x52\x52\xB8\x8A\x05sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:[email protected]>
To: LittleGuy <sip:[email protected]>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Content-Length: 0

Fuzzing Protection

Signature Update Service

• Update signatures as new exploits are discovered

• Ensure short turnaround time