Fuzzing SIP over TLS
Currently, I've made a lexer for SIP communication that parses a SIP message into an object, so that individual parts of the message can be manipulated before it is sent.
Scenarios
Shuffle randomly the SIP message
This results in the call hanging after some delay. We probably want to generate random fields instead.
Keep changing the SIP version
The version is changed randomly between SIP/1.0 and SIP/2.0.
TODO - Change the status code
Bad SDP body
If the body of an SDP request is invalid, an assertion fails. The null pointer itself does not seem to be the problem, because it is checked; however, the caller should probably not call the function in the first place. Will investigate further.
In sdp.cpp:
583 assert(remoteSession_);
#0 0x00007ffff39fdd22 in raise () at /usr/lib/libc.so.6
#1 0x00007ffff39e7862 in abort () at /usr/lib/libc.so.6
#2 0x00007ffff39e7747 in _nl_load_domain.cold () at /usr/lib/libc.so.6
#3 0x00007ffff39f6616 in () at /usr/lib/libc.so.6
#4 0x000055555a84fa0e in jami::Sdp::processIncomingOffer(std::vector<jami::MediaAttribute, std::allocator<jami::MediaAttribute> > const&) (this=0x6110015f0080, mediaList=std::vector of length 1, capacity 1 = {...}) at sdp.cpp:583
#5 0x0000555559bc894e in jami::transaction_request_cb(pjsip_rx_data*) (rdata=0x625007721b08) at sipvoiplink.cpp:451
#6 0x000055555aeaf623 in pjsip_endpt_process_rx_data ()
#7 0x000055555aeaf856 in endpt_on_rx_msg ()
#8 0x000055555aeb685e in pjsip_tpmgr_receive_packet ()
#9 0x000055555a079ce0 in jami::tls::ChanneledSIPTransport::handleEvents() (this=0x625007721900) at /usr/include/c++/11.1.0/bits/channeled_transport.cpp:237
#10 0x000055555a070967 in operator()() const (__closure=0x603002aed2b0) at /usr/include/c++/11.1.0/bits/channeled_transport.cpp:150
#11 0x000055555a0809bd in std::__invoke_impl<void, jami::tls::ChanneledSIPTransport::ChanneledSIPTransport(pjsip_endpoint*, int, const std::shared_ptr<jami::ChannelSocket>&, const jami::IpAddr&, const jami::IpAddr&, jami::onShutdownCb&&)::<lambda(const uint8_t*, size_t)>::<lambda()>&>(std::__invoke_other, struct {...} &) (__f=...) at /usr/include/c++/11.1.0/bits/invoke.h:61
#12 0x000055555a07ea22 in std::__invoke_r<void, jami::tls::ChanneledSIPTransport::ChanneledSIPTransport(pjsip_endpoint*, int, const std::shared_ptr<jami::ChannelSocket>&, const jami::IpAddr&, const jami::IpAddr&, jami::onShutdownCb&&)::<lambda(const uint8_t*, size_t)>::<lambda()>&>(struct {...} &) (__fn=...) at /usr/include/c++/11.1.0/bits/invoke.h:111
#13 0x000055555a07d701 in std::_Function_handler<void(), jami::tls::ChanneledSIPTransport::ChanneledSIPTransport(pjsip_endpoint*, int, const std::shared_ptr<jami::ChannelSocket>&, const jami::IpAddr&, const jami::IpAddr&, jami::onShutdownCb&&)::<lambda(const uint8_t*, size_t)>::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...) at /usr/include/c++/11.1.0/bits/std_function.h:291
#14 0x00005555596e546d in std::function<void ()>::operator()() const (this=0x603002aed2b0) at /usr/include/c++/11.1.0/bits/std_function.h:560
#15 0x0000555559a89730 in jami::ScheduledExecutor::loop() (this=0x625007723e10) at scheduled_executor.cpp:137
#16 0x0000555559a85e1e in operator()() const (__closure=0x603000073a88) at scheduled_executor.cpp:32
#17 0x0000555559a8f8be in std::__invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> >(std::__invoke_other, struct {...} &&) (__f=...) at /usr/include/c++/11.1.0/bits/invoke.h:61
#18 0x0000555559a8f779 in std::__invoke<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> >(struct {...} &&) (__fn=...) at /usr/include/c++/11.1.0/bits/invoke.h:96
#19 0x0000555559a8f64e in std::thread::_Invoker<std::tuple<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > >::_M_invoke<0>(std::_Index_tuple<0>) (this=0x603000073a88) at /usr/include/c++/11.1.0/bits/std_thread.h:253
#20 0x0000555559a8f584 in std::thread::_Invoker<std::tuple<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > >::operator()(void) (this=0x603000073a88) at /usr/include/c++/11.1.0/bits/std_thread.h:260
#21 0x0000555559a8f53c in std::thread::_State_impl<std::thread::_Invoker<std::tuple<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > > >::_M_run(void) (this=0x603000073a80) at /usr/include/c++/11.1.0/bits/std_thread.h:211
#22 0x00007ffff47333c4 in std::execute_native_thread_routine(void*) (__p=0x603000073a80) at /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
#23 0x00007ffff667a259 in start_thread () at /usr/lib/libpthread.so.0
#24 0x00007ffff3abf5e3 in clone () at /usr/lib/libc.so.6
Payload attack (SDP Huge value of Content-Length)
Alice duplicates the body of her SDP request N times, with N growing as 2^M.
After some threshold, a connection between the peers can no longer be established if it is initiated by Alice. Bob can still call Alice.
Payload attack (SIP MESSAGE)
Alice spams Bob with a very large message text.
The TLS connection seems to stop working, and Bob receives the message text (short version) over the DHT instead.
Sending an unsupported Content-Type (text/html, text/javascript, etc.)
The Content-Type is simply ignored; the call can still be made.
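As an added example (not the page's lexer and not Jami code), a minimal receiver-side validator in Python covering the scenarios above: it rejects a version other than SIP/2.0, a Content-Length that is huge or does not match the body, an unsupported Content-Type on an INVITE, and an SDP body that fails a basic sanity check before any offer processing would run. The size limit, the accepted-type set and the sample message are constructed assumptions.

```python
import re

MAX_BODY = 64 * 1024                         # constructed limit; the page gives no threshold
ACCEPTED_INVITE_TYPES = {"application/sdp"}  # assumption: INVITE bodies must be SDP

# Constructed sample message, not captured Jami traffic.
GOOD_INVITE = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
               b"Content-Type: application/sdp\r\n"
               b"Content-Length: 5\r\n\r\n"
               b"v=0\r\n")

def parse_sip(raw: bytes):
    """Split a SIP message into (start_line, headers, body); ValueError on malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing header/body separator")
    lines = head.decode("ascii").split("\r\n")   # UnicodeDecodeError is a ValueError
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def validate_request(raw: bytes) -> list:
    """Return the reasons a receiver should reject the request (empty list = accept)."""
    try:
        start, headers, body = parse_sip(raw)
    except ValueError as e:
        return [str(e)]
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/(\d+\.\d+)", start)
    if not m:
        return ["malformed request line"]
    method, _, version = m.groups()
    problems = []
    if version != "2.0":                        # scenario: version flipped to SIP/1.0
        problems.append(f"unsupported SIP version {version}")
    cl = headers.get("content-length")
    if cl is None or not cl.isdigit():
        problems.append("missing or non-numeric Content-Length")
    elif int(cl) > MAX_BODY:                    # scenario: huge Content-Length
        problems.append(f"Content-Length {cl} exceeds limit {MAX_BODY}")
    elif int(cl) != len(body):                  # declared length must match what arrived
        problems.append(f"Content-Length {cl} != body length {len(body)}")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "INVITE" and body:
        if ctype not in ACCEPTED_INVITE_TYPES:  # scenario: text/html, text/javascript, etc.
            problems.append(f"unsupported Content-Type {ctype!r} for INVITE")
        elif not body.startswith(b"v=0"):       # scenario: bad SDP body, checked before offer processing
            problems.append("SDP body does not start with v=0")
    return problems
```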