[VOIPSEC] Actual Attacks - UA handling
Ari Takanen
art at codenomicon.com
Thu Mar 3 01:33:08 CST 2005
Hello Mark,
In the specification, there should be no restriction on having a user
name longer than 255 characters. Having over 255 characters in the user
name is not an overflow in itself, and can be valid in some
scenarios. An implementation that just cuts user names to 255
characters is just broken from a SIP perspective. If the VoIP
implementation happens to have an overflow in the parsing of the URI,
you cannot protect against this by setting any hard limits in the
implementation. We extensively test for problems like this in REGISTER
also in our test tools, and I agree that behavior is different across
implementations. Some crash and some don't :)
Best regards,
/Ari
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
On Tue, Mar 01, 2005 at 08:20:59AM -0500, Mark Teicher wrote:
> Just validating whether a VOIP's implementation allows for buffer overflow in a URI over a REGISTER request over UDP is possible.
> Most UAs should not accept a malicious request over 255 characters as the username, but some of the major player implementations do, and there is no configuration option to restrict how many characters a UA should accept.
>
> /cheers
> /
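An added example, not code from this thread or from any product it mentions: a C sketch of extracting the user part of a SIP URI so that the copy is sized from the parsed length, which means a user name longer than 255 characters is neither truncated nor able to overrun a fixed buffer. The names `sip_uri_user` and `demo_user_len`, the return codes and the `example.com` host are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SIP_OK = 0, SIP_BAD_URI = -1, SIP_NOMEM = -2 };

/* Hypothetical helper: copy the user part of "sip:user@host" out of a
 * length-delimited buffer (a UDP payload is not NUL-terminated). The
 * destination is sized from the parsed length, so nothing is truncated.
 * Simplified: lower-case "sip:" only; ":password" stays in the user part. */
static int sip_uri_user(const char *uri, size_t len, char **user, size_t *ulen)
{
    const char *start, *at;
    size_t n;

    *user = NULL; *ulen = 0;
    if (len <= 4 || memcmp(uri, "sip:", 4) != 0) return SIP_BAD_URI;
    start = uri + 4;
    at = memchr(start, '@', len - 4);          /* search stays inside len */
    if (at == NULL || at == start) return SIP_BAD_URI;   /* no user part */
    n = (size_t)(at - start);
    if (memchr(start, '\0', n) != NULL) return SIP_BAD_URI; /* embedded NUL */
    if ((*user = malloc(n + 1)) == NULL) return SIP_NOMEM;
    memcpy(*user, start, n);
    (*user)[n] = '\0';
    *ulen = n;
    return SIP_OK;
}

/* Constructed input: a URI whose user name is `chars` letters long.
 * Returns the parsed user length, or -1 if the URI was rejected. */
static long demo_user_len(size_t chars)
{
    size_t len = 4 + chars + 12, ulen = 0;  /* "sip:" + user + "@example.com" */
    char *uri = malloc(len), *user = NULL;
    int rc;

    if (uri == NULL) return -1;
    memcpy(uri, "sip:", 4);
    memset(uri + 4, 'A', chars);
    memcpy(uri + 4 + chars, "@example.com", 12);
    rc = sip_uri_user(uri, len, &user, &ulen);
    free(user); free(uri);
    return rc == SIP_OK ? (long)ulen : -1;
}

int main(void)
{
    printf("%ld %ld %ld\n", demo_user_len(8), demo_user_len(255), demo_user_len(4096));
    return 0;
}
```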