[VOIPSEC] Actual Attacks - UA handling
Mark Teicher
mht3 at earthlink.net
Fri Mar 4 20:51:49 CST 2005
Ari,
Some of the leading VOIP vendors allow for lots of characters in the URI;
sending embedded commands within the URI can also crash some VOIP phones.
/mark
At 02:33 AM 3/3/2005, Ari Takanen wrote:
>Hello Mark,
>
>In the specification, there should be no restriction of having longer
>than 255 character user name. Having over 255 characters in the user
>name is not an overflow in itself, and can be valid in some
>scenarios. An implementation that just cuts user names to 255
>characters is just broken from SIP perspective. If the VoIP
>implementation happens to have an overflow in the parsing of the URI,
>you cannot protect from this by setting any hard limits in the
>implementation. We extensively test for problems like this in REGISTER
>also in our test tools, and I agree that behavior is different across
>implementations. Some crash and some don't :)
>
>Best regards,
>
>/Ari
>
>--
>-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>Ari Takanen Codenomicon Ltd.
>ari.takanen at codenomicon.com Kaitovayla 1
>tel: +358-40 50 67678 FIN-90570 Oulu
>http://www.codenomicon.com Finland
>PGP: http://www.codenomicon.com/codenomicon-key.asc
>-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>
>On Tue, Mar 01, 2005 at 08:20:59AM -0500, Mark Teicher wrote:
> > Just validating whether a VOIP's implementation allows for buffer
> > overflow in a URI over a REGISTER request over UDP is possible.
> > Most UA should not accept a malicious request over 255 characters as
> > the username, but some of the major player implementations do, and no
> > configuration option to restrict how many characters a UA should accept.
> >
> > /cheers
> > /
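
Added example, not part of the original thread or of any vendor's code: a length-driven way to pull the user part out of a SIP URI, so a user name longer than 255 characters is handled rather than truncated or overflowed. The names `span`, `sip_uri_user`, `span_dup` and `demo_user_len` are hypothetical, the input is constructed, and the parser assumes a bare `sip:user[:password]@host` URI with no escaping or parameters.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A view into the received buffer: no fixed-size destination to overflow. */
struct span { const char *p; size_t len; };

/* Find the user part of "sip:user[:password]@host" in buf[0..n).
 * buf need not be NUL-terminated. Returns 0 on success, -1 if malformed. */
int sip_uri_user(const char *buf, size_t n, struct span *user)
{
    if (n < 4 || memcmp(buf, "sip:", 4) != 0) return -1;
    const char *start = buf + 4;
    const char *at = memchr(start, '@', n - 4);          /* bounded search */
    if (!at) return -1;
    const char *colon = memchr(start, ':', (size_t)(at - start));
    const char *end = colon ? colon : at;                /* stop at password */
    if (end == start) return -1;                         /* empty user name */
    user->p = start;
    user->len = (size_t)(end - start);
    return 0;
}

/* Copy a span into a heap string sized from the measured length. */
char *span_dup(struct span s)
{
    if (s.len == SIZE_MAX) return NULL;                  /* len + 1 would wrap */
    char *out = malloc(s.len + 1);
    if (!out) return NULL;
    memcpy(out, s.p, s.len);
    out[s.len] = '\0';
    return out;
}

/* Constructed input: "sip:" + n x 'A' + "@example.com"; returns parsed length. */
size_t demo_user_len(size_t n)
{
    static const char tail[] = "@example.com";
    size_t total = 4 + n + sizeof tail - 1, got = (size_t)-1;
    char *uri = malloc(total);
    if (!uri) return got;
    memcpy(uri, "sip:", 4);
    memset(uri + 4, 'A', n);
    memcpy(uri + 4 + n, tail, sizeof tail - 1);
    struct span u;
    char *copy = sip_uri_user(uri, total, &u) == 0 ? span_dup(u) : NULL;
    if (copy) { got = strlen(copy); free(copy); }
    free(uri);
    return got;
}
```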