Indigo CERT Vulnerability Assessment Report
Test results of CERT / OUSPG PROTOS test-suite following the release of CERT Advisory CA-2003-06
Introduction
In [1], the CERT Coordination Center (CERT/CC), a major reporting center for Internet security problems, issued an advisory stating that numerous vulnerabilities had been reported in multiple vendors' implementations of the Session Initiation Protocol [4]. In connection with this advisory, the CERT/CC also issued Vulnerability Note VU#528719 [2].
This CERT Vulnerability Note is based on the investigation work conducted by the Finnish Oulu University Secure Programming Group using the PROTOS Test-Suite c07-sip [3], which was developed for that purpose.
In the interest of its customers and of the whole Internet community in general represented by the CERT/CC, Indigo Software has taken this Vulnerability Note very seriously and has decided to run a test campaign using the PROTOS Test-Suite on its SIP-based product lines in order to assess a possible vulnerability.
The Indigo SIP-based product portfolio consists of the following products:
The PROTOS Test-Suite [3] applies to User Agent and Proxy Server roles. As Indigo does not include a User Agent offering in its product portfolio, the PROTOS Test-Suite applies to the Proxy role implemented in the Indigo SIP Server & SDK and Indigo Communications Server & SDK product packages.
It is worth noting that all Indigo SIP servers (Proxy/Redirect/Registrar/Presence/3PCC) in the Indigo product portfolio are developed on top of the Indigo SIP Foundation Class (Indigo's own SIP stack foundation), so possible vulnerabilities in the Indigo SIP Foundation Class are implicitly tested and assessed by the PROTOS Test-Suite during those tests.
Criteria to pass a PROTOS test-case
In [1], section Results, OUSPG describes the criteria to be considered to pass or fail a PROTOS test-case. They are copied below:
In this test-suite, the failed status is granted if any of the following criteria are met and a single test-case or linear sequence of cases can be identified to be responsible for it:
If no single test-case can be identified but similar effects are observed, the status is inconclusive.
Sometimes, a subject gets corrupted so badly or is fundamentally so unstable that there is no way to collect accurate test-results for the whole test-run. Untested regions are marked as unknown.
Otherwise, the status is passed.
Detailed results of the vulnerability assessment tests
Test configuration
A User Agent (Microsoft MSN Messenger) is registered with the Indigo Proxy Server (IP 192.168.254.23) and is used as destination endpoint for PROTOS. The PROTOS test tool runs on a separate machine.
The System Under Test (SUT) is:
Test-Group by Test-Group Test Run - Results table
PROTOS command used (i.e. Test-cases range: 573-629):
D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri ndramais@192.168.254.23 -fromuri cert@ganymede.indigosw.net -teardown -start 573 -stop 629 -validcase -lport 5002
| Name | Exceptional Elements | First Index # | Test Cases | Indigo Proxy Test Result |
|---|---|---|---|---|
| valid | n/a | 0 | 1 | PASSED |
| SIP-Method | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1 | 193 | PASSED |
| SIP-Request-URI | sip-URI | 194 | 61 | PASSED |
| SIP-Version | sip-version | 255 | 75 | PASSED |
| SIP-Via-Host | ipv4-ascii | 330 | 106 | PASSED |
| SIP-Via-Hostcolon | overflow-colon | 436 | 16 | PASSED |
| SIP-Via-Hostport | integer-ascii | 452 | 46 | PASSED |
| SIP-Via-Version | sip-version | 498 | 75 | PASSED |
| SIP-Via-Tag | sip-tag | 573 | 57 | PASSED |
| SIP-From-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 630 | 193 | PASSED |
| SIP-From-Tag | sip-tag | 823 | 57 | PASSED |
| SIP-From-Colon | overflow-colon | 880 | 16 | PASSED |
| SIP-From-URI | sip-URI | 896 | 61 | PASSED |
| SIP-Contact-Displayname | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 957 | 193 | PASSED |
| SIP-Contact-URI | sip-URI | 1150 | 61 | PASSED |
| SIP-Contact-Left-Paranthesis | overflow-leftbracket | 1211 | 16 | PASSED |
| SIP-Contact-Right-Paranthesis | overflow-rightbracket | 1227 | 16 | PASSED |
| SIP-To | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1243 | 193 | PASSED |
| SIP-To-Left-Paranthesis | overflow-leftbracket | 1436 | 16 | PASSED |
| SIP-To-Right-Paranthesis | overflow-rightbracket | 1452 | 16 | PASSED |
| SIP-Call-Id-Value | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1468 | 193 | PASSED |
| SIP-Call-Id-At | overflow-at | 1661 | 16 | PASSED |
| SIP-Call-Id-Ip | ipv4-ascii | 1677 | 106 | PASSED |
| SIP-Expires | integer-ascii | 1783 | 46 | PASSED |
| SIP-Max-Forwards | integer-ascii | 1829 | 46 | PASSED |
| SIP-Cseq-Integer | integer-ascii | 1875 | 46 | PASSED |
| SIP-Cseq-String | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 1921 | 193 | PASSED |
| SIP-Content-Type | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape, content-type | 2114 | 247 | PASSED |
| SIP-Content-Length | integer-ascii | 2361 | 46 | PASSED |
| SIP-Request-CRLF | crlf | 2407 | 10 | PASSED |
| CRLF-Request | crlf | 2417 | 10 | PASSED |
| SDP-Attribute-CRLF | crlf | 2427 | 10 | PASSED |
| SDP-Proto-v-Identifier | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2437 | 193 | PASSED |
| SDP-Proto-v-Equal | overflow-equal | 2630 | 16 | PASSED |
| SDP-Proto-v-Integer | integer-ascii | 2646 | 46 | PASSED |
| SDP-Origin-Username | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2692 | 193 | PASSED |
| SDP-Origin-Sessionid | integer-ascii | 2885 | 46 | PASSED |
| SDP-Origin-Networktype | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 2931 | 193 | PASSED |
| SDP-Origin-Ip | overflow-equal | 3124 | 106 | PASSED |
| SDP-Session | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3230 | 193 | PASSED |
| SDP-Connection-Networktype | overflow-general, overflow-space, overflow-null, utf-8, fmtstring | 3423 | 188 | PASSED |
| SDP-Connection-Ip | ipv4-ascii | 3611 | 106 | PASSED |
| SDP-Time-Start | integer-ascii | 3717 | 46 | PASSED |
| SDP-Time-Stop | empty | 3763 | 1 | PASSED |
| SDP-Media-Media | overflow-general, overflow-space, overflow-null, fmtstring, utf-8, ansi-escape | 3764 | 193 | PASSED |
| SDP-Media-Port | integer-ascii | 3957 | 46 | PASSED |
| SDP-Media-Transport | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4003 | 118 | PASSED |
| SDP-Media-Type | integer-ascii | 4121 | 46 | PASSED |
| SDP-Attribute-Rtpmap | overflow-general, overflow-space, overflow-null, fmtstring, ansi-escape | 4167 | 118 | PASSED |
| SDP-Attribute-Colon | overflow-colon | 4285 | 16 | PASSED |
| SDP-Attribute-Payloadtype | integer-ascii | 4301 | 46 | PASSED |
| SDP-Attribute-Encodingname | integer-ascii | 4347 | 118 | PASSED |
| SDP-Attribute-Slash | overflow-slash | 4465 | 16 | PASSED |
| SDP-Attribute-Clockrate | integer-ascii | 4481 | 46 | PASSED |
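The First Index # and Test Cases columns fix the `-start` / `-stop` range of each test group and let a case index seen in a log be traced back to the field that was being mutated. The following is an added example, not part of the original report or of PROTOS: the rows are copied from the first ten lines of the results table, and the function names are hypothetical.

```python
from bisect import bisect_right

# (name, first index, test cases): the first ten rows of the results table.
# Rows must stay sorted by first index for group_of() to work.
GROUPS = [
    ("valid", 0, 1),
    ("SIP-Method", 1, 193),
    ("SIP-Request-URI", 194, 61),
    ("SIP-Version", 255, 75),
    ("SIP-Via-Host", 330, 106),
    ("SIP-Via-Hostcolon", 436, 16),
    ("SIP-Via-Hostport", 452, 46),
    ("SIP-Via-Version", 498, 75),
    ("SIP-Via-Tag", 573, 57),
    ("SIP-From-Displayname", 630, 193),
]

def check_contiguous(groups):
    """Return names of groups whose first index leaves a gap or an overlap."""
    bad, expected = [], groups[0][1]
    for name, first, count in groups:
        if first != expected:
            bad.append(name)
        expected = first + count
    return bad

def case_range(groups, name):
    """Inclusive (start, stop) pair for one group, as given to -start / -stop."""
    for group, first, count in groups:
        if group == name:
            return first, first + count - 1
    raise KeyError(name)

def group_of(groups, index):
    """Map a test-case index (e.g. the last case sent before a fault) to its group."""
    firsts = [first for _, first, _ in groups]
    pos = bisect_right(firsts, index) - 1
    if pos >= 0:
        name, first, count = groups[pos]
        if index < first + count:
            return name
    raise ValueError(f"test case {index} is outside the listed groups")

if __name__ == "__main__":
    assert check_contiguous(GROUPS) == []
    for name, _, _ in GROUPS:
        start, stop = case_range(GROUPS, name)
        print(f"{name:22} -start {start} -stop {stop}")
```

For SIP-Via-Tag this yields the 573-629 range used in the command shown earlier.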
All test-cases in one go
A. Validcase option not activated
PROTOS command used:
D:\CERT_warning_protos_c07_test>java -jar c07-sip-r1.jar -touri ndramais@192.168.254.23 -fromuri cert@ganymede.indigosw.net -teardown -lport 5002
| Name | Exceptional Elements | First Index # | Test Cases | Indigo Proxy Test Result |
|---|---|---|---|---|
| All test-cases in one go | -validcase option deactivated | 1 | 4527 | PASSED |
B. Validcase | |