The following issue has been RESOLVED.
======================================================================
https://bugtracker.iptel.org/view.php?id=62
======================================================================
Reported By:                tsearle
Assigned To:                stefan
======================================================================
Project:                    SEMS
Issue ID:                   62
Category:                   DSM
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     resolved
Resolution:                 fixed
Fixed in Version:           master
======================================================================
Date Submitted:             2011-09-20 16:59 CEST
Last Modified:              2011-10-17 15:51 CEST
======================================================================
Summary:                    Port Depletion Exploit when using DSM without audio
Description:
When using the DSM script that is posted here:
http://www.mail-archive.com/[email protected]/msg00470.html
I have found by accident that if you send a 200 OK to the INVITE w/o SDP, SEMS will create an RTP port and will not free it at the end of the call. Even though this scenario shouldn't happen in the real world, it does make it possible to easily attack SEMS.
======================================================================

----------------------------------------------------------------------
(0000102) stefan (manager) - 2011-10-17 15:51
https://bugtracker.iptel.org/view.php?id=62#c102
----------------------------------------------------------------------
DSM calls stayed in Disconnecting state, as there was no 200 replied to BYE.

[master 4551a82] b/f: reply 200 to BYE in DSM call

Also, the referenced script had some issues, corrected below:
------------------------------------------------
import(mod_dlg);

initial state START
enter {
  set(reply_request="0");
  set(connect_session="0");
  logVars(1);
};
transition "on INVITE" START - invite / log(1, "to runinvite") -> runinvite;
transition "on Session Start" START - sessionStart / log(1, "to runsession") -> runsession;

state runinvite
enter {
  dlg.reply(100, "Trying");
  dlg.connectCalleeRelayed("sip:[email protected]:5090", "sip:[email protected]:5090");
  -- go directly to runsession state
  repost();
};
transition "Let's wait" runinvite - -> runsession;

state runsession;
transition "BYE while waiting" runsession - hangup / {
  log(1, "bye while connecting");
  B2B.terminateOtherLeg();
  stop(false);
} -> END;

transition "Provisional reply" runsession - B2B.otherReply(#code < 200) / {
  log(1, "received provisional reply");
  log(1, #code);
  log(1, #reason);
} -> runsession;

transition "Positive reply" runsession - B2B.otherReply(#code < 300) / {
  log(1, "received positive reply");
  log(1, #code);
  log(1, #reason);
} -> conn;

transition "Negative reply" runsession - B2B.otherReply() / {
  log(1, "received negative reply");
  log(1, #code);
  log(1, #reason);
  stop(true);
} -> END;

state conn
enter {
  log(1, "in connected state");
};
transition "BYE on leg A" conn - hangup / {
  B2B.terminateOtherLeg();
  stop(false);
} -> END;
transition "BYE on leg B" conn - B2B.otherBye() / stop(true) -> END;

state END;
------------------------------------------------

Issue History
Date Modified    Username       Field                    Change
======================================================================
2011-09-20 16:59 tsearle        New Issue
2011-09-20 17:04 tsearle        Issue Monitored: tsearle
2011-10-17 15:51 stefan         Note Added: 0000102
2011-10-17 15:51 stefan         Status                   new => resolved
2011-10-17 15:51 stefan         Fixed in Version          => master
2011-10-17 15:51 stefan         Resolution               open => fixed
2011-10-17 15:51 stefan         Assigned To               => stefan
======================================================================

_______________________________________________
Semsdev mailing list
[email protected]
http://lists.iptel.org/mailman/listinfo/semsdev
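As an added illustration (Python written for this page, not SEMS or DSM code), the following toy model shows the leak from the report and the effect of the fix named in the note: a call leg takes an RTP port when the INVITE is answered, and only a BYE that is answered with 200 lets the leg leave Disconnecting and return the port. The port range, the state names and the `reply_200_to_bye` switch are constructed for the example and do not reflect SEMS internals.

```python
"""Toy model of SEMS issue #62 (constructed for this page, not SEMS code).

Without a 200 reply to BYE the call leg stays in "Disconnecting" and its
RTP port is never returned, so repeated short calls drain the pool.
"""
from typing import Optional


class RtpPortPool:
    """Even RTP ports between low and high (constructed range, not a SEMS config)."""

    def __init__(self, low: int, high: int) -> None:
        self.free = list(range(low, high + 1, 2))
        self.in_use: set[int] = set()

    def acquire(self) -> Optional[int]:
        if not self.free:
            return None  # depleted: no new call can get media
        port = self.free.pop(0)
        self.in_use.add(port)
        return port

    def release(self, port: int) -> None:
        self.in_use.discard(port)
        self.free.append(port)


class DsmCall:
    """One call leg; reply_200_to_bye=True stands for the b/f in master 4551a82."""

    def __init__(self, pool: RtpPortPool, reply_200_to_bye: bool) -> None:
        self.pool, self.fix = pool, reply_200_to_bye
        self.state, self.port = "Trying", None

    def on_200_ok(self) -> None:
        # The port is taken on the 200 OK even when it carries no SDP.
        self.port = self.pool.acquire()
        self.state = "Connected"

    def on_bye(self) -> list:
        sent = []
        self.state = "Disconnecting"
        if self.fix:
            sent.append("SIP/2.0 200 OK")  # the reply the buggy DSM call never sent
            self.state = "Disconnected"
            if self.port is not None:
                self.pool.release(self.port)
                self.port = None
        return sent  # without the fix nothing is sent and the port stays in use


def run_calls(n: int, fix: bool, ports: int = 10) -> dict:
    """Run n answer-then-BYE calls; report free ports and legs stuck in Disconnecting."""
    pool = RtpPortPool(10000, 10000 + 2 * ports - 1)
    calls = [DsmCall(pool, fix) for _ in range(n)]
    for c in calls:
        c.on_200_ok()
        c.on_bye()
    stuck = sum(c.state == "Disconnecting" for c in calls)
    return {"free_ports": len(pool.free), "stuck_calls": stuck}
```

The `stuck_calls` count is the quantity a monitor would alert on: legs that received a BYE but never left Disconnecting are the ones holding ports.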
