Monday, June 1, 2009

SIP Protocol Fuzz Testing

Fuzzing is a black-box testing technique widely used to discover flaws in software and protocol implementations. Several tools exist today that help a security tester automate fuzzing or craft fuzz test cases by hand.

I have used open-source tools like WebScarab, some commercial ones and some proprietary ones for several years for testing web applications. In between I also had the chance to fuzz test standalone applications and Internet browser clients.

Recently I had an opportunity to fuzz test VoIP applications and servers. This is when I came across an interesting project called PROTOS. It provides test suites for testing several protocol implementations. The ones I found interesting, given my subject knowledge, were SIP, HTTP-REPLY and LDAP; it also provides test suites for DNS and several other protocols.

The PROTOS Test-Suite c07-sip is credited with discovering flaws in several open-source and commercial SIP implementations, from Cisco, Alcatel and Nortel to IPTel. It contains 4527 test cases. I used this test suite to test SIP Express Router (SER) and Asterisk, both open source (SER is a SIP proxy, Asterisk a PBX). I could successfully reproduce CERT advisory CA-2003-06 against the vulnerable SER version: the c07-sip suite crashed SER within the first 10 tests with a format string attack. The screenshots below show the status of SER before and after the attack.


Tests against the latest versions of SER and Asterisk did not turn up any security issues. That is good news, but the suite should not be considered comprehensive in itself: it exercises only one SIP method, INVITE, so the parsing of REGISTER, OPTIONS, SUBSCRIBE/NOTIFY and of responses goes untested. For comprehensive coverage a commercial fuzzer such as Codenomicon Defensics or Mu Dynamics would probably be a better bet. I haven't used either, so I can't really vouch for them, but Codenomicon is a commercial spin-off of the PROTOS research group at the University of Oulu, so it is likely to be good as well.
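The kind of test c07-sip automates, as an added example in Python that is not part of the original post or of the PROTOS suite: it builds a valid INVITE, substitutes one anomaly at a time (format strings, overlong fields, integer edge values, odd bytes, empty values) into each header and into the Request-URI, sends each case over UDP, and follows it with a well-formed OPTIONS to detect a target that has stopped answering, similar to the valid-case instrumentation PROTOS offers for attributing a crash to a specific test. The target address, local port and payload lists are assumptions for a lab setup; the case list is far smaller than c07-sip's 4527, and, unlike c07-sip, the generator can apply the same anomalies to methods other than INVITE.

```python
"""Constructed SIP INVITE fuzzer with PROTOS-style valid-case instrumentation.

Added example, not PROTOS code: one anomaly per header per test case, and a
well-formed OPTIONS after every case to detect whether the target still answers.
"""
import socket

# Assumed lab target and local address; never point this at production VoIP.
TARGET = ("127.0.0.1", 5060)
LOCAL_IP, LOCAL_PORT = "127.0.0.1", 5062

# Anomaly payloads grouped the way PROTOS-style suites group them (constructed).
PAYLOADS = {
    "fmt": ["%s%s%s%s%s%s%s%s", "%n%n%n%n", "%x" * 32, "%.4096d", "%99999s"],
    "overflow": ["A" * 256, "A" * 4096, "A" * 32000],
    "int": ["0", "-1", "4294967296", "2147483648", "18446744073709551616"],
    "bytes": ["\x00", "\xff" * 64, "\r\n", ";" * 512],
    "empty": [""],
}
HEADERS = ["Via", "From", "To", "Call-ID", "CSeq", "Contact",
           "Max-Forwards", "Content-Length"]


def build_request(method="INVITE", to_user="bob", host="lab.example",
                  cseq=1, overrides=None):
    """Return a well-formed SIP request (the 'valid case'); `overrides` maps a
    header name to a replacement value so one field can carry an anomaly."""
    headers = {
        "Via": f"SIP/2.0/UDP {LOCAL_IP}:{LOCAL_PORT};branch=z9hG4bK-{cseq}",
        "From": f"<sip:fuzzer@{host}>;tag=fz{cseq}",
        "To": f"<sip:{to_user}@{host}>",
        "Call-ID": f"fz-{cseq}@{LOCAL_IP}",
        "CSeq": f"{cseq} {method}",
        "Contact": f"<sip:fuzzer@{LOCAL_IP}:{LOCAL_PORT}>",
        "Max-Forwards": "70",
        "Content-Length": "0",
    }
    headers.update(overrides or {})
    lines = [f"{method} sip:{to_user}@{host} SIP/2.0"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def generate_cases(methods=("INVITE",)):
    """Return (name, datagram) pairs: every payload in every header, plus the
    Request-URI user part, for each method. c07-sip covers INVITE only; pass
    more methods to extend the same anomalies to REGISTER, OPTIONS, etc."""
    cases = []
    for method in methods:
        for group, payloads in PAYLOADS.items():
            for i, payload in enumerate(payloads):
                for header in HEADERS:
                    cases.append((f"{method}/{header}/{group}-{i}",
                                  build_request(method, overrides={header: payload})))
                cases.append((f"{method}/Request-URI/{group}-{i}",
                              build_request(method, to_user=payload)))
    return cases


def status_code(reply):
    """Status code of a SIP response, or None if `reply` is not a response."""
    parts = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0] == b"SIP/2.0" and parts[1].isdigit():
        return int(parts[1])
    return None


def exchange(sock, datagram, timeout=1.0):
    """Send one datagram to TARGET and return the first reply (b"" on timeout)."""
    sock.settimeout(timeout)
    sock.sendto(datagram, TARGET)
    try:
        return sock.recvfrom(65535)[0]
    except socket.timeout:
        return b""


def run(cases):
    """Send each case, then a valid OPTIONS. A case after which the valid
    request gets no SIP response is reported as a suspected crash or hang."""
    suspects = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((LOCAL_IP, LOCAL_PORT))
        for n, (name, datagram) in enumerate(cases, 1):
            reply = exchange(sock, datagram)
            probe = exchange(sock, build_request("OPTIONS", cseq=100000 + n))
            alive = status_code(probe) is not None
            print(f"{n:4d} {name:36s} reply={status_code(reply)} alive={alive}")
            if not alive:
                suspects.append(name)
                break  # target stopped answering: collect the core dump first
    return suspects


if __name__ == "__main__":
    print("suspect cases:", run(generate_cases()) or "none")
```

Run it only against an isolated lab instance, with core dumps enabled or the server under a debugger; the suspect list names the first case after which the server stopped replying, which is where to start reproducing. A "reply" of None for a case is expected (many anomalies simply get dropped); what matters is whether the valid OPTIONS that follows still gets an answer.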

At the end of the day, the limited coverage does not undermine the value of the PROTOS suite in any way. It is the bare minimum that any SIP implementation must pass!

2 comments:

  1. Thanks for using the PROTOS, and for a nice review! PROTOS SIP was released publicly in February 2003, and was provided free-of-charge to help SIP developers gain at least some level of confidence in their code. 99% of SIP developers use it as a baseline test. If you look at any commercial tool for fuzzing, you can see that both SIP as a protocol and the tools themselves have progressed significantly since then. Check out for example the Defensics product line from Codenomicon (originally released in 2002): http://www.codenomicon.com/products/d3-sip-uas.shtml
