CAPCOMIN created an issue (kamailio/kamailio#4204)

Description

I am experimenting with fuzzing on Kamailio SIP. The messages in the attached file crash the Kamailio server.

Troubleshooting

Reproduction

You can build the image using this dockerfile.
I am running the server with a basic configuration (attached kamailio-basic.cfg), using the command:

./src/kamailio -f ../kamailio-basic.cfg -L ./src/modules -Y runtime_dir -n 1 -D -E

kamailio-basic.cfg.txt
On the same machine, I am sending the malformed message using aflnet-replay:

aflnet-replay ~/sipcrash.txt SIP 5060

sipcrash.txt

Debugging Data

root@d3fd59910480:/home/ubuntu/experiments/kamailio# ./src/kamailio -f ../kamailio-basic.cfg -L ./src/modules -Y runtime_dir -n 1 -D -E #!!!
 0(139581) INFO: <core> [core/sctp_core.c:75]: sctp_core_check_support(): SCTP API not enabled - if you want to use it, load sctp module
Listening on 
             udp: 127.0.0.1 [127.0.0.1]:5060
Aliases: 

WARNING: no fork mode 
 0(139581) INFO: rr [./../outbound/api.h:52]: ob_load_api(): unable to import bind_ob - maybe module is not loaded
 0(139581) INFO: rr [rr_mod.c:188]: mod_init(): outbound module not available
 0(139581) INFO: <core> [main.c:2841]: main(): processes (at least): 4 - shm size: 67108864 - pkg size: 8388608
 0(139581) INFO: <core> [core/udp_server.c:154]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
 0(139581) INFO: <core> [core/udp_server.c:206]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
 0(139581) WARNING: {1 1 REGISTER 1-670@127.0.0.1} sanity [sanity.c:612]: check_cl(): content length header missing in request
=================================================================
==139581==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001d5e560 at pc 0x000000fcbc2f bp 0x7ffd115433d0 sp 0x7ffd115433c8
READ of size 1 at 0x000001d5e560 thread T0

    #0 0xfcbc2e in skip_uri /home/ubuntu/experiments/kamailio/src/core/parser/contact/contact.c:53:10
    #1 0xfcbc2e in parse_contacts /home/ubuntu/experiments/kamailio/src/core/parser/contact/contact.c:210:7
    #2 0xfcdd18 in contact_parser /home/ubuntu/experiments/kamailio/src/core/parser/contact/parse_contact.c:55:7
    #3 0xfcdd18 in parse_contact /home/ubuntu/experiments/kamailio/src/core/parser/contact/parse_contact.c:84:6
    #4 0x7f0fe32590c4 in parse_message /home/ubuntu/experiments/kamailio/src/modules/registrar/sip_msg.c:125:26
    #5 0x7f0fe3266f2f in save /home/ubuntu/experiments/kamailio/src/modules/registrar/save.c:897:6
    #6 0x695413 in do_action /home/ubuntu/experiments/kamailio/src/core/action.c:1082:4
    #7 0x6ce894 in run_actions /home/ubuntu/experiments/kamailio/src/core/action.c:1581:7
    #8 0x6d161c in run_actions_safe /home/ubuntu/experiments/kamailio/src/core/action.c:1645:8
    #9 0x5f8b1a in rval_get_int /home/ubuntu/experiments/kamailio/src/core/rvalue.c:915:9
    #10 0x603507 in rval_expr_eval_int /home/ubuntu/experiments/kamailio/src/core/rvalue.c:1913:8
    #11 0x60259f in rval_expr_eval_int /home/ubuntu/experiments/kamailio/src/core/rvalue.c:1921:8
    #12 0x691381 in do_action /home/ubuntu/experiments/kamailio/src/core/action.c:1052:10
    #13 0x6ce894 in run_actions /home/ubuntu/experiments/kamailio/src/core/action.c:1581:7
    #14 0x6924cb in do_action /home/ubuntu/experiments/kamailio/src/core/action.c:700:8
    #15 0x6ce894 in run_actions /home/ubuntu/experiments/kamailio/src/core/action.c:1581:7
    #16 0x6d19fd in run_top_route /home/ubuntu/experiments/kamailio/src/core/action.c:1666:8
    #17 0xb16ce6 in receive_msg /home/ubuntu/experiments/kamailio/src/core/receive.c:423:8
    #18 0x7886fb in udp_rcv_loop /home/ubuntu/experiments/kamailio/src/core/udp_server.c:543:4
    #19 0x4f9ab0 in main_loop /home/ubuntu/experiments/kamailio/src/main.c:1480:10
    #20 0x51b219 in main /home/ubuntu/experiments/kamailio/src/main.c:2863:6
    #21 0x7f0fe79b2082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #22 0x43479d in _start (/home/ubuntu/experiments/kamailio/src/kamailio+0x43479d)

0x000001d5e560 is located 0 bytes to the right of global variable 'buf' defined in 'core/udp_server.c:425:14' (0x1d4e560) of size 65536
SUMMARY: AddressSanitizer: global-buffer-overflow /home/ubuntu/experiments/kamailio/src/core/parser/contact/contact.c:53:10 in skip_uri
Shadow bytes around the buggy address:
  0x0000803a3c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a3c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a3c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a3c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a3c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000803a3ca0: 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9
  0x0000803a3cb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000803a3cc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000803a3cd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000803a3ce0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000803a3cf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==139581==ABORTING

Log Messages

In the Debugging Data

SIP Traffic

traffic.txt

Possible Solutions

Additional Information

version: kamailio 5.5.0-dev2 (x86_64/linux) 2648eb-dirty
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 2648eb -dirty
compiled on 11:51:00 May  5 2024 with afl-clang-fast clang version 10.0.0-4ubuntu1 
Linux d3fd59910480 5.15.0-125-generic #135~20.04.1-Ubuntu SMP Mon Oct 7 13:56:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
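For triage it helps to replay the attached input without the AFLNet toolchain. The following is an added example, not code from the issue or from Kamailio: a minimal stand-in for aflnet-replay that splits a file in the length-prefixed layout aflnet-replay reads (assumption: a 4-byte native-endian unsigned length before each message; check against your copy of aflnet-replay.c) and sends each message as one UDP datagram. The 127.0.0.1:5060 target and the single worker process are taken from the reproduction above; aflnet_pack is there so you can also build a minimized input of your own.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

typedef struct {
    const unsigned char *data;
    size_t len;
} aflnet_msg_t;

/* Append one message in the length-prefixed layout (assumed: 4-byte native-endian
 * length, then the bytes). Returns the number of bytes written, 0 if it does not fit. */
size_t aflnet_pack(unsigned char *out, size_t cap, const unsigned char *msg, unsigned int len)
{
    if (cap < 4 || cap - 4 < len) return 0;
    memcpy(out, &len, 4);
    memcpy(out + 4, msg, len);
    return 4 + (size_t)len;
}

/* Split a buffer in that layout into messages. Returns the count, or -1 when a
 * prefix claims more bytes than remain (truncated or corrupt file) or out is full.
 * A trailing fragment shorter than a prefix is ignored, as a fread of 4 would fail. */
int aflnet_split(const unsigned char *buf, size_t buflen, aflnet_msg_t *out, size_t max_msgs)
{
    size_t off = 0, n = 0;
    while (off + 4 <= buflen) {
        unsigned int size;
        memcpy(&size, buf + off, 4);
        off += 4;
        if (size > buflen - off) return -1;   /* would read past the file */
        if (n == max_msgs) return -1;
        out[n].data = buf + off;
        out[n].len = size;
        n++;
        off += size;
    }
    return (int)n;
}

/* Read a whole file into memory; NULL on failure. */
static unsigned char *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    unsigned char *b = malloc(sz > 0 ? (size_t)sz : 1);
    if (!b || fread(b, 1, (size_t)sz, f) != (size_t)sz) { free(b); fclose(f); return NULL; }
    fclose(f);
    *len = (size_t)sz;
    return b;
}

/* usage: ./replay sipcrash.txt 127.0.0.1 5060 */
int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s <file> <host> <port>\n", argv[0]); return 2; }
    size_t len;
    unsigned char *file = read_file(argv[1], &len);
    if (!file) { perror(argv[1]); return 1; }
    aflnet_msg_t msgs[256];
    int n = aflnet_split(file, len, msgs, 256);
    if (n < 0) { fprintf(stderr, "%s: malformed length prefix\n", argv[1]); return 1; }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons((unsigned short)atoi(argv[3]));
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || inet_pton(AF_INET, argv[2], &dst.sin_addr) != 1) { perror("socket/address"); return 1; }

    for (int i = 0; i < n; i++) {
        if (sendto(fd, msgs[i].data, msgs[i].len, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
            perror("sendto");
        usleep(10000);   /* small gap so the single worker (-n 1) sees the datagrams in order */
    }
    free(file);
    close(fd);
    return 0;
}
```

Run the Kamailio command from the reproduction in one terminal (with ASan active it aborts on the first bad datagram, so the crash is attributable to whichever message was sent last) and `./replay sipcrash.txt 127.0.0.1 5060` in another.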


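The report locates the 1-byte read in skip_uri exactly 0 bytes past the end of the 65536-byte global buf from udp_server.c, so the Contact scanner walked to the end of the receive buffer rather than stopping at the end of the datagram. Whether the cause is a missing end check or an off-by-one in a length check is not visible on this page; the example below is mine, not the Kamailio code, and illustrates the general pattern: a scanner that only has a start pointer versus one that carries the remaining length. The REGISTER messages are constructed for the demo and are not the attached sipcrash.txt. Without ASan an over-read like this usually does not crash (the bytes after a static buffer are other globals, and a static buffer also keeps whatever earlier datagrams left in it), which is why the afl-clang-fast build catches it and a plain build may just misparse.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RX_SIZE 512   /* stand-in for the 65536-byte static receive buffer named in the report */

typedef struct {
    size_t msg_len;      /* datagram length */
    long uri_off;        /* offset just past the '<' of the Contact URI, -1 if none */
    long unbounded_off;  /* where the unbounded scanner found '>', relative to the message start */
    long bounded_off;    /* same for the bounded scanner, -1 if it reached the end of the datagram */
} scan_result_t;

/* Offset just past the first '<' after "Contact:" within [p, p+len), or -1. */
long find_contact_uri(const char *p, size_t len)
{
    static const char key[] = "Contact:";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(p + i, key, klen) != 0) continue;
        for (size_t j = i + klen; j < len; j++)
            if (p[j] == '<') return (long)(j + 1);
        return -1;
    }
    return -1;
}

/* The unsafe shape: no length, so a datagram that ends inside <...> makes the scan
 * continue into whatever follows the message, which is the access ASan reported. */
long skip_uri_unbounded(const char *p)
{
    const char *s = p;
    while (*s != '>')
        s++;
    return (long)(s - p);
}

/* The bounded shape: the remaining length travels with the pointer and the scan
 * reports failure instead of stepping past the datagram. */
long skip_uri_bounded(const char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == '>') return (long)i;
    return -1;
}

/* Copies msg into a receive buffer that still holds stale bytes, then runs both scanners. */
scan_result_t scan_datagram(const char *msg, size_t msg_len)
{
    scan_result_t r = { msg_len, -1, -1, -1 };
    char rx[RX_SIZE];
    if (msg_len > RX_SIZE - 2) return r;
    memset(rx, 'X', RX_SIZE);   /* leftover data from earlier datagrams */
    rx[RX_SIZE - 1] = '>';      /* guarantees the unbounded scan stops inside rx in this demo */
    memcpy(rx, msg, msg_len);
    r.uri_off = find_contact_uri(rx, msg_len);
    if (r.uri_off < 0) return r;
    r.unbounded_off = r.uri_off + skip_uri_unbounded(rx + r.uri_off);
    long b = skip_uri_bounded(rx + r.uri_off, msg_len - (size_t)r.uri_off);
    r.bounded_off = b < 0 ? -1 : r.uri_off + b;
    return r;
}

/* Constructed inputs: the same REGISTER with the Contact URI cut off before '>' and closed. */
static const char truncated_register[] =
    "REGISTER sip:127.0.0.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:5062;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@127.0.0.1>;tag=1\r\n"
    "To: <sip:alice@127.0.0.1>\r\n"
    "Call-ID: 1-670@127.0.0.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@127.0.0.1";
static const char closed_register[] =
    "REGISTER sip:127.0.0.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:5062;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@127.0.0.1>;tag=1\r\n"
    "To: <sip:alice@127.0.0.1>\r\n"
    "Call-ID: 1-670@127.0.0.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@127.0.0.1>\r\n\r\n";

int main(void)
{
    scan_result_t t = scan_datagram(truncated_register, sizeof truncated_register - 1);
    scan_result_t c = scan_datagram(closed_register, sizeof closed_register - 1);
    printf("truncated: len=%zu unbounded stops at %ld (past end), bounded returns %ld\n",
           t.msg_len, t.unbounded_off, t.bounded_off);
    printf("closed:    len=%zu unbounded stops at %ld, bounded returns %ld\n",
           c.msg_len, c.unbounded_off, c.bounded_off);
    return 0;
}
```

A quick check on the real input is to see whether the last message in sipcrash.txt ends inside a Contact header (for example with `xxd` on the file's tail); if it does, a datagram of exactly BUF_SIZE bytes truncated mid-URI would put the scanner's next read at buf[65536], matching the report's address.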