rtp bleed
Note
This documentation applies to SIPVicious version v6.0.0-experimental.6. Please note that only the latest version of SIPVicious PRO is supported.Summary
Detects and exploits the RTP Bleed vulnerability
What it does
The purpose of this tool is to reproduce, detect and exploit the vulnerability described in the RTP Bleed attack details page. The tool goes beyond the very basics of the attack, allowing testers to probe the target concurrently, decode audio into wav files and display RTCP information when RTCP is received.
Tool functionality
The basic functionality of the rtp bleed
bleed command is as follows:
- Probe phase which consists of sending RTP and RTCP packets to the target host on the port ranges; This phase takes the following steps:
- Starting the specified number of socket pairs, each pair consisting of an RTP even port and an RTCP odd port socket.
- Sending probes for each RTP and RTCP port; each RTP port is, by default, sent 8 packets, while each corresponding RTCP port is sent 1 packet, both with an interval of 1ms.
- Asynchronously, listen for responses on the RTP and RTCP ports.
- If any RTP response is received, the probing phase is paused and the probing socket pair is reused while RTP and RTCP packets are sent to the detected socket pairs only.
- Each received RTP response packet is noted and potentially processed until the RTP stream is stopped.
- The probing phase is then resumed from where it was paused.
The tool displays the following information:
- When RTCP responses are received, the RTCP response is decoded and logged at INFO level
- When the first RTP packet is received from a new source, the new source is logged at INFO level
- When the tool exits, the number of packets and type of packet (RTP or RTCP) received on each response is returned
Note that the probing phase only pauses when RTP packets are received and not for RTCP packets.
Note
The target URI for this tool does not take a port. Therefore the format for the target URI isudp://hostname-or-ip
.Video demonstration
Command format
sipvicious rtp bleed target-uri [flags]
Flags
--bleed-config strings Specify RTP/RTCP probe and attack interval and count. See documentation for specification details e.g. --bleed-config rtp-probe-interval:2ms,rtp-probe-count:16,rtcp-probe-interval:4ms
-c, --conn-count int Number of sockets to use during probing phase (default 10)
-o, --output strings Save received RTP and RTCP packets to pcap or wave file(s)
-p, --port-ranges string Range of ports to probe for RTP/RTCP (default "10000-20000,35000-65000")
-A, --probe-all-ports Probe all ports rather than sticking to the default behavior of only probing even RTP ports and/or odd RTCP ports
-S, --probe-during-attack Do not pause probing phase during attack phase
--proto string Choose which protocol to probe for (either RTP or RTCP; default being both)
--rate string Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
-r, --rounds int Number of times to probe the port ranges on the target(s)
--rtcp-payload string Set the RTCP payload file to be used for the probing and attacking phase
--rtp-payload string Set the RTP payload file to be used for the probing and attacking phase
Flags inherited from parent commands
-C, --config string configuration file to use (may be JSON, TOML or YAML)
--debug set log level to debug
-T, --duration duration Stop the tool after a certain amount of time; e.g. 30s
--logfile string specify a log filename
--results string specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
--srtp string Specify either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
Examples
sipvicious rtp bleed udp://target -p10000-11000
sipvicious rtp bleed udp://target --port-ranges 35000-40000 --proto rtp -T 10s
Advanced examples
# specify range of ports for the rtp attack using 100 sockets and keep probing
sipvicious rtp bleed udp://demo.sipvicious.pro -p 35000-40000 -c 100
# rate limiting the attack, probe all ports and do not to pause probing while attack phase
sipvicious rtp bleed udp://demo.sipvicious.pro --rate 100/1s -S --probe-all-ports
# only probing for rtcp while using null rtcp payload with round count set to 5
sipvicious rtp bleed udp://demo.sipvicious.pro -p 35000-40000 --proto rtcp -r 5 --rtcp-payload ""
# specify an rtp payload, save audio received and save both rtp and rtcp received in a pcap file
sipvicious rtp bleed udp://demo.sipvicious.pro -p 35000-40000 --rtp-payload 2600hz.raw -o out.pcap -w
# rtp probe only with a 100ms attack interval, sending 20 rtp packets on each probe with 10ms interval
sipvicious rtp bleed udp://demo.sipvicious.pro --proto rtp --bleed-config rtp-attack-interval:100ms,rtp-probe-count:20,rtp-probe-interval:10ms -p 35000-40000
# probing all ports with specific rtcp requirements
sipvicious rtp bleed udp://demo.sipvicious.pro --bleed-config rtcp-probe-count:5,rtcp-probe-interval:10ms --bleed-config rtcp-attack-interval:10s --probe-all-ports --probe-during-attack
Exit codes
Code | Description |
---|---|
40 | A security issue is raised when RTP or RTCP packets are received as a result of the attack |
30 | Network connectivity issues cannot be detected with this tool since no network feedback is expected from the target during attack unless the target is vulnerable |
Full flag documentation
Flag: --bleed-config
Specify RTP bleed configuration. This flag accepts the following values:
rtp-probe-count
where the number of packets used for probing is set for RTP during probe modertp-probe-interval
where the duration (e.g.12ms
) is set for the interval between one probe and another for RTP during probe modertp-attack-interval
where the duration (e.g.9ms
) is set for the interval between one attack packet and another for RTP during attack modertcp-probe-count
where the number of packets used for probing is set for RTCP during probe modertcp-probe-interval
where the duration (e.g.12ms
) is set for the interval between one probe and another for RTCP during probe modertcp-attack-interval
where the duration (e.g.9ms
) is set for the interval between one attack packet and another for RTCP during attack mode
Setting the probe count higher may increase the likelihood of winning a race condition, but it may also slow down the attack thus having the opposite effect.
Flag: -C
, --config
Specify a configuration file which may be a JSON, TOML and YAML config
format. To get the default settings and figure out which settings are available, one may
run the sipvicious utils dump config
command. This is typically used to create a template
configuration that can then be edited as need be.
These settings may be overwritten when the corresponding flag is explicitly set, if one is present.
Flag: -c
, --conn-count
The conn-count
allows setting of how many sockets should be used during the probing phase. This may increase the chances of identifying an RTP session especially when the target is only vulnerable during a short period of time. The default value for this is set to 10 connections.
Flag: --debug
Tells the logger to print out debug messages.
Flag: -T
, --duration
Specify the maximum duration of the attack so that it stops after a certain time. Examples include:
30s
10m
24h
Flag: --logfile
When the logfile
flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json
file extension, then the output format is in JSON, otherwise it defaults to text format.
Flag: -o
, --output
Save received RTP and RTCP packets to pcap or wave file(s)
When the file extension is .pcap
, a packet capture file is written to disk showing responses received during the test. This allows testers to make use of tools such as Wireshark to observe the behaviour of the target system.
When the file extension is .wav
, wav files are created in each RTP stream that can be decoded. The file name is formatted as follows: [filename]-[srcIP_srcPort]-[dstIP_dstPort].wav
.
Flag: -p
, --port-ranges
The port-ranges
argument is usually passed a comma delimited and hyphen separated list of ports to be used during the probing phase. The default list of ports is 10000-20000,35000-65000
which is known to cover a number of common media gateway configurations. The following are examples of valid values that can be passed to this argument:
12345
, to target only port 1234512000-13000
, to probe between port 12000 and 1300012345,23456,34567,35000-65000
to probe ports 12345, 23456, 34567, and between 35000 and 65000
Flag: -A
, --probe-all-ports
When the probe-all-ports
flag is set, each target port is probed for all enabled protocols instead of probing even ports with RTP packets and odd ports with RTCP packets. In other words, each port is sent both RTP and RTCP packets when this flag is set, unless the proto
flag specifies which protocol is to be probed, in which case, only that specific protocol is used for all specified ports.
Flag: -S
, --probe-during-attack
The default behaviour is to pause while probing so that only one side of an RTP stream is hijacked at a time. When the probe-during-attack
flag is used, the tool does not pause probing while the attack mode is on. This is useful when demonstrating Denial of Service attacks on a target RTP proxy. When this flag is turned on, RTP streams for both sides might be hijacked thus leaving the caller and callee without any audio.
Flag: --proto
Choose which protocol to use during the probing phase. Valid options are rtp and rtcp. By default, both protocols are used.
Flag: --rate
Rate allows one to limit the probing phase below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.
Flag: --results
When the results
flag is specified, upon completing the test, it outputs the results to the specified filename. The format for this output file is text unless the filename ends with a .json
file extension. In that case, the result output is that of JSON.
The schema for the JSON output for this submodule can be found here.
Flag: -r
, --rounds
The number of rounds for how many times the port ranges are tested is specified by the rounds
argument.
Flag: --rtcp-payload
Pass a filename argument to the rtcp-payload
flag to set the RTCP payload to be sent during the probe and attack phases.
Flag: --rtp-payload
The rtp-payload
parameter allows the setting of a file that is used for the RTP stream. The following file types are supported:
.raw
, for raw audio to be passed to the RTP stream without any transcoding.wav
, for wave files to be transcoded for the RTP stream.rtp
, for payload files containing the whole RTP packet to be sent as is
Flag: --srtp
The srtp
flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE
message. When the srtp
flag is set to none
, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE
. The srtp
mode can also be either dtls
or sdes
. In both dtls
and sdes
modes, the parameters are not required and will be generated randomly as need be.
Options for both dtls
and sdes
mode may be passed after a colon. For example:
--srtp dtls:cert.crt:cert.key[:ca.crt]
where the first argument after the mode (dtls
) is the public certificatecert.crt
, then the private keycert.key
and finally, the optional certificate authority fileca.crt
--srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj
where the argument is the base64 encoded cryptographic master key appended with the master salt.
Note that in the case of sdes
key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80
.
Future enhancements
Call setup functionality
We would like to have a SIP client built into the tool which allows setting up of a (legit) SIP call. This will allow testers in lab environment or with SIP credentials to easily test for the vulnerability. The tool could test for the vulnerability multiple times, each time setting up a call and then testing for RTP bleed after an amount of time that increases with each round. This would allow the tester to automatically be able to tell if the target system is vulnerable, and if the vulnerable system can only be attacked during the first few seconds or first few packets.
Codec changing and detection
In the future, the RTP header’s payload type may be specified and/or assumed automatically by copying the payload type in the incoming RTP packets.
JSON schema
The following is the JSON schema for the JSON output of this tool:
{
"type": "object",
"properties": {
"status": {
"type": "object",
"properties": {
"returncode": { "type": "integer" },
"description": { "type": "string" }
}
},
"targets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"target": { "type": "string" },
"status": {
"type": "object",
"properties": {
"returncode": { "type": "integer" },
"description": { "type": "string" }
}
},
"results": {
"type": "object",
"properties": {
}
},
"issues": {
"type": "object",
"properties": {
"stats": {
"type": "array",
"items": {
"type": "object",
"properties": {
"rtp_packet_num": {"type": "integer"},
"rtcp_packet_num": {"type": "integer"},
"unknown_packet_num": {"type": "integer"}
}
}
}
}
}
}
}
}
}
}