Skip to main content

sip fuzz server

Summary

Fuzz SIP clients (UAC) by pointing them to this server

What it does

Perform a SIP fuzzing test on SIP UACs pointed towards SIPVicious. This tool allows testers to check the robustness of the SIP parser and SIP stack by sending mutated SIP messages to a SIP client trying to make calls through the server.

Tool functionality

The sip fuzz server module helps identify unknown security issues using fuzzing techniques. It mutates SIP messages before they are sent to the target client by making use of the mutation engine that is specified. By default it uses radamsa, but the zzuf mutator can also be used as a mutation engine. For details about getting these third-party mutators setup on your system, please follow the installation page.

In the case of most SIP messages, the functionality is rather simple: randomly respond with malformed SIP messages. At the moment, this fuzzer only handles INVITE messages and applies fuzzing to responses to INVITE messages.

The fuzzer works by repeating the following steps:

  1. Wait for an incoming INVITE message
  2. Build a 100 response with the correct values
  3. Pass the 100 response to the fuzzer
  4. Send the message
  5. Do the past 3 steps again but for 180 response
  6. Do the past 3 steps again but for 200 response containing an SDP body

Command format

sipvicious sip fuzz server [target1] [flags]

Flags

  -D, --domain string      Override domain name for the SIP address
      --fuzz-mode string   Specify which part to fuzz; format: part:value; (header|message|body|request-line); e.g. header:Via; see full documentation for details
      --mutator string     Specify the mutator to use (radamsa|zzuf|none) (default "radamsa")

Flags inherited from parent commands

      --ca-cert string       TLS CA Certificate
      --client-cert string   TLS client certificate
      --client-key string    TLS client private key
  -C, --config string        configuration file to use (may be JSON, TOML or YAML)
      --debug                set log level to debug
  -T, --duration duration    
      --logfile string       specify a log filename
      --results string       specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings
      --srtp string          Specify if either none, dtls or sdes to enforce SRTP for calls; format: method or method:parameters; see full documentation for details (default "none")
      --templates string     Directory to search for template overrides (default ".")
      --tls-key-log string   TLS key log

Examples

sipvicious sip fuzz server udp://0.0.0.0:5060
sipvicious sip fuzz server tcp://0.0.0.0:5060
sipvicious sip fuzz server tls://0.0.0.0:5061

Advanced examples

# start a UDP server and fuzz incoming calls
sipvicious sip fuzz server udp://0.0.0.0:5060

# start a TCP server and only fuzz the body in the response for incoming calls
sipvicious sip fuzz server tcp://0.0.0.0:5060 --fuzz-mode body

Exit codes

Code Description
40 A security issue is raised when the prober detects SIP-level or network-level errors
30 A network connectivity issue is raised when the connection fails before the attack is started

Full flag documentation

Flag: --ca-cert

The CA cert can be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --client-cert

The client certificate must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: --client-key

The client key must be passed when making use of client certificate authentication. The file should be formatted as PEM.

Flag: -C, --config

Specify a configuration file which may be a JSON, TOML and YAML config format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.

These settings may be overwritten when the corresponding flag is explicitly set, if one is present.

Flag: --debug

Tells the logger to print out debug messages.

Flag: -D, --domain

A domain name can be specified so that the SIP URI contains that particular domain rather than the one specified in the SIP message. This is useful for targets that expect a particular domain name.

Flag: -T, --duration

Specify the maximum duration of the attack so that it stops after a certain time. For example, 30s, 10m or 24h.

Flag: --fuzz-mode

The flag fuzz-mode allows one to specify which part of the SIP message to mutate. The value of this flag could be one of the following:

  • message which is default and mutates the whole SIP message
  • header which only mutates one header at a time
  • body which mutates the whole SIP body
  • request-line which only mutates the first line of the SIP request

Additionally, when header is specified as value, it can take a header name which is preceded with a colon. For example, the following value would fuzz the Via header: header:via.

By default, all fuzzing methods are used randomly when the value is not set.

Flag: --logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: --mutator

Choose the mutation engine to use. Currently supported are the following:

The none mutator can be specified for debugging reasons, for example, to ensure that the SIP messages are generated correctly. When using this value, no fuzzing is actually done.

Flag: --results

When the results flag is specified, upon completing the test, it outputs the results to the specified filename. The format for this output file is text unless the filename ends with a .json file extension. In that case, the result output is that of JSON.

The schema for the JSON output for this submodule can be found here.

Flag: --srtp

The srtp flag when specified, allows users to set the SRTP mode. By default, outgoing calls do not make use of SRTP, while incoming calls automatically handle SRTP depending on the SDP body of the incoming INVITE message. When the srtp flag is set to none, incoming calls do not make use of SRTP, regardless of the SDP body in an incoming INVITE. The srtp mode can also be either dtls or sdes. In both dtls and sdes modes, the parameters are not required and will be generated randomly as need be.

Options for both dtls and sdes mode may be passed after a colon. For example:

  • --srtp dtls:cert.crt:cert.key[:ca.crt] where the first argument after the mode (dtls) is the public certificate cert.crt, then the private key cert.key and finally, the optional certificate authority file ca.crt
  • --srtp sdes:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj where the argument is the base64 encoded cryptographic master key appended with the master salt.

Note that in the case of sdes key, the master key needs to be a valid length, which is 30 octets, for the default crypto-suite AES_CM_128_HMAC_SHA1_80.

Flag: --templates

Allows one to set the template directory which is used to load (or save) the SIP templates.

To get the default SIP templates, make use of the sipvicious sip utils dump templates command.

Flag: --tls-key-log

The TLS key log creates a file with the TLS key that can then be used to decrypt the TLS stream in tools that support it, such as Wireshark.

Future enhancements

These are future features for this tool:

  • handle more than just INVITE messages
  • support re-INVITE

This tool is works in progress.

JSON schema

The following is the JSON schema for the JSON output of this tool:

{
  "type": "object",
  "properties": {
    "status": {
      "type": "object",
      "properties": {
        "returncode": { "type": "integer" },
        "description": { "type": "string" }
      }
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "target": { "type": "string" },
          "status": {
            "type": "object",
            "properties": {
              "returncode": { "type": "integer" },
              "description": { "type": "string" }
            }
          },
          "results": {
            "type": "object",
            "properties": {
            }
          },
          "issues": {
            "type": "object",
            "properties": {
            }
          }
        }
      }
    }
  }
}