OUSPG, Computer Engineering Laboratory, Electrical and Information Engineering, University of Oulu

PROTOS Test-Suite: c07-h2250v4

index.html, Revision 1.38, 2004/11/10 10:02:50
Permission is hereby granted for quoting, reprinting and redistributing
this document, provided that a link to this document is given, and all
changes made are clearly separated from the original text.

ABSTRACT

H.323 is a collection of protocols and other standards which together enable conferencing over packet-based networks. H.323 is embraced by major vendors and implementations range from desktop applications to heavy-duty and industrial-grade gateways. A subset of H.323, H.225.0, was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. The scope was further narrowed down to the initial call setup message. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Many of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. In order to achieve a robustness baseline for H.323 products this test-material should be adopted for their evaluation and development.

Introduction

This test-suite is a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project. [1] It covers a limited set of information security and robustness related implementation errors within a subset of the chosen protocol. Important: background, goals, limitations, terminology and licensing for this test-suite release are explained in the "Test-suite releases in Theory and Practice" document.

"H.323 is the international standard and the market leader for IP Telephony. H.323 networks in production today carrying hundreds of millions (perhaps billions) of minutes per month. H.323 has proven to be an extremely scalable solution that meets the needs of both service providers and enterprises, with H.323 products ranging from stacks and chips to wireless phones and video conferencing hardware." - H.323 Information Site [2]

The purpose of this test-suite is to evaluate implementation level security and robustness of H.225.0 implementations. H.225.0 is a protocol responsible for signalling and setting up H.323 calls. The factors behind choosing H.225.0 included:

  • H.323 is the de-facto standard for Voice over IP (VoIP) and conferencing, and it is widely deployed. Moreover, the lack of prior vulnerability announcements suggests that either H.323 implementations have not been closely scrutinised or they are uncommonly robust.
  • H.225.0 is the first and most commonly exposed interface to H.323 session establishment.
  • H.225.0 must be implemented by most H.323 components, namely terminals, gateways, proxies and multi-point control units.
  • Due to the firewall-unfriendly, dynamic behaviour of H.323, many firewall products contain complex H.225.0 parsing code. Because of its critical placement, that potentially vulnerable code should be tested for robustness.

The scope of the test-suite was narrowed to H.225.0 version 4 Setup-PDU. Rationale behind this selection was:

  • Setup is the first message sent to a target H.323 endpoint in call signalling; test-cases are easy to deliver, and the implementation can be restored to its initial state simply by disconnecting.
  • Certain security measures can be enforced only after the Setup-PDU has been parsed, and implementations are by design ready to accept incoming Setup messages.
  • H.225.0 implements a subset of Recommendation Q.931, which is used in ISDN signalling. Certain elements of Q.931 utilise BER-encoded ASN.1.
  • Many of the information elements used in H.225.0 can be included in the Setup-PDU.
  • The User-user information element in H.225.0 utilises the complex ASN.1 Packed Encoding Rules (PER), which are also used in H.225.0 RAS (Registration, Admission and Status) messages between H.323 endpoints and gatekeepers.

Test-Suite Design

Standard Survey

Recommendation H.323 defines a collection of protocols and standards which together enable conferencing over packet-based networks (such as IP networks). [3] Of these standards, the following ones must be supported by H.323 endpoint implementations:

  • H.245 for exchanging terminal capabilities and creation of media channels
  • H.225.0 for call signalling
  • RAS for registration, admission control and status signalling with a gatekeeper
  • RTP/RTCP for sequencing audio and video packets
  • G.711 audio codec

H.225.0 stands for Call signalling protocols and media stream packetisation for packet-based multimedia communication systems. [4]

"Call signaling is a basic requirement needed to set up and tear down a call between two endpoints. H.225.0 uses a subset of Q.931 signaling protocol for this purpose. Q.931 was initially developed for signaling in integrated services digital networks (ISDN). H.225.0 adopts Q.931 signaling by incorporating it in its message format. H.225.0 call signaling is sent directly between the endpoints when no gatekeeper exist. When a gatekeeper exists then it may be routed through the gatekeeper." - H.323 and Associated Protocols by Asim Karim [5]

The available standards specifying H.225.0 were studied and analysed. The relevant specifications are listed below.

  • Recommendation H.225.0 - Call signalling protocols and media stream packetization for packet-based multimedia communication systems (version 4) [4]
  • Recommendation H.323 - Packet-based multimedia communications systems (version 4) [3]
  • H.323v4 Implementors' Guide [6]
  • Recommendation Q.931 - ISDN user-network interface layer 3 specification for basic call control [7]
  • Recommendation Q.932 - Generic procedures for the control of ISDN supplementary services [8]
  • RFC1006 - ISO Transport Service on top of the TCP Version 3 [9]
  • Recommendation X.691 - ASN.1 encoding rules - Specification of Packed Encoding Rules (PER) [10]

Subject Survey

A survey of available implementations is conducted. This should include a diverse selection of implementations in order to gain a better insight into the applications implementing the protocol, and to give a hint on the impact of potential vulnerabilities. A subset of the implementations is chosen to be tested during the test-suite creation and prerelease phases. Typically, not all implementations are available for testing.

The H.323 recommendation describes the components of an H.323 system. [3] The relations of H.323 entities are illustrated in the figure below. The components within the scope of this test-suite, ones that have to parse H.225.0 Setup-PDUs, are marked with asterisks (*). A single implementation may encompass several entity types.

Figure: ER Diagram of H.323 Entities

Gatekeeper
A gatekeeper is an optional H.323 entity that provides services such as address translation and network access control for H.323 endpoints. It can also provide other services such as bandwidth management, accounting and routing. Endpoints and gatekeepers communicate with H.225.0 RAS messages.
(*) Firewall
Since H.323 relies heavily on dynamic ports, basic packet filtering is ill-suited for controlling H.323 traffic, as it would require opening every port above 1024. Therefore, most firewall solutions supporting H.323 must at least disassemble the control stream packets (H.245, H.225.0) and dynamically open up the firewall as needed.
Endpoint (EP)
An endpoint is a callable H.323 entity: a terminal, gateway, proxy or multi-point control unit.
(*) Terminal
A terminal, or a client, is an endpoint where H.323 data and signalling traffic originate and terminate.
(*) Gateway
A gateway is an optional H.323 endpoint that is needed between an H.323 network and a non-H.323 network. It provides translation of traffic and media formats between the two networks; using gateways, H.323 terminals may inter-operate with terminals of other networks.
(*) Proxy
A proxy is an optional H.323 endpoint, essentially an H.323-to-H.323 gateway.
(*) Multi-point Control Unit (MCU)
A multi-point control unit enables multi-point conferences between three or more endpoints. An MCU consists of a required MC and optional MPs. A typical MCU supporting centralised multi-point conferences consists of an MC and an MP that supports audio, video and data streams.
Multi-point Controller (MC)
A multi-point controller provides a centralised location for multi-point call setup. Call and control signalling are routed through the MC so that endpoint capabilities can be determined and communication parameters negotiated. An MC negotiates capabilities with all terminals to establish common levels of communication.
Multi-point Processor (MP)
A multi-point processor centrally processes audio, video and/or data streams in a multi-point conference. The MP mixes, switches and performs other processing duties for streams controlled by an MC. It may process one or many media streams depending upon the type of conference it is supporting.

No list of the tested implementations is presented herein. H.323 is embraced by major vendors, and implementations range from desktop applications to heavy-duty and industrial-grade gateways. A list of vendors with H.323-enabled products includes at least: ASUS, Avaya, Checkpoint, Cisco Systems, CUSeeMe, Ericsson, Hitachi, Hughes Software Systems, IBM, Intel, LG Electronics Inc., Lotus, Lucent, Microsoft, Motorola, Netergy Networks, Nortel, OpenH323, RADVISION, Siemens, SONY, VCON, VTEL and Zydacron.

Additional lists of vendors, specific implementations and related information may be found from the following resources:

  • H.323 Products & Services [11]
  • ITU-T T.35 Manufacturers Codes for H.3xx Devices [12]

A subset of the implementations was chosen as a sample set to be tested during the test-suite creation and pre-release phases. The most likely reasons for omission of a specific product from the sample set are:

  • no evaluation copy of the product was available
  • the evaluation copy had a restrictive licence prohibiting evaluation
  • we were not aware of the product

Injection Vector Survey

In injection vector survey, different methods of delivering the test cases to the implementations under test are identified and analysed. Often, there are several injection methods and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.

Injection Vector Survey

Application protocol  Transport protocol  Packet
H.225.0               TCP port 1720       H.225.0 Setup-PDU
H.225.0               UDP port 1720       H.225.0 Setup-PDU as in H.323 Annex E

Although the H.225.0 call signalling channel may also be carried over UDP (H.323 Annex E), all relevant entities must support signalling over TCP port 1720 [4]. Moreover, the use of TCP simplifies call tear-down, which made it the logical choice of transport for this test-suite.

Specifications Design

Protocol data unit specifications are used as a basis for generating the test-cases. Starting point for the design of the test-suite is to acquire or create a machine-readable representation of the protocol specification. The test-tool in use utilises a custom dialect of BNF (Backus-Naur Form). BNF is capable of describing the context-free syntax of a specification, but is often insufficient for automated test-case generation. The specification is completed by rules which maintain semantic validity and provide communication channels necessary to simulate the protocol.

The H.225.0 Setup-PDU can be divided in three logical parts:

  • TPKT that encapsulates Q.931 Setup-PDU
  • Q.931 Setup-PDU information elements
  • The ASN.1 PER encoded contents of the Q.931 User-user information element

Although this separation is somewhat artificial, it makes the test-suite documentation easier to follow. In reality, all three parts are sent in a single H.225.0 Setup packet.

The following table describes the choices made and default values defined for the TPKT part of the Setup-PDU in this test-material.

TPKT elements

Element        Present/Subelement  Default value
TPKT-Version   Always              0x03
TPKT-Reserved  Always              0x00
TPKT-Length    Always              Length of the message including TPKT (2 bytes)

Legend for the second column:

  • "Always" indicates that the element is present in every test-case unless it is overwritten or replaced by an exceptional element. For example, if the whole Q.931 message is replaced by, say, ten thousand 'A' characters, none of the Q.931 information elements is present.
  • "Never" signifies an element that is not covered. However, exceptional elements may appear similar to the element in question.
  • "Only when tested" specifies that when the element is present, it contains an exceptional element.
  • Any other string in this column is the name of a sub (or child) element of the element in the first column.

The following table describes the choices made and default values defined for the Q.931 part of the Setup-PDU in this test-material.

Q.931 elements

Element                      Present/Subelement                   Default value
Protocol discriminator       Always                               0x08
Call reference               Always                               Test-case number in binary
Message type                 Always                               0x05
Sending complete             Never                                -
Repeat indicator             Never                                -
Bearer capability            Always                               -
                             - Coding standard                    ITU-T
                             - Information transfer capability    Speech
                             - Transfer mode                      Circuit mode
                             - Information transfer rate          64 kbps
                             - User information layer 1 protocol  G.711 A-law
Extended facility            Only when tested                     Exceptional
Channel identification       Never                                -
Facility                     Only when tested                     Exceptional
Progress indicator           Never                                -
Network specific facilities  Never                                -
Notification indicator       Only when tested                     Exceptional
Display                      Always                               "test-case" + Test-case number in ASCII
Keypad facility              Only when tested                     "keypad value"
Signal                       Only when tested                     Dial tone on
Calling party number         Only when tested                     -
                             - Type of number                     Unknown
                             - Numbering plan                     ISDN/telephony (E.164)
                             - Number digits                      "12345678"
Calling party subaddress     Never                                -
Called party number          Only when tested                     -
                             - Type of number                     Unknown
                             - Numbering plan                     ISDN/telephony (E.164)
                             - Number digits                      "12345678"
Called party subaddress      Only when tested                     -
                             - Type of subaddress                 NSAP
                             - Subaddress information             "12345678"
Redirecting number           Never                                -
Transit network selection    Never                                -
Repeat indicator             Never                                -
Low layer compatibility      Never                                -
High layer compatibility     Never                                -
User-user                    Always                               -
                             - Protocol discriminator             0x05
                             - User information                   In separate table

Legend: [see first elements table above]
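The layout of the two tables above, as an added example rather than code from the test-suite or its tool: a Python builder that assembles a Setup-PDU from the TPKT and Q.931 defaults (call reference = test-case number, Bearer capability = ITU-T / speech / circuit mode / 64 kbps / G.711 A-law, Display = "test-case N", User-user with protocol discriminator 0x05 and a two-octet length), and a strict parser that rejects every length field that disagrees with the octets actually received. The PER-encoded Setup-UUIE is carried as an opaque octet string; the four placeholder bytes are constructed for the example and are not a real Setup-UUIE.

```python
import struct
from typing import Dict, List, Optional

TPKT_VERSION = 0x03
Q931_PD = 0x08              # Q.931 protocol discriminator
Q931_SETUP = 0x05           # Q.931 message type SETUP
IE_BEARER_CAPABILITY = 0x04
IE_DISPLAY = 0x28
IE_USER_USER = 0x7E
UUIE_PD = 0x05              # H.225.0 protocol discriminator inside User-user
# Bearer capability octets 3-5: ITU-T coding standard, speech, circuit mode,
# 64 kbit/s, user information layer 1 protocol G.711 A-law
BEARER_DEFAULT = bytes([0x80, 0x90, 0xA3])
# Placeholder for the PER-encoded Setup-UUIE (constructed, not a real UUIE)
USER_USER_PLACEHOLDER = bytes.fromhex("00112233")


def build_setup(case_no: int, display: Optional[bytes] = None,
                user_user: bytes = USER_USER_PLACEHOLDER) -> bytes:
    """Assemble TPKT | Q.931 header | IEs, computing every length field."""
    if display is None:
        display = b"test-case " + str(case_no).encode("ascii")
    if len(display) > 0xFF:
        raise ValueError("Display IE has a one-octet length field")
    # Call reference: length octet (2), then flag bit 0 and a 15-bit value
    q931 = bytes([Q931_PD, 0x02]) + struct.pack(">H", case_no & 0x7FFF)
    q931 += bytes([Q931_SETUP])
    q931 += bytes([IE_BEARER_CAPABILITY, len(BEARER_DEFAULT)]) + BEARER_DEFAULT
    q931 += bytes([IE_DISPLAY, len(display)]) + display
    uu = bytes([UUIE_PD]) + user_user
    # H.225.0 gives the User-user IE a two-octet length field
    q931 += bytes([IE_USER_USER]) + struct.pack(">H", len(uu)) + uu
    return bytes([TPKT_VERSION, 0x00]) + struct.pack(">H", 4 + len(q931)) + q931


def parse_setup(pdu: bytes) -> Dict[str, object]:
    """Strict parse: every length is checked against the octets actually present."""
    if len(pdu) < 4:
        raise ValueError("TPKT header truncated")
    if pdu[0] != TPKT_VERSION:
        raise ValueError("TPKT version %#x" % pdu[0])
    tpkt_len = struct.unpack(">H", pdu[2:4])[0]
    if tpkt_len != len(pdu) or tpkt_len < 4 + 3:
        raise ValueError("TPKT length %d for %d octets received" % (tpkt_len, len(pdu)))
    body = pdu[4:]
    if body[0] != Q931_PD:
        raise ValueError("not a Q.931 message")
    cr_len = body[1] & 0x0F                      # call reference length, 0..15 octets
    if 2 + cr_len + 1 > len(body):
        raise ValueError("call reference runs past the message")
    call_ref = body[2:2 + cr_len]
    pos = 2 + cr_len
    msg_type = body[pos] & 0x7F
    pos += 1
    ies: Dict[int, List[bytes]] = {}
    while pos < len(body):
        ie_id = body[pos]
        pos += 1
        if ie_id & 0x80:                         # single-octet IE, e.g. Sending complete
            ies.setdefault(ie_id, []).append(b"")
            continue
        len_octets = 2 if ie_id == IE_USER_USER else 1
        if pos + len_octets > len(body):
            raise ValueError("IE %#x length field truncated" % ie_id)
        ie_len = int.from_bytes(body[pos:pos + len_octets], "big")
        pos += len_octets
        if pos + ie_len > len(body):
            raise ValueError("IE %#x claims %d octets, %d left" % (ie_id, ie_len, len(body) - pos))
        ies.setdefault(ie_id, []).append(body[pos:pos + ie_len])
        pos += ie_len
    for uu in ies.get(IE_USER_USER, []):
        if not uu or uu[0] != UUIE_PD:
            raise ValueError("User-user protocol discriminator is not 0x05")
    return {"call_reference": call_ref, "message_type": msg_type, "ies": ies}


def is_malformed(pdu: bytes) -> bool:
    """True when the strict parser rejects the PDU."""
    try:
        parse_setup(pdu)
    except ValueError:
        return True
    return False


SAMPLE_PDU = build_setup(7)
```

The parser's checks are exactly the places the TPKT and Q.931 test-groups below poke at: a TPKT length that disagrees with the frame, a call reference length nibble that runs past the message, and an IE length that claims more octets than remain. An implementation that trusts any of these reads past its buffer on the corresponding test-case.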

The following table describes the choices made and default values defined for the User-information element part of the Setup-PDU in this test-material. Due to the vast number of ASN.1 definitions and their possible combinations, only the elements that are always present are listed.

User-Information elements

Element                   Present/Subelement    Default value
H323-UU-PDU               Always                Setup-UUIE
ProtocolIdentifier        Always                0.0.8.2250.0.4
sourceAddress             Always                -
                          - H323-ID             "c07-h2250v4" in 16-bit Unicode
sourceInfo                Always                -
                          - vendor              VendorIdentifier
                          - mc                  False
                          - undefinedNode       False
VendorIdentifier          Always                -
                          - T35CountryCode      0x3c
                          - T35Extension        0x00
                          - ManufacturerCode    0x00 0x3d
                          - ProductId           "c07-h2250v4 test-suite" 0x00 0x00
                          - VersionId           "1.0" 0x00 0x00
destinationAddress        Always                Same as sourceAddress
destCallSignalAddress     Always                -
                          - IPv4 address        0x7f 0x00 0x00 0x01 (127.0.0.1)
                          - IPv4 port           0x06 0xb8 (1720)
activeMC                  Always                False
conferenceID              Always                "globally-uniq-" + 2 bytes test-case number in binary
conferenceGoal            Always                create
callType                  Always                pointToPoint
sourceCallSignalAddress   Always                Same as destCallSignalAddress
remoteExtensionAddress    Always                Same as sourceAddress
callIdentifier            Always                Same as conferenceID
tokens                    Always                ClearToken
                          - ClearToken OID      0.0
mediaWaitForConnect       Always                False
canOverlapSend            Always                False
multipleCalls             Always                False
maintainConnection        Always                False
h245Tunneling             Always                False

Legend: [see first elements table above]

Erratum: Choice of the default value of "12345678" for telephone numbers may not turn out to be the wisest one. For future iterations of this test-material E.164 numbering scheme should be studied for numbers reserved for test purposes.

Design of Exceptional Elements

An exceptional element is a piece of data designed to provoke undesired behaviour in the test subject. A single test-case contains one or a few exceptional elements. An exceptional element may violate the protocol specification, but often it is legal or in the hazy region between legal and illegal constructs. In a nutshell, an exceptional element is an input that might not have been considered properly when implementing the software.

The following table lists the categories of the exceptional elements designed for the test-material:

Exceptional Element Categories

Name                     Description
ee-4bit                  4-bit combinations
ee-8bit                  Some 8-bit combinations
ee-16bit                 Some 16-bit combinations
ee-ber-length            Exceptional BER Length (L) fields
ee-ber-t-number-shadow   Exceptional BER Tag (T) number fields
ee-bmpstring-256         Exceptional BMPStrings up to 256 characters (512 bytes, 16 bits per character)
ee-cut-pdu               PDU is cut off before it is supposed to end
ee-empty                 Omitted element
ee-fmtstring             Format strings (e.g. %s%s%s or %.4097d)
ee-h323-url              Exceptional H.323-URLs (overflows, format strings, etc.)
ee-ipv4-address-binary   Exceptional IPv4 addresses in binary
ee-ipv6-address-binary   Exceptional IPv6 addresses in binary
ee-isdn-number           Exceptional E.164 (ISDN) numbers
ee-octetstring-256       Exceptional OCTET STRINGs up to 256 bytes
ee-overflow-backslash    Overflows of "\" up to 128 kbytes
ee-overflow-binary       Overflows of 0b00, 0b01, 0b10 and 0b11 up to 33 kbytes
ee-overflow-general      7-bit (0x61) and 8-bit character overflows up to 128 kbytes
ee-overflow-null         Overflows of 0x61 and nulls (0x00) mixed
ee-oid                   OBJECT IDENTIFIER overflows and other exceptional values
ee-oid-underflow         OBJECT IDENTIFIER underflows
ee-per-length            Exceptional PER length wrapper encodings
ee-q931-message-type     Some valid and invalid Q.931 message types
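Two of the categories above, ee-ber-length and ee-per-length, target the length wrappers of the two ASN.1 encodings inside the Setup-PDU: BER (X.690) length fields inside the Q.931 Facility IE, and PER (X.691) length determinants in front of Setup-UUIE strings such as the H323-ID and the H.323-URL. The following Python, an added example and not the generators used by the PROTOS tool, encodes both wrappers correctly, lists the boundary cases this example substitutes for the correct length (its own selection, not the suite's), and shows the strict decoders a robust implementation needs in order to reject each of them.

```python
from typing import Callable, List, Tuple


def ber_length(n: int) -> bytes:
    """Minimal definite-form BER length (X.690): short form below 128, else long form."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_ber_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """(content length, octets consumed); rejects indefinite, reserved, oversized,
    non-minimal and content-exceeding length fields."""
    if pos >= len(buf):
        raise ValueError("length octet missing")
    first = buf[pos]
    if first < 0x80:
        n, used = first, 1
    elif first in (0x80, 0xFF):
        raise ValueError("indefinite or reserved length form")
    else:
        k = first & 0x7F
        if k > 4:
            raise ValueError("%d length octets is not credible" % k)
        if pos + 1 + k > len(buf):
            raise ValueError("length octets truncated")
        n = int.from_bytes(buf[pos + 1:pos + 1 + k], "big")
        if ber_length(n) != buf[pos:pos + 1 + k]:
            raise ValueError("non-minimal long form")
        used = 1 + k
    if pos + used + n > len(buf):
        raise ValueError("length %d exceeds the %d octets present" % (n, len(buf) - pos - used))
    return n, used


def per_length(n: int) -> bytes:
    """Aligned-PER unconstrained length determinant (X.691) for n below 16384."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 8), n & 0xFF])
    raise ValueError("16K and larger need fragment markers 0xC1..0xC4")


def decode_per_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """(content length, octets consumed) for one unfragmented determinant."""
    if pos >= len(buf):
        raise ValueError("length determinant missing")
    first = buf[pos]
    if first < 0x80:
        n, used = first, 1
    elif first < 0xC0:
        if pos + 1 >= len(buf):
            raise ValueError("second determinant octet missing")
        n = ((first & 0x3F) << 8) | buf[pos + 1]
        if n < 0x80:
            raise ValueError("non-minimal two-octet determinant")
        used = 2
    elif 0xC1 <= first <= 0xC4:
        # (first & 0x3F) * 16K octets follow, then another determinant; a real
        # decoder must bound the accumulated total. Rejected in this example.
        raise ValueError("fragmented length not accepted")
    else:
        raise ValueError("reserved determinant %#x" % first)
    if pos + used + n > len(buf):
        raise ValueError("length %d exceeds the %d octets present" % (n, len(buf) - pos - used))
    return n, used


def exceptional_ber_lengths(actual: int) -> List[bytes]:
    """Substitutes for ber_length(actual); this example's boundary cases for ee-ber-length."""
    return [b"\x80", b"\xff",                       # indefinite form, reserved value
            b"\x84\xff\xff\xff\xff",                # 4 GiB claim
            b"\x88" + b"\xff" * 8,                  # 64-bit claim
            b"\x81" + bytes([actual & 0x7F]),       # non-minimal long form
            b"\x82\xff\xff", ber_length(0),
            ber_length(actual + 1), ber_length(max(actual - 1, 0))]


def exceptional_per_lengths(actual: int) -> List[bytes]:
    """Substitutes for per_length(actual); this example's boundary cases for ee-per-length."""
    return [b"\x80" + bytes([actual & 0xFF]),       # non-minimal two-octet form
            b"\xbf\xff",                            # 16383, largest two-octet value
            b"\xc1", b"\xc4",                       # 16K and 64K fragment markers, no data
            b"\xc5", b"\xff", b"\x00", b"\x7f",     # reserved, reserved, zero, 127
            per_length(actual + 1), per_length(max(actual - 1, 0))]


def survives(decoder: Callable[[bytes, int], Tuple[int, int]],
             length_field: bytes, content: bytes, actual: int) -> bool:
    """True if the decoder accepts length_field in front of content and agrees with actual."""
    try:
        n, _ = decoder(length_field + content, 0)
    except ValueError:
        return False
    return n == actual
```

A test-case is produced by taking the valid PDU, replacing one correct length wrapper with one entry from the list, and leaving the enclosing TPKT length consistent with what is actually sent; the interesting subjects are those that believe the inner length rather than the outer one.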

Design of Test-Material

The test-material consists of test-cases simulating hostile input to the implementation under test. A test-case contains one or more exceptional elements, other elements being in their default state. Cases are arranged into test-groups, each covering a certain part of the PDU or similar anomalies. Details for the package of 4497 test messages are presented in the three tables below. Test-groups have been arranged in three collections based on the protocol abstraction that they focus on.

TPKT test-groups

Name           Exceptional Elements                   Start index  Test cases
valid          n/a                                    0            1
TPKT           ee-empty, ee-8bit, ee-overflow-binary  1            41
TPKT-Version   ee-empty, ee-8bit                      42           8
TPKT-Reserved  ee-empty, ee-8bit                      50           8
TPKT-Length    ee-16bit                               58           7

Legend:

  • "Name" column gives the tag-name of the test-group. Tags reflect the field and element names in the protocol specification and can be used to follow which parts of the PDU are being tested.
  • "Exceptional Elements" column lists the exceptional element categories integrated in the test-group.
  • "Start index" and "Test cases" columns give the number of the first test-case in the test-group and the number of cases from there on.

Q.931 test-groups
Name Exceptional Elements Start index Test cases
Q931 ee-empty, ee-overflow-binary 65 34
Q931-Discriminator ee-empty, ee-8bit 99 8
Q931-Call-Reference ee-empty, ee-overflow-binary 107 34
Q931-Call-Reference-Length ee-empty, ee-8bit 141 8
Q931-Call-Reference-Value ee-empty, ee-overflow-binary 149 34
Q931-Message-Type ee-empty, ee-8bit, ee-q931-message-type 183 23
Q931-Message-Type-Cut-PDU ee-empty, ee-8bit, ee-q931-message-type, ee-cut-pdu 206 23
Q931-Bearer-Capability ee-empty, ee-overflow-binary 229 34
Q931-Bearer-Capability-Id ee-empty, ee-8bit 263 8
Q931-Bearer-Capability-Length ee-empty, ee-8bit 271 8
Q931-Bearer-Capability-Payload ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 279 49
Q931-Bearer-Octet-3 ee-empty, ee-8bit 328 8
Q931-Bearer-Octet-4 ee-empty, ee-8bit 336 8
Q931-Bearer-Octet-5 ee-empty, ee-8bit 344 8
Q931-Bearer-Octet-Ext ee-8bit, ee-16bit, ee-overflow-binary 352 48
Q931-Facility-Length ee-empty, ee-8bit 400 8
Q931-Facility-PDU ee-empty, ee-8bit, ee-overflow-binary 408 41
Q931-Facility-PDU-InvokeComponent-Sequence ee-ber-t-number-shadow 449 18
Q931-Facility-PDU-InvokeComponent-Length ee-ber-length 467 53
Q931-Facility-PDU-InvokeComponent-Value ee-empty, ee-overflow-binary 520 34
Q931-Notification-Length ee-empty, ee-8bit 554 8
Q931-Notification-Value ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 562 49
Q931-Display ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 611 49
Q931-Display-Id ee-empty, ee-8bit, ee-16bit 660 16
Q931-Display-Length ee-empty, ee-8bit 676 8
Q931-Display-Value-overflow ee-overflow-general, ee-overflow-backslash, ee-overflow-null 684 81
Q931-Display-Value-fmtstring ee-fmtstring 765 32
Q931-Keypad-Facility-Length ee-empty, ee-8bit 797 8
Q931-Keypad-Facility-Value-overflow ee-overflow-general, ee-overflow-backslash, ee-overflow-null 805 81
Q931-Keypad-Facility-Value-fmtstring ee-fmtstring 886 32
Q931-Signal-Length ee-empty, ee-8bit 918 8
Q931-Signal-Value ee-empty, ee-8bit, ee-overflow-null 926 41
Q931-Calling-Party-Number-Length ee-empty, ee-8bit 967 8
Q931-Calling-Party-Number-Payload ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 975 49
Q931-Calling-Number-Octet-3 ee-empty, ee-8bit, ee-16bit 1024 16
Q931-Calling-Number-Digits-overflow ee-isdn-number, ee-overflow-general, ee-overflow-null 1040 74
Q931-Calling-Number-Digits-fmtstring ee-fmtstring 1114 32
Q931-Called-Party-Number-Length ee-empty, ee-8bit 1146 8
Q931-Called-Party-Number-Payload ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1154 49
Q931-Called-Number-Octet-3 ee-empty, ee-8bit, ee-16bit 1203 16
Q931-Called-Number-Digits-overflow ee-isdn-number, ee-overflow-general, ee-overflow-null 1219 74
Q931-Called-Number-Digits-fmtstring ee-fmtstring 1293 32
Q931-Called-Party-Subaddress-Length ee-empty, ee-8bit 1325 8
Q931-Called-Subaddress-Payload ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1333 49
Q931-Called-Subaddress-Octet-3 ee-empty, ee-8bit, ee-16bit 1382 16
Q931-Called-Subaddress-Value-overflow ee-isdn-number, ee-overflow-general, ee-overflow-null 1398 74
Q931-Called-Subaddress-Value-fmtstring ee-fmtstring 1472 32
Q931-User-To-User ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1504 49
Q931-User-To-User-Id ee-empty, ee-8bit 1553 8
Q931-User-To-User-Length ee-empty, ee-16bit 1561 9
Q931-User-To-User-Payload ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1570 49
Q931-Discriminator-User-To-User ee-empty, ee-8bit, ee-16bit 1619 16

Legend: [see first test-group table above]

User-Information test-groups
Name Exceptional Elements Start index Test cases
User-H323-User-Information ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1635 49
User-H323-Message-Body-Choices ee-4bit 1684 16
User-Setup-UUIE ee-empty, ee-8bit, ee-overflow-binary 1700 40
User-Setup-UUIE-Cut-PDU ee-cut-pdu 1740 1
User-ProtocolIdentifier-oid ee-oid 1741 54
User-ProtocolIdentifier-oid-underflow ee-oid-underflow 1795 24
User-ProtocolIdentifier-oid-underflow-Cut-PDU ee-oid-underflow, ee-cut-pdu 1819 24
User-SourceAddress ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1843 49
User-SourceAddress-AliasAddress-E164 ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1892 49
User-SourceAddress-AliasAddress-E164-Length ee-empty, ee-8bit 1941 8
User-SourceAddress-AliasAddress-E164-Value ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1949 49
User-SourceAddress-AliasAddress-H323-ID ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 1998 49
User-SourceAddress-AliasAddress-H323-ID-Length ee-empty, ee-8bit 2047 8
User-SourceAddress-AliasAddress-H323-ID-Value-overflow ee-empty, ee-bmpstring-256, ee-overflow-general, ee-overflow-null 2055 95
User-SourceAddress-AliasAddress-H323-ID-Value-fmtstring ee-fmtstring 2150 32
User-SourceAddress-AliasAddress-H323-URL-Length ee-per-length 2182 20
User-SourceAddress-AliasAddress-H323-URL-Value-overflow ee-overflow-general, ee-overflow-null 2202 65
User-SourceAddress-AliasAddress-H323-URL-Value-url ee-h323-url 2267 176
User-SourceAddress-AliasAddress-H323-URL-Value-fmtstring ee-fmtstring 2443 32
User-SourceInfo-EndpointType ee-empty, ee-8bit, ee-16bit 2475 16
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-T35CountryCode ee-empty, ee-8bit 2491 8
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-T35Extension ee-empty, ee-8bit, ee-16bit 2499 16
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-ManufacturerCode ee-empty, ee-16bit 2515 9
User-SourceInfo-EndpointType-VendorIdentifier-ProductId ee-empty, ee-overflow-binary 2524 34
User-SourceInfo-EndpointType-VendorIdentifier-ProductId-Length ee-empty, ee-8bit 2558 8
User-SourceInfo-EndpointType-VendorIdentifier-ProductId-Value ee-empty, ee-octetstring-256 2566 18
User-SourceInfo-EndpointType-VendorIdentifier-VersionId ee-empty, ee-overflow-binary 2584 34
User-SourceInfo-EndpointType-VendorIdentifier-VersionId-Length ee-empty, ee-8bit 2618 8
User-SourceInfo-EndpointType-VendorIdentifier-VersionId-Value ee-empty, ee-octetstring-256 2626 18
User-SourceInfo-EndpointType-TerminalInfo ee-empty, ee-8bit, ee-16bit 2644 16
User-SourceInfo-EndpointType-TerminalInfo-NonstandardObject-oid ee-oid 2660 54
User-SourceInfo-EndpointType-TerminalInfo-NonstandardObject-oid-underflow ee-oid-underflow 2714 24
User-SourceInfo-EndpointType-TerminalInfo-NonstandardData ee-empty, ee-overflow-general 2738 28
User-DestinationAddress ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 2766 49
User-DestinationAddress-AliasAddress-E164 ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 2815 49
User-DestinationAddress-AliasAddress-E164-Length ee-empty, ee-8bit 2864 8
User-DestinationAddress-AliasAddress-E164-Value ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 2872 49
User-DestinationAddress-AliasAddress-H323-ID ee-empty, ee-8bit, ee-16bit, ee-overflow-binary 2921 49
User-DestinationAddress-AliasAddress-H323-ID-Length ee-empty, ee-8bit 2970 8
User-DestinationAddress-AliasAddress-H323-ID-Value-overflow ee-empty, ee-bmpstring-256, ee-overflow-general, ee-overflow-null 2978 95
User-DestinationAddress-AliasAddress-H323-ID-Value-fmtstring ee-fmtstring 3073 32
User-DestinationAddress-AliasAddress-H323-URL-Length ee-per-length 3105 20
User-DestinationAddress-AliasAddress-H323-URL-Value-overflow ee-overflow-general, ee-overflow-null 3125 65
User-DestinationAddress-AliasAddress-H323-URL-Value-url ee-h323-url 3190 176
User-DestinationAddress-AliasAddress-H323-URL-Value-fmtstring ee-fmtstring 3366 32
User-DestCallSignalAddress-TransportAddress ee-empty, ee-8bit, ee-overflow-binary 3398 41
User-DestCallSignalAddress-TransportAddress-IP ee-empty, ee-ipv4-address-binary 3439 44
User-DestCallSignalAddress-TransportAddress-IP-Cut-PDU ee-cut-pdu 3483 1
User-DestCallSignalAddress-TransportAddress-Port ee-empty, ee-16bit 3484 9
User-DestCallSignalAddress-TransportAddress-Port-Cut-PDU ee-cut-pdu 3493 1
User-DestCallSignalAddress-TransportAddress-IP6 ee-empty, ee-ipv6-address-binary 3494 30
User-DestCallSignalAddress-TransportAddress-Port6 ee-empty, ee-16bit 3524 9
User-DestCallSignalAddress-TransportAddress-NonStandardObject-oid ee-oid 3533 54
User-DestCallSignalAddress-TransportAddress-NonStandardObject-oid-underflow ee-oid-underflow 3587 24
User-DestCallSignalAddress-TransportAddress-NonStandardData ee-empty, ee-overflow-general 3611 28
User-Setup-UUIE-Extension ee-empty, ee-8bit, ee-overflow-binary 3639 41
User-SourceCallSignalAddress ee-empty, ee-per-length 3680 21
User-SourceCallSignalAddress-TransportAddress ee-empty, ee-8bit, ee-overflow-binary 3701 41
User-SourceCallSignalAddress-TransportAddress-NonStandardObject-oid ee-oid 3742 54
User-SourceCallSignalAddress-TransportAddress-NonStandardObject-oid-underflow ee-oid-underflow 3796 24
User-SourceCallSignalAddress-TransportAddress-NonStandardData ee-empty, ee-overflow-general 3820 28
User-RemoteExtensionAddress ee-empty, ee-per-length 3848 21
User-RemoteExtensionAddress-H323-URL-Value ee-h323-url 3869 182
User-CallIdentifier ee-empty, ee-per-length 4051 21
User-CallIdentifier-GloballyUniqueID ee-overflow-general 4072 28
User-Tokens ee-empty, ee-per-length 4100 21
User-Tokens-Payload ee-empty, ee-overflow-binary 4121 34
User-ClearToken-oid ee-oid 4155 54
User-ClearToken-TypedCertificate-oid ee-oid 4209 54
User-ClearToken-TypedCertificate-certificate ee-overflow-general 4263 28
User-MediaWaitForConnect ee-empty, ee-per-length 4291 21
User-MediaWaitForConnect-Payload ee-empty, ee-overflow-binary 4312 34
User-CanOverlapSend ee-empty, ee-per-length 4346 21
User-CanOverlapSend-Payload ee-empty, ee-overflow-binary 4367 34
User-H323-UU-PDU-Extension ee-empty, ee-8bit, ee-overflow-binary 4401 41
User-H245Tunneling ee-empty, ee-per-length 4442 21
User-H245Tunneling-Payload ee-empty, ee-overflow-binary 4463 34

Legend: [see first test-group table above]

Implementation

Test-runs were conducted against the chosen sample of implementations. Specifications, exceptional elements, semantic rules, injectors and instrumentation were integrated as a test-tool configuration to enable automatic execution of the tests.

Injection

The test-tool provides communication rules for test-case injection. H.225.0-Setup PDUs can be injected using a simple TCP injector. A TCP-session will be established for each test-case. Session tear-down assumes that implementations terminate the call (test-case) when the associated TCP-session is closed.

Instrumentation

The implementation under test is monitored for undesired behaviour that could have security implications. Instrumentation methods can roughly be divided into two categories.

Out-of-band instrumentation on the target platform includes debuggers, resource monitoring or custom-made tools used to extract information from the implementation under test. Unfortunately, the modern trend of wrapping code in catch-all try/catch-style constructs easily masks the exceptions generated by stack and memory corruption; catching these hidden exceptions then relies on the debugging skills of the developers themselves. Where available, this is the preferred form of instrumentation.

In in-band instrumentation the implementation is monitored via the injection vector, i.e. the same interface used to deliver the test-cases. Although responses are not checked for protocol conformance, absent or malformed responses often reveal anomalous conditions such as denial of service. The ability to accept subsequent test-cases is also a straightforward indicator of how the previous test-case was handled. Especially with embedded devices, this form of instrumentation may be the only option easily available.

Valid-case instrumentation will be bundled with this test-material. In this rather crude method for in-band instrumentation, a valid PDU (valid-case) that should result in a valid reply is sent to the subject between real test-cases until a response is received. Hence, if no response from the subject is detected, it has failed. This method is especially convenient when testing black-box hardware implementations.

The valid-case was designed as a conforming Setup message. In normal call initiation process this message should result in Call Proceeding, Alerting and eventually Connect replies from the communication peers. Only reception of any single reply is instrumented and required for successful continuation of a test-run.
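The injection and valid-case instrumentation loop described above, as an added Python example (not the PROTOS injector): one TCP session per test-case, then the valid-case in its own session, a wait for any Q.931 reply with message type Call Proceeding (0x02), Alerting (0x01) or Connect (0x07), and the verdict failed when none arrives within the retry budget. The frames are constructed minimal Setup and Call Proceeding messages, not the full valid-case of the tables above, and MockTarget is a constructed stand-in for a subject that stops answering after a malformed frame, present only so the loop can be run end to end without a real H.323 endpoint; host, port, retry count and timeout values are assumptions.

```python
import socket
import struct
import threading

SETUP, CALL_PROCEEDING, ALERTING, CONNECT = 0x05, 0x02, 0x01, 0x07
ACCEPTED_REPLIES = {CALL_PROCEEDING, ALERTING, CONNECT}
TIMEOUT = 1.0  # assumed wait for a reply to the valid-case, in seconds

# Constructed minimal TPKT | Q.931 frames; the real valid-case is the full Setup
# described above. Call reference 0x0001; the reply carries the flag bit set.
VALID_CASE = bytes.fromhex("0300000e 08 02 0001 05 04 03 80 90 a3")
CALL_PROCEEDING_FRAME = bytes.fromhex("03000009 08 02 8001 02")
BAD_CASE = bytes.fromhex("03000040 08 02 0002 05")  # TPKT length 64, 9 octets sent


def q931_message_type(frame):
    """Message type of a TPKT-framed Q.931 message, or None if it does not parse."""
    if len(frame) < 7 or frame[0] != 0x03 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None
    body = frame[4:]
    cr_len = body[1] & 0x0F
    if body[0] != 0x08 or 2 + cr_len + 1 > len(body):
        return None
    return body[2 + cr_len] & 0x7F


def recv_exact(sock, n):
    """Read exactly n octets; None on EOF or timeout."""
    buf = bytearray()
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                return None
            buf += chunk
    except socket.timeout:
        return None
    return bytes(buf)


def recv_tpkt(sock):
    """Read one TPKT frame, trusting its length field only as far as data arrives."""
    header = recv_exact(sock, 4)
    if header is None or header[0] != 0x03:
        return None
    rest = recv_exact(sock, max(struct.unpack(">H", header[2:4])[0] - 4, 0))
    return None if rest is None else header + rest


def send_case(host, port, pdu, wait_reply):
    """One TCP session per test-case: connect, send, optionally read one reply, close."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
        sock.sendall(pdu)
        if not wait_reply:
            return None
        frame = recv_tpkt(sock)
        return None if frame is None else q931_message_type(frame)


def run_tests(host, port, cases, retries=3):
    """Inject each (index, pdu); then probe with the valid-case until it answers or
    the retries run out. No answer means the preceding test-case failed."""
    verdicts = {}
    for index, pdu in cases:
        try:
            send_case(host, port, pdu, wait_reply=False)
        except OSError:
            pass  # refused or reset: the valid-case probe decides the verdict
        reply = None
        for _ in range(retries):
            try:
                reply = send_case(host, port, VALID_CASE, wait_reply=True)
            except OSError:
                reply = None
            if reply in ACCEPTED_REPLIES:
                break
        verdicts[index] = "passed" if reply in ACCEPTED_REPLIES else "failed"
    return verdicts


class MockTarget(threading.Thread):
    """Constructed subject: replies Call Proceeding to a well-formed Setup and stops
    answering for good after a frame it cannot parse (crash, manual restart needed)."""

    def __init__(self):
        super().__init__(daemon=True)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(8)
        self.srv.settimeout(0.2)
        self.port = self.srv.getsockname()[1]
        self.down = self.stopping = False

    def run(self):
        while not self.stopping:
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(TIMEOUT)
                msg_type = q931_message_type(recv_tpkt(conn) or b"")
                if self.down:
                    continue
                if msg_type is None:
                    self.down = True
                elif msg_type == SETUP:
                    try:
                        conn.sendall(CALL_PROCEEDING_FRAME)
                    except OSError:
                        pass
        self.srv.close()

    def stop(self):
        self.stopping = True
        self.join()


if __name__ == "__main__":
    target = MockTarget()
    target.start()
    print(run_tests("127.0.0.1", target.port, [(0, VALID_CASE), (1, BAD_CASE), (2, VALID_CASE)]))
    target.stop()
```

Against a real subject the retry budget is what distinguishes the verdicts in the Results section: a subject that restarts automatically answers a later probe, one that hangs or needs a manual restart never does, and every case after it stays failed until someone intervenes.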

Results

Results from the test-runs are summarised herein. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent. Results are presented in a tabular form with test-cases divided into test-groups based on the exceptional element types utilised and PDU fields under examination.

Each failed test-case represents, at minimum, a denial of service type opportunity to exploit the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may expose the implementation to typical buffer overflow exploits, allowing arbitrary code to be run or the target system to be modified.

The verdict failed is granted if any of the following criteria is met and a single test-case can be identified to be responsible:

  • A device undergoes a fatal failure and stops functioning normally.
  • A process or a device crashes or hangs and needs to be restarted manually.
  • A process or a device crashes and restarts automatically.
  • A process consumes almost all CPU and/or memory resources for an exceptionally long or indefinite time.

If no single test-case can be identified but similar effects are observed, the verdict is inconclusive.

Sometimes, a subject gets corrupted so badly or is fundamentally so unstable that there is no way to collect accurate test-results for the whole test-run. Untested regions are marked as unknown.

Otherwise, the verdict is passed.

Observed failures in TPKT test-groups
Test-group / Test-run # 001 002 003 004 005 006 007 008
valid - - - - - - - -
TPKT - - - X - - - -
TPKT-Version - - - I - - - -
TPKT-Reserved - - - I - - - -
TPKT-Length - - - I - X - -

Legend:

  • nnn: Each different test-run (tr-nnn) represents a different tested implementation.
  • X: Verdict is failed
  • I: Verdict is inconclusive
  • -: Verdict is passed
  • ?: Verdict is unknown
Observed failures in Q.931 test-groups
Test-group / Test-run # 001 002 003 004 005 006 007 008
Q931 - - - X - - X -
Q931-Discriminator - - - X - - - -
Q931-Call-Reference - - - X - - X -
Q931-Call-Reference-Length - - - I - - - -
Q931-Call-Reference-Value - - - I - - X -
Q931-Message-Type - - - I - - - -
Q931-Message-Type-Cut-PDU - - - I - - - -
Q931-Bearer-Capability - - X I - - X -
Q931-Bearer-Capability-Id - - - I - - - -
Q931-Bearer-Capability-Length - - - I - - - -
Q931-Bearer-Capability-Payload - - - I - - X -
Q931-Bearer-Octet-3 - - - I - - - -
Q931-Bearer-Octet-4 - - - I - - - -
Q931-Bearer-Octet-5 - - - I - - - -
Q931-Bearer-Octet-Ext - - - I - - X -
Q931-Facility-Length - - - - - - - -
Q931-Facility-PDU - - - - - - X -
Q931-Facility-PDU-InvokeComponent-Sequence - - X - - - X -
Q931-Facility-PDU-InvokeComponent-Length - - X - - - X -
Q931-Facility-PDU-InvokeComponent-Value - - - - - - X -
Q931-Notification-Length - - - - - - - -
Q931-Notification-Value - - X - - - X -
Q931-Display - - X - - - X -
Q931-Display-Id - - - - - - - -
Q931-Display-Length - - - - - - X -
Q931-Display-Value-overflow - - X - - - X -
Q931-Display-Value-fmtstring - - - - - - X -
Q931-Keypad-Facility-Length - - - - - - - -
Q931-Keypad-Facility-Value-overflow - - X - - - X -
Q931-Keypad-Facility-Value-fmtstring - - - - - - X -
Q931-Signal-Length - - - - - - - -
Q931-Signal-Value - - - - - - X -
Q931-Calling-Party-Number-Length - - - - X - - -
Q931-Calling-Party-Number-Payload - - - - X - X -
Q931-Calling-Number-Octet-3 - - - - - - - -
Q931-Calling-Number-Digits-overflow - - X - X - X -
Q931-Calling-Number-Digits-fmtstring - - - - - - ? -
Q931-Called-Party-Number-Length - - - - X - ? -
Q931-Called-Party-Number-Payload - - - - X - ? -
Q931-Called-Number-Octet-3 - - - - - - ? -
Q931-Called-Number-Digits-overflow - - X - X - ? -
Q931-Called-Number-Digits-fmtstring - - - - - - ? -
Q931-Called-Party-Subaddress-Length - - - - - - ? -
Q931-Called-Subaddress-Payload - - - - - - ? -
Q931-Called-Subaddress-Octet-3 - - - - - - ? -
Q931-Called-Subaddress-Value-overflow - - X - - - ? -
Q931-Called-Subaddress-Value-fmtstring - - - - - - ? -
Q931-User-To-User - - - - - - X -
Q931-User-To-User-Id - - - - - - - -
Q931-User-To-User-Length - - - - - - - -
Q931-User-To-User-Payload - - - - - - X -
Q931-Discriminator-User-To-User - - - - - - - -

Legend: [see first result table above]

Observed failures in User-Information test-groups
Test-group / Test-run # 001 002 003 004 005 006 007 008
User-H323-User-Information - - X - - - X -
User-H323-Message-Body-Choices - - - - - - - -
User-Setup-UUIE - - - - - - X -
User-Setup-UUIE-Cut-PDU - - - - - - - -
User-ProtocolIdentifier-oid X - X - - - X -
User-ProtocolIdentifier-oid-underflow X - - - - - X -
User-ProtocolIdentifier-oid-underflow-Cut-PDU X - - - - - X -
User-SourceAddress X - X - - - X -
User-SourceAddress-AliasAddress-E164 X - X - - - X -
User-SourceAddress-AliasAddress-E164-Length - - - - - - ? -
User-SourceAddress-AliasAddress-E164-Value X - - - - - ? -
User-SourceAddress-AliasAddress-H323-ID X - X - - - ? -
User-SourceAddress-AliasAddress-H323-ID-Length - - X - - - ? -
User-SourceAddress-AliasAddress-H323-ID-Value-overflow X - X - - - ? -
User-SourceAddress-AliasAddress-H323-ID-Value-fmtstring X - X - - - ? -
User-SourceAddress-AliasAddress-H323-URL-Length - - - - - - ? -
User-SourceAddress-AliasAddress-H323-URL-Value-overflow X X X - - - ? -
User-SourceAddress-AliasAddress-H323-URL-Value-url X X X - - - ? -
User-SourceAddress-AliasAddress-H323-URL-Value-fmtstring X X X - - - ? -
User-SourceInfo-EndpointType - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-T35CountryCode - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-T35Extension - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-Vendor-ManufacturerCode - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-ProductId X - X - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-ProductId-Length - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-ProductId-Value - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-VersionId X - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-VersionId-Length - - - - - - ? -
User-SourceInfo-EndpointType-VendorIdentifier-VersionId-Value - - - - - - ? -
User-SourceInfo-EndpointType-TerminalInfo - - - - - - ? -
User-SourceInfo-EndpointType-TerminalInfo-NonstandardObject-oid X - X - - - ? -
User-SourceInfo-EndpointType-TerminalInfo-NonstandardObject-oid-underflow X - - - - - ? -
User-SourceInfo-EndpointType-TerminalInfo-NonstandardData X - X - - - ? -
User-DestinationAddress X - X - - - X -
User-DestinationAddress-AliasAddress-E164 X - - - - - ? -
User-DestinationAddress-AliasAddress-E164-Length - - - - - - ? -
User-DestinationAddress-AliasAddress-E164-Value X - - - - - ? -
User-DestinationAddress-AliasAddress-H323-ID X - - - - - ? -
User-DestinationAddress-AliasAddress-H323-ID-Length - - X - X - ? -
User-DestinationAddress-AliasAddress-H323-ID-Value-overflow X - X - - - ? -
User-DestinationAddress-AliasAddress-H323-ID-Value-fmtstring X - X - - - ? -
User-DestinationAddress-AliasAddress-H323-URL-Length - - - - - - ? -
User-DestinationAddress-AliasAddress-H323-URL-Value-overflow X X X - - - ? -
User-DestinationAddress-AliasAddress-H323-URL-Value-url X X X - - - ? -
User-DestinationAddress-AliasAddress-H323-URL-Value-fmtstring X X X - - - ? -
User-DestCallSignalAddress-TransportAddress X - - - - - ? -
User-DestCallSignalAddress-TransportAddress-IP - - - - - - - -
User-DestCallSignalAddress-TransportAddress-IP-Cut-PDU - - - - - - - -
User-DestCallSignalAddress-TransportAddress-Port - - - - - - - -
User-DestCallSignalAddress-TransportAddress-Port-Cut-PDU - - - - - - - -
User-DestCallSignalAddress-TransportAddress-IP6 - - - - - - - -
User-DestCallSignalAddress-TransportAddress-Port6 - - - - - - - -
User-DestCallSignalAddress-TransportAddress-NonStandardObject-oid X - X - - - X -
User-DestCallSignalAddress-TransportAddress-NonStandardObject-oid-underflow X - - - - - ? -
User-DestCallSignalAddress-TransportAddress-NonStandardData X - X - - - ? -
User-Setup-UUIE-Extension X - - - X - X -
User-SourceCallSignalAddress - - - - X - X -
User-SourceCallSignalAddress-TransportAddress X - - - X - ? -
User-SourceCallSignalAddress-TransportAddress-NonStandardObject-oid X - - - X - ? -
User-SourceCallSignalAddress-TransportAddress-NonStandardObject-oid-underflow X - - - - - ? -
User-SourceCallSignalAddress-TransportAddress-NonStandardData X - - - X - ? -
User-RemoteExtensionAddress - - - - X - ? -
User-RemoteExtensionAddress-H323-URL-Value X X - - - - ? -
User-CallIdentifier - - - - - - ? -
User-CallIdentifier-GloballyUniqueID X - - - - - ? -
User-Tokens - - - - - - ? -
User-Tokens-Payload X - - - - - ? -
User-ClearToken-oid X - - - - - ? -
User-ClearToken-TypedCertificate-oid X - - - - - ? -
User-ClearToken-TypedCertificate-certificate X - - - - - ? -
User-MediaWaitForConnect - - - - - - ? -
User-MediaWaitForConnect-Payload X - - - - - ? -
User-CanOverlapSend - - - - - - ? -
User-CanOverlapSend-Payload X - - - - - ? -
User-H323-UU-PDU-Extension X - - - - - X -
User-H245Tunneling - - - - - - X -
User-H245Tunneling-Payload X - - - - - X -

Legend: [see first result table above]

Please note that if a subject fails in a format string (fmtstring) test-group, the failure may be triggered by a very long format string causing an overflow condition. If an implementation failed a format string test-group but not the corresponding overflow test-group, it is more likely to contain a real format string type of vulnerability.

The results are further summarised in the table below.

Results Summary
Test-run # Total test-cases Failed test-cases Total groups Failed groups (inconclusive)
tr-001 4497 188 134 45
tr-002 4497 266 134 7
tr-003 4497 221 134 33
tr-004 4497 N 134 4(15)
tr-005 4497 61 134 13
tr-006 4497 2 134 1
tr-007 4497 N 134 N
tr-008 4497 0 134 0

Legend:

  • N: We were unable to determine the exact number of failures. See the more detailed tables above.

Verification via Exploits

To support the vulnerability reporting process, typically one exploit per implementation is refined and included in the respective vulnerability report. The exploit is only intended for demonstration purposes and is harmless as it is. The simplest of them only execute some harmless commands on the target system, typically with the privileges of the vulnerable process. Some only provide a demonstration by causing a Denial of Service (DoS) against the software.

Test-Material Package

Package Information

Test-material is distributed as a JAR-package. The package comprises the following elements:

  • Test-cases (PDUs), located in testcases/ directory
  • Java code (source and compiled) for feeding the test-cases against the system under test.
  • LICENSE.TXT - GNU General Public License (GPL) version 2
  • README.TXT - Very short instructions

Licence and Copyright

The test-material is licenced under GNU General Public License (GPL) version 2, at no charge. This is done in order to ensure that vendors and their customers may freely utilise the test-material. Standard GPL terms for no warranty and no liability apply.

We recommend some additional guidelines, although these do not restrict the test-material licence. These guidelines can be found in the "Test-suite releases in Theory and Practice" document.

Usage

A prerequisite for using the test-material is a properly configured and started application, preferably not in an open network. Please note that if PSTN-connected gateways are tested, the test-cases may cross network boundaries.

The test-material can be used either with the bundled injection code [Using with Java] or with an external injector [Using without Java].

Using with Java

Java Runtime is a prerequisite for running the bundled Java code. This package has been tested on Java 2 Platform, Standard Edition (J2SE) version 1.4. [13]

Usage examples for the injection code bundled in the JAR packages:

java -jar c07-h2250v4-r1.jar --help
This command displays the built-in help for the available command line options. Options such as selecting the valid-case instrument, a specific range of test-cases, showing the reply from the subject or a non-standard destination port are highlighted therein.
java -jar c07-h2250v4-r1.jar --host hostname --validcase
Runs all test-cases against the address hostname (TCP port 1720) with the recommended defaults for all delays. A valid case (test-case #0) is injected between the real test-cases and a reply to it is awaited. Please note that some implementations may not respond to our valid case as it is. These options were used for collection of the results presented herein, when applicable.

Using without Java

The test-cases (PDUs) are in raw binary format and can be used by any suitable delivery software, such as nc (netcat). The individual test-cases can be extracted from the JAR-package with tools such as unzip, winzip or jar. Refer to the manual pages and product documentation of the respective tools for additional information.

Download

Use of the latest release (highest number) is recommended. Older releases are provided for completeness and reproduction.

Release 2

Release 2 fixes the test material release 1 errata.

Release 1

Erratum: See Appendix A for a description of the missing ASN.1 extension marker bug in Release 1.

Notes

Instrumenting via the --validcase command line argument may not work with all subject implementations due to conflicting interpretations of the specifications. However, instrumenting via the ability to establish subsequent sessions should provide comparable results.

We observed an injector deadlock condition when using J2SE (build 1.4.0-b92) JVM on a multiprocessor machine, with minimal delays and when the injection target was on a loop-back device. However, this condition was not observed on any other platform nor with default delay values.

If a test-run is aborted and resumed without resetting the subject software, call identifier information hard-coded within the test-cases may appear recycled and may cause test-cases to be rejected as existing sessions. However, it should be safe to assume that sane implementations do not associate calls beyond the lifetime of the TCP session.

Conclusions

Although this test-suite only scratches the surface of the complex H.323 family of protocols, the failure rate was alarming. Many of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. In order to achieve a robustness baseline for H.323 products this test-material should be adopted for their evaluation and development.

Acknowledgements

We wish to express our gratitude to individual vendors who worked with us to protect their customers. We are in debt to Sonera Corporation for providing us facilities and support in determining the impact of the test-suite. We thank OSS Nokalva for pointing out a PER encoding bug which led to the discovery of a missing extension marker in the pr1 and subsequent r1 versions of the test-material. Last, but not least, we are grateful to NISCC for their patient help, advice and active role during the vulnerability process.

Vulnerability Management

Prior Public Vulnerabilities

The most common sources for vulnerability information and exploits were covered and cross checked for potential and already known vulnerabilities in the implementations of the chosen protocol. Typical sources for finding out about existing vulnerabilities are databases and mailing-lists. Search-engines may also reveal information on past vulnerabilities.

The following prior vulnerabilities were identified as H.323 related:

  • "Microsoft ISA Server H.323 Memory Leak Denial of Service Vulnerability" [14]
  • "Microsoft NetMeeting Remote Desktop Sharing DoS Vulnerability" [15]

These vulnerabilities were considered during the test-suite design, but reproducibility with this test-material was not verified. During the pre-release phase, additional vulnerabilities were identified:

  • "Ethereal Q.931 Protocol Dissector Denial of Service Vulnerability" [16]

The Vulnerability Process

During the prerelease phase all verified vulnerabilities were reported to the respective vendors. The vulnerability reports were tracked by the NISCC in the role of an independent coordinator and advisor. [17] An attempt was made to seek a channel to distribute the test material to vendors whose products we were not able to obtain for testing. A grace period of approximately 12 months was kept between the initial vendor notification and public release. After the announcement of the NISCC vulnerability advisory, an additional two-week delay was held before releasing this test-suite.

Advisories and Vendor Statements

Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test-suite are collected. Advisories that we are aware of are listed herein:

References

[1]
"PROTOS - Security Testing of Protocol Implementations". University of Oulu. http://www.ee.oulu.fi/research/ouspg/protos.
[2]
"H.323 Information Site". Packetizer (TM). http://www.packetizer.com/iptel/h323/.
[3]
ITU-T. (2000). "Recommendation H.323 - Packet-based multimedia communications systems. Version 4". International Telecommunication Union. http://standard.pictel.com/ftp/avc-site/till_0012/0011_Gen/H323v4-final_010206.zip.
[4]
ITU-T. (2000). "Recommendation H.225.0 - Call signalling protocols and media stream packetization for packet-based multimedia communication systems. Version 4". International Telecommunication Union. http://standard.pictel.com/ftp/avc-site/till_0012/0q011_Gen/H2250v4-final_010317.zip.
[5]
A. Karim. (1999). "Vulnerabilities And Security Limitations of Current IP Telephony Systems". Ohio State University. http://www.cis.ohio-state.edu/~jain/cis788-99/h323/index.html.
[6]
ITU-T. (2002). "H.323v4 Implementors' Guide". International Telecommunication Union. http://www.itu.int/itudoc/itu-t/com16/implgd/h323var_ww9.zip.
[7]
ITU-T. (1998). "Recommendation Q.931 - ISDN user-network interface layer 3 specification for basic call control". International Telecommunication Union. http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-Q.931-199805-I.
[8]
ITU-T. (1998). "Recommendation Q.932 - Generic procedures for the control of ISDN supplementary services". International Telecommunication Union. http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-Q.932-199805-I.
[9]
M. T. Rose, D. E. Cass. (1987). "RFC1006 - ISO Transport Service on top of the TCP Version 3". Northrop Research and Technology Center. http://www.ietf.org/rfc/rfc1006.txt.
[10]
ITU-T. (1997). "Recommendation X.691 - ASN.1 encoding rules - Specification of Packed Encoding Rules (PER)". International Telecommunication Union. http://www.itu.int/ITU-T/studygroups/com17/languages/X.691_1297.pdf.
[11]
"H.323 Products & Services". H.323 Forum. http://www.h323forum.org/products/.
[12]
"ITU-T T.35 Manufacturers Codes for H.3xx Devices". DELTA Protocol Test Solutions. http://www.delta-info.com/Protocol_Test/Manufacturer_codes.html.
[13]
"Java[tm] 2 Platform, Standard Edition v 1.4 Overview". Sun Microsystems. http://java.sun.com/j2se/1.4/.
[14]
Peter Grundl. (2001). "Microsoft ISA Server H.323 Memory Leak Denial of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/3196.
[15]
Kirk Corey. (2000). "Microsoft NetMeeting Remote Desktop Sharing DoS Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/1798.
[16]
Gerald Combs et al. (2003). "Ethereal Q.931 Protocol Dissector Denial of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9249.
[17]
"National Infrastructure Security Co-ordination Centre". http://www.niscc.gov.uk/.

Appendix A: Release Errata

Erratum: In the pr1 version of the test-material the TCP socket was not drained of incoming data before closing. This might have caused the test program to terminate the TCP connection prematurely by sending an RST packet (instead of FIN). A workaround was implemented in the r1 version. The workaround may cause the following error messages, which in most cases can be ignored:

#0: Connect success.
#0: Injecting test case, 226 bytes.
#0: Waiting 100 ms for reply...42 bytes received
#0: Waiting 50 ms before closing connection.
#0: ERROR: Stream closed.
#1: Connect success.
#1: Injecting test case, 0 bytes.
#1: Waiting 100 ms for reply...0 bytes received
#1: Waiting 50 ms before closing connection.
#1: ERROR: Stream closed.

Using --oldtcp switch will get rid of those ERRORs, but you might miss some data sent by the subject.
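The draining step that this erratum describes, as an added example (not the injector's own Java code): read whatever the subject has already sent before shutting the socket down, so the kernel closes with a FIN rather than answering the unread data with an RST, and return the drained bytes so they are not lost to the log. The `demo()` function exercises it offline over a socketpair with a constructed 42-byte reply; `idle_timeout` and `max_bytes` are parameters chosen for this example.

```python
"""Drain a socket before closing it (added example)."""
import select
import socket


def drain_and_close(sock: socket.socket, idle_timeout: float = 0.05,
                    max_bytes: int = 65536) -> bytes:
    """Read pending data from the peer, then shut down and close.

    idle_timeout bounds how long to wait once the receive queue is empty;
    max_bytes bounds a subject that never stops sending.  The drained bytes
    are returned so the caller can still show or log the subject's reply.
    """
    drained = bytearray()
    try:
        while len(drained) < max_bytes:
            readable, _, _ = select.select([sock], [], [], idle_timeout)
            if not readable:
                break                                # nothing more within idle_timeout
            chunk = sock.recv(min(4096, max_bytes - len(drained)))
            if not chunk:
                break                                # peer already closed its side
            drained.extend(chunk)
        try:
            sock.shutdown(socket.SHUT_RDWR)          # orderly close: FIN, not RST
        except OSError:
            pass                                     # peer may have gone first
    finally:
        sock.close()
    return bytes(drained)


def demo(reply: bytes = b"\x03\x00\x00\x2a" + b"\x00" * 38) -> bytes:
    """Offline demonstration: the 'subject' end writes a constructed 42-byte
    TPKT-looking reply that the 'injector' end has not read yet; the injector
    then drains it before closing."""
    injector, subject = socket.socketpair()
    try:
        subject.sendall(reply)
        return drain_and_close(injector)
    finally:
        subject.close()


def demo_peer_closed_first() -> bytes:
    """The peer has already closed: draining returns nothing and does not hang."""
    injector, subject = socket.socketpair()
    subject.close()
    return drain_and_close(injector)
```

A socketpair is AF_UNIX, so it exercises only the draining and shutdown logic; whether a real subject sees FIN or RST is TCP behaviour that a packet capture against the subject will show.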

Erratum: In the pr1 version of the test-material an ASN.1 extension marker was missing in the ClearToken specification, causing one byte to be left out in certain test-cases. In the test-case data, this resulted in zero-length (empty) tokenOIDs instead of the intended ones (0.0). This bug was fixed in test-material version r2. The original pre-release version 1 has been released as release version 1 for reproduction of the presented results. For a description of the error, see below.

Here is the test case 1742 decoded by Ethereal 0.9.3 with H.323 plugin
in which I made some markings ("****************"). In the
hexdump, TPKT starts at offset 0x36, Q.931 at 0x3a and User-to-user at
0x55.

[snip]
TPKT
    Version: 3
    Reserved: 0
    Length: 223
Q.931
    Protocol discriminator: Q.931
    Call reference value length: 2
    Call reference value: 06CE
    Message type: SETUP (0x05)
    Bearer capability
        Information element: Bearer capability
        Length: 3
        Coding standard: ITU-T standardized coding
        Information transfer capability: Speech
        Transfer mode: Circuit mode
        Information transfer rate: 64 kbit/s
        User information layer 1 protocol: Recommendation G.711 A-law
    Display
        Information element: Display
        Length: 15
        Display information: test-case 1742\000
    User-user
        Information element: User-user
        Length: 189
        Protocol discriminator: X.208 and X.209 coded user information
ITU-T Recommendation H.225.0
    h323_uu_pdu (H323-UU-PDU)
        h323_message_body (setup)
            setup
                protocolIdentifier: 0.0         **************** (1)
                sourceAddress (AliasAddress)
                    Item 0 (h323_ID)
                        h323_ID: c07-h2250v4
                sourceInfo (EndpointType)
                    vendor (VendorIdentifier)
                        vendor (H221NonStandard)
                            t35CountryCode: 60
                            t35Extension: 0
                            manufacturerCode: 61
                        productId: c07-h2250v4 test-suite
                        versionId: 1.0
                    terminal (TerminalInfo)
                    mc: False
                    undefinedNode: False
                destinationAddress (AliasAddress)
                    Item 0 (h323_ID)
                        h323_ID: c07-h2250v4
                destCallSignalAddress (ipAddress)
                    ipAddress
                        ip: 127.0.0.1 (127.0.0.1)
                        port: 1720
                activeMC: False
                conferenceID: 676C6F62-616C-6C79-2D75-6E69712D06CE
                conferenceGoal (create)
                    create: create
                callType (pointToPoint)
                    pointToPoint: pointToPoint
                sourceCallSignalAddress (ipAddress)
                    ipAddress
                        ip: 127.0.0.1 (127.0.0.1)
                        port: 1720
                remoteExtensionAddress (h323_ID)
                    h323_ID: c07-h2250v4
                callIdentifier (CallIdentifier)
                    guid: 676C6F62-616C-6C79-2D75-6E69712D06CE
                tokens (ClearToken)
                    Item 0 (H235-ClearToken)
                        tokenOID:            **************** (2)
                mediaWaitForConnect: False
                canOverlapSend: False
                multipleCalls: False
                maintainConnection: False
        h245Tunneling: False

0030  fa f0 86 74 00 00 03 00 00 df 08 02 06 ce 05 04   ...t............
0040  03 80 90 a3 28 0f 74 65 73 74 2d 63 61 73 65 20   ....(.test-case 
0050  31 37 34 32 00 7e 00 bd 05 20 b8 01 00 01 40 0a   1742.~... ....@.
0060  00 63 00 30 00 37 00 2d 00 68 00 32 00 32 00 35   .c.0.7.-.h.2.2.5
0070  00 30 00 76 00 34 22 c0 3c 00 00 3d 17 63 30 37   .0.v.4".<..=.c07
0080  2d 68 32 32 35 30 76 34 20 74 65 73 74 2d 73 75   -h2250v4 test-su
0090  69 74 65 00 00 04 31 2e 30 00 00 00 01 40 0a 00   ite...1.0....@..
00a0  63 00 30 00 37 00 2d 00 68 00 32 00 32 00 35 00   c.0.7.-.h.2.2.5.
00b0  30 00 76 00 34 00 7f 00 00 01 06 b8 00 67 6c 6f   0.v.4........glo
00c0  62 61 6c 6c 79 2d 75 6e 69 71 2d 06 ce 00 5f 4d   bally-uniq-..._M
00d0  80 07 00 7f 00 00 01 06 b8 18 40 0a 00 63 00 30   ..........@..c.0
00e0  00 37 00 2d 00 68 00 32 00 32 00 35 00 30 00 76   .7.-.h.2.2.5.0.v
00f0  00 34 11 00 67 6c 6f 62 61 6c 6c 79 2d 75 6e 69   .4..globally-uni
0100  71 2d 06 ce 04 01 00 01 00 01 00 01 00 01 00 01   q-..............
0110  00 02 80 01 00                                    .....           
[snap]


In this test-case the Protocol identifier OID is somewhat exceptional:
protocolIdentifier: 0.0         **************** (1)
This OID encodes as: 0x01 0x00 (length, {0.0} becomes 0x00) and can be 
found at offsets 0x5b-0x5c

Then there is the tokenOID:
tokens (ClearToken)
    Item 0 (H235-ClearToken)
        tokenOID:            **************** (2)

TokenOID should also be {0.0} (encoded as 0x01 0x00) similar to the
protocol identifier OID. The specs say the following.

- From H.225.0v4 ASN.1 specs:

[snip]
tokens   SEQUENCE OF ClearToken OPTIONAL,
[snap]

In H.323v3 implementors' guide they included the tokenOID in
the ClearToken structure (which was defined in H.235):

[snip]
ClearToken ::= SEQUENCE  -- a `token' may contain multiple value types.
      {
            tokenOID         OBJECT IDENTIFIER,
            timeStamp        TimeStamp OPTIONAL,
            password         Password OPTIONAL,
            dhkey            DHset OPTIONAL,
            challenge        ChallengeString OPTIONAL,
            random           RandomVal OPTIONAL,
            certificate            TypedCertificate OPTIONAL,
            generalID        Identifier OPTIONAL,
            nonStandard      NonStandardParameter OPTIONAL,
            . . .

      }

 -- An object identifier should be placed in the tokenOID field when a
 -- ClearToken is included directly in a message (as opposed to being
 -- encrypted).  In all other cases, an application should use the
 -- object identifier { 0 0 } to indicate that the tokenOID value is
 -- not present.
[snap]


tokens (ClearToken)
    Item 0 (H235-ClearToken)
        tokenOID:            **************** (2)

So this is encoded in offsets 0x104-0x108:

0x04 0x01 0x00 0x01 0x00 

0x04: open type length
0x01: SEQUENCE-OF count, one ClearToken
0x00: SEQUENCE bitfield, zero optional elements present
0x01: length of tokenOID
0x00: tokenOID {0.0}

This is wrong. It took me a while but I found the problem. It was in
the encoding of the SEQUENCE. As you see above, ClearToken has 8
optional elements and an extension marker. In PER the basic encoding
for sequence is a preamble bitfield which has one bit for each
optional element PLUS one bit for extension marker... Well guess who
had left out the extension bit? :D

8 elements + extension bit = 9 bits. Then we need 7 bit padding before
OID encoding and it all becomes like this:

0x05 0x01 0x00 0x00 0x01 0x00

So it was not a zero length OID, it was a wrongly encoded SEQUENCE
bitfield... Will be corrected for the next (pre)release. I guess I had
just bypassed the missing OID in the Ethereal output because if you
clicked on it, it highlighted "0x01 0x00" in the hexdump -- a correctly
encoded OID {0.0} :)

Can you believe it? All this hassle was caused by just one bit :)
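The one-bit difference worked through above, as an added example that is not part of the test-material or of the quoted message: a minimal aligned-PER bit writer following X.691 [10], used to encode the tokens open type both with the SEQUENCE extension bit (the r2 fix) and without it (the pr1/r1 bug). It models only a ClearToken that carries tokenOID and none of its eight OPTIONAL elements, which is the shape of test-case 1742; the expected byte strings are the ones the message gives for offsets 0x104-0x108.

```python
"""Aligned PER: SEQUENCE preamble with and without the extension bit (added example)."""


class BitWriter:
    """MSB-first bit sink with the octet alignment aligned PER requires."""

    def __init__(self):
        self.bits = []

    def write_bits(self, value: int, count: int) -> None:
        for shift in range(count - 1, -1, -1):
            self.bits.append((value >> shift) & 1)

    def align(self) -> None:
        while len(self.bits) % 8:
            self.bits.append(0)

    def write_length(self, n: int) -> None:
        # Unconstrained length determinant, short form only: one aligned octet.
        if not 0 <= n < 128:
            raise ValueError("only the single-octet length form is modelled here")
        self.align()
        self.write_bits(n, 8)

    def write_octets(self, data: bytes) -> None:
        self.align()
        for b in data:
            self.write_bits(b, 8)

    def to_bytes(self) -> bytes:
        self.align()
        return bytes(int("".join(map(str, self.bits[i:i + 8])), 2)
                     for i in range(0, len(self.bits), 8))


def encode_oid_content(arcs) -> bytes:
    """X.690 contents octets of an OBJECT IDENTIFIER; {0 0} becomes b'\\x00'."""
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    subids = [40 * arcs[0] + arcs[1]] + list(arcs[2:])
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]               # base-128, continuation bit on all but last
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_sequence_preamble(w: BitWriter, extensible: bool, optional_present) -> None:
    """X.691 18.1-18.2: the extension bit comes first when the type has '...',
    followed by one bit per OPTIONAL/DEFAULT component."""
    if extensible:
        w.write_bits(0, 1)                 # no extension additions in this value
    for present in optional_present:
        w.write_bits(1 if present else 0, 1)


def encode_clear_token(token_oid=(0, 0), with_extension_bit=True) -> bytes:
    """ClearToken carrying only tokenOID.  with_extension_bit=False reproduces
    the pr1/r1 bug: eight optional bits are written but the '...' bit is not."""
    w = BitWriter()
    encode_sequence_preamble(w, with_extension_bit, [False] * 8)
    content = encode_oid_content(token_oid)
    w.write_length(len(content))           # OID is octet-aligned: pads the preamble
    w.write_octets(content)
    return w.to_bytes()                    # ends on an octet boundary, no padding added


def encode_tokens_open_type(with_extension_bit=True) -> bytes:
    """'tokens SEQUENCE OF ClearToken' with one token, wrapped as the open type
    it is inside the extensible Setup-UUIE: length, count, token."""
    inner = BitWriter()
    inner.write_length(1)                  # SEQUENCE OF count: one ClearToken
    inner.write_octets(encode_clear_token((0, 0), with_extension_bit))
    body = inner.to_bytes()
    outer = BitWriter()
    outer.write_length(len(body))          # open type length determinant
    outer.write_octets(body)
    return outer.to_bytes()


if __name__ == "__main__":
    print("r2 :", encode_tokens_open_type(True).hex(" "))
    print("pr1:", encode_tokens_open_type(False).hex(" "))
```

With the extension bit the preamble is nine bits, so aligning for the OID length octet costs a whole extra zero byte; without it the eight bits fit in one octet and the encoding is a byte shorter, which is precisely why a decoder read an empty tokenOID.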
