Date: Thu, 11 Oct 2007 22:49:48 +0200
From: S21sec Labs <labs@...sec.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: S21SEC-037-en: OPAL SIP Protocol Remote Denial of Service

##############################################################
                      - S21Sec Advisory -
##############################################################

    Title:  OPAL SIP Protocol Remote Denial of Service
       ID:  S21SEC-037-en
 Severity:  Medium - Remote DoS
  History:  11.Jun.2007 Vulnerability discovered
            09.Jul.2007 Vendor contacted
            15.Aug.2007 Patched
            17.Sep.2007 New version released

    Scope:  Remote Denial of Service
Platforms:  Any
   Author:  Jose Miguel Esparza (jesparza@...sec.com)
      URL:  http://www.s21sec.com/avisos/s21sec-037-en.txt
  Release:  Public


[ SUMMARY ]

OPAL (Open Phone Abstraction Layer) is an implementation of various
telephony and video communication protocols for use over packet based
networks. It's based on code from the OpenH323 project and adds new
features such as a stream based architecture, better support for
re-use or removal of sub-components, and explicit support for
additional protocols.


[ AFFECTED VERSIONS ]

The following versions are affected by this issue:

     - OPAL 2.2.8 and prior.

Some applications that use this library are also affected:

     - Ekiga 2.0.9 and prior.


[ DESCRIPTION ]

File:  sippdu.cxx
Function:  SIP_PDU::Read(OpalTransport & transport)
Instruction:  entityBody[contentLength] = '\0';

Insufficient validation of the Content-Length field of a SIP request
causes the application to crash due to memory mismanagement.
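
Added example (not code from OPAL, from its patch, or from this
advisory): one way to validate a Content-Length value before it is
used as a buffer index, as in the instruction quoted above. The names
parse_content_length, read_entity_body and kMaxSipBody, and the
65536-byte cap, are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Assumed upper bound on a SIP body; not a value taken from OPAL.
static const unsigned long kMaxSipBody = 65536;

static bool is_ws(char c) { return c == ' ' || c == '\t'; }

// Accept only an unsigned decimal number (optional surrounding whitespace)
// that does not exceed kMaxSipBody. Anything else is rejected.
bool parse_content_length(const std::string &value, std::size_t &out) {
    std::size_t i = 0, n = value.size(), digits = 0;
    unsigned long acc = 0;
    while (i < n && is_ws(value[i])) ++i;
    for (; i < n && std::isdigit(static_cast<unsigned char>(value[i])); ++i, ++digits) {
        acc = acc * 10 + static_cast<unsigned long>(value[i] - '0');
        if (acc > kMaxSipBody) return false;  // bail out long before acc can wrap
    }
    while (i < n && is_ws(value[i])) ++i;
    if (digits == 0 || i != n) return false;  // empty, signed, or trailing junk
    out = static_cast<std::size_t>(acc);
    return true;
}

// 'received' is a constructed stand-in for the bytes read from the transport.
bool read_entity_body(const std::string &header_value, const std::string &received,
                      std::vector<char> &entityBody) {
    std::size_t contentLength = 0;
    if (!parse_content_length(header_value, contentLength)) return false;
    if (contentLength > received.size()) return false;  // declares more than arrived
    entityBody.assign(contentLength + 1, '\0');          // room for the terminator
    std::copy(received.begin(), received.begin() + contentLength, entityBody.begin());
    entityBody[contentLength] = '\0';  // index is now known to be inside the buffer
    return true;
}

int main() {
    std::vector<char> body;
    // Constructed sample: a well-formed header with a matching body.
    return read_entity_body("5", "hello", body) ? 0 : 1;
}
```

On a stream transport a declared length larger than the bytes received
so far may only mean that more data is pending; the example treats the
message as already fully buffered.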


[ WORKAROUND ]

A patch is available at
http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20
but upgrading to the new version 2.2.10 is recommended.


[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

     - Jose Miguel Esparza <jesparza@...sec.com> S21sec labs


[ ADDITIONAL INFORMATION ]

This vulnerability was discovered during the development of the
network fuzzer Malybuzz, available at
http://malybuzz.sourceforge.net/


[ REFERENCES ]

* OpenH323 Project
   http://openh323.sourceforge.net/

* Ekiga
   http://ekiga.org

* S21Sec
   http://www.s21sec.com
   http://blog.s21sec.com

* Malybuzz
   http://malybuzz.sourceforge.net/
