[NEWS] Yate SIP Denial of Service Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Yate SIP Denial of Service Vulnerability
------------------------------------------------------------------------


SUMMARY

Yate (Yet Another Telephony Engine, http://yate.null.ro/) is "a
production-ready next-generation telephony engine". The SIP channel module
of Yate contains a denial of service vulnerability caused by a null
pointer dereference. It is triggered when the SIP module processes a SIP
message containing a "Call-Info" header whose value lacks the "purpose"
parameter.

DETAILS

Vulnerable Systems:
* Yate version 1.1.0

Immune Systems:
* Yate version 1.2.0

The flaw can be seen in the following source code snippet:

File: yate/modules/ysipchan.cpp
Lines: 1585 - 1594

 1: const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
 2: if (hl) {
 3:     const NamedString* type = hl->getParam("purpose");
 4:     if (!type || *type == "info")
 5:         m->addParam("caller_info_uri",*type);
 6:     else if (*type == "icon")
 7:         m->addParam("caller_icon_uri",*type);
 8:     else if (*type == "card")
 9:         m->addParam("caller_card_uri",*type);
10: }

Once the "Call-Info" header is found in the SIP message (line 1), the code
attempts to extract its "purpose" parameter (line 3). It then decides to
set the "caller_info_uri" parameter (line 5) to the value of the
"Call-Info" header. Due to a programming error, the parameter is assigned
the value of the "purpose" parameter instead of the header value. When the
"purpose" parameter is missing, getParam() (line 3) returns 0, the !type
test on line 4 selects that branch, and line 5 dereferences the null
pointer.
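
The same branch logic with the null case handled before any dereference, as an added example that is not Yate's code or its actual fix. HeaderLine, Param and mapCallInfo are hypothetical stand-ins for the Yate classes, and taking the value from the header follows the intent stated above.

```cpp
// Added example: stand-in types, not Yate's SIPHeaderLine/NamedString/Message.
#include <iostream>
#include <map>
#include <string>
#include <utility>

struct HeaderLine {
    std::string value;                          // header value (the URI)
    std::map<std::string, std::string> params;  // ";name=value" parameters

    // Same contract the advisory describes for getParam():
    // a null pointer is returned when the parameter is absent.
    const std::string* getParam(const std::string& name) const {
        auto it = params.find(name);
        return it == params.end() ? nullptr : &it->second;
    }
};

// (message parameter name, value); an empty name means "set nothing".
typedef std::pair<std::string, std::string> Param;

// "purpose" only selects which parameter is set. The value comes from the
// header itself, so a missing "purpose" is tested but never dereferenced.
Param mapCallInfo(const HeaderLine* hl) {
    if (!hl)
        return Param();                       // no Call-Info header at all
    const std::string* type = hl->getParam("purpose");
    if (!type || *type == "info")             // absent purpose treated as "info"
        return Param("caller_info_uri", hl->value);
    if (*type == "icon")
        return Param("caller_icon_uri", hl->value);
    if (*type == "card")
        return Param("caller_card_uri", hl->value);
    return Param();                           // unrecognised purpose
}

int main() {
    // Constructed sample headers, not captured traffic.
    HeaderLine noPurpose;
    noPurpose.value = "<http://example.invalid/info>";
    HeaderLine icon;
    icon.value = "<http://example.invalid/icon.png>";
    icon.params["purpose"] = "icon";
    const HeaderLine* cases[] = { &noPurpose, &icon, nullptr };
    for (const HeaderLine* hl : cases) {
        Param p = mapCallInfo(hl);
        std::cout << (p.first.empty() ? "(nothing set)" : p.first + "=" + p.second) << "\n";
    }
    return 0;
}
```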

CVE Information:
CVE-2007-1693
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1693>


ADDITIONAL INFORMATION

The information has been provided by Yuri Gushin <YuriG@xxxxxxxxxxx>.


