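Vulnerability details
SIPp call.cpp multiple remote stack overflow vulnerabilities
- CNNVD ID: CNNVD-200805-096
- Severity: High
- CVE ID: CVE-2008-2085
- Vulnerability type: Buffer overflow
- Published: 2008-05-12
- Threat type: Remote
- Updated: 2009-04-08
- Vendor: icewalkers
- Vulnerability source: Nico Golde nion@d...
Vulnerability summary
SIPp is a free, open-source test tool and traffic generator for the SIP protocol.
SIPp contains a vulnerability in its handling of malformed request data; a remote attacker may be able to exploit it to take control of the server.
Stack overflow vulnerabilities exist in the get_remote_ip_media() and get_remote_ipv6_media() functions in SIPp's call.cpp file: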
uint32_t get_remote_ip_media(char *msg)
{
    char pattern[] = "c=IN IP4 ";
    char *begin, *end;
    char ip[32];
    begin = strstr(msg, pattern);
    if (!begin) {
        /* Can't find what we're looking at -> return no address */
        return INADDR_NONE;
    }
    begin += sizeof("c=IN IP4 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
        return INADDR_NONE;
    memset(ip, 0, 32);
    strncpy(ip, begin, end - begin);
    return inet_addr(ip);
}

uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
{
    char pattern[] = "c=IN IP6 ";
    char *begin, *end;
    char ip[128];

    memset(&addr, 0, sizeof(addr));
    memset(ip, 0, 128);

    begin = strstr(msg, pattern);
    if (!begin) {
        /* Can't find what we're looking at -> return no address */
        return 0;
    }
    begin += sizeof("c=IN IP6 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
        return 0;
    strncpy(ip, begin, end - begin);
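A remote attacker who sends a specially crafted SIP message can trigger these overflows, resulting in a denial of service or the execution of arbitrary instructions.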
Vulnerability advisory
The vendor has released an upgrade patch that fixes this security issue. Patch download link:
http://people.debian.org/~nion/nmu-diff/sip-tester-2.0.1-1.1_2.0.1-1.2.patch
References
Source: FEDORA
Name: FEDORA-2008-6219
Link: https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00318.HTML
Source: FEDORA
Name: FEDORA-2008-6210
Link: https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00311.HTML
Source: XF
Name: sipp-getremoteipmedia-bo(42234)
Link: http://xforce.iss.net/xforce/xfdb/42234
Source: BID
Name: 29064
Link: http://www.securityfocus.com/bid/29064
Source: SECUNIA
Name: 30993
Link: http://secunia.com/advisories/30993
Source: SECUNIA
Name: 30095
Link: http://secunia.com/advisories/30095
Source: bugs.debian.org
Link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479039
Source: VUPEN
Name: ADV-2008-1447
Link: http://www.frsirt.com/english/advisories/2008/1447/references
Affected entities
- Icewalkers Sipp:3.1
Patches
None available