Folks,
While playing with SER I found that I can trigger a repeatable crash when doing REGISTER multiple times. A quick glance at the code in question revealed that indeed, when constructing the reply to a REGISTER message, SER uses a fixed-length buffer to put all non-expired contacts for that user and doesn't bother to check for overflow. The bug could be easily exploited by a complete stranger on servers that don't perform authentication of REGISTER requests, and by a user with valid credentials on servers that do authentication. Mounting the attack leads to denial of service.
Attached please find a fake REGISTER message which, if sent to an open server, kills it (nc -u my.sip.server 5060 < register.killser), and a patch to fix the problem.
-Maxim
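The defect described above is the classic one of formatting a variable number of items into a fixed-length buffer without tracking how much room is left. The following is an added illustration of a bounds-checked builder for a Contact header of the kind SER constructs for a REGISTER reply; it is not Maxim's patch and not SER's code. The `struct contact` record, the `CONTACT_BUF_LEN` size, the function names and the sample URIs are all assumptions made for the example. The point it shows is that the builder reports an overflow to the caller (who can then answer with an error) instead of writing past the end of the buffer or silently truncating the reply.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CONTACT_BUF_LEN 256   /* assumed fixed-length reply buffer, as in the report */

/* Hypothetical registration binding: URI plus seconds left before it expires. */
struct contact {
    const char *uri;
    int expires;
};

/*
 * Append all non-expired bindings to buf as a single Contact header line.
 * Returns the number of bytes written (excluding the NUL) or -1 if the fixed
 * buffer cannot hold the result. On -1 the buffer is left empty so a partial
 * header is never sent; the caller should reply with an error instead.
 */
int build_contact_header(char *buf, size_t buflen,
                         const struct contact *c, size_t n)
{
    size_t used = 0;
    int first = 1;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';

    for (size_t i = 0; i < n; i++) {
        if (c[i].expires <= 0)
            continue;                         /* skip expired bindings */
        int w = snprintf(buf + used, buflen - used, "%s<%s>;expires=%d",
                         first ? "Contact: " : ", ", c[i].uri, c[i].expires);
        /* snprintf returns the length it *wanted*; >= remaining means truncation */
        if (w < 0 || (size_t)w >= buflen - used) {
            buf[0] = '\0';
            return -1;
        }
        used += (size_t)w;
        first = 0;
    }

    if (used > 0) {                           /* terminate the header line */
        int w = snprintf(buf + used, buflen - used, "\r\n");
        if (w < 0 || (size_t)w >= buflen - used) {
            buf[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

/* Normal case: one live binding and one expired one (constructed sample data). */
int check_small_case(void)
{
    char buf[CONTACT_BUF_LEN];
    const struct contact c[2] = {
        { "sip:a@10.0.0.1", 3600 },
        { "sip:b@10.0.0.2", 0 },
    };
    const char *want = "Contact: <sip:a@10.0.0.1>;expires=3600\r\n";
    int n = build_contact_header(buf, sizeof buf, c, 2);
    return n == (int)strlen(want) && strcmp(buf, want) == 0;
}

/* Flood case: more live bindings than the buffer can hold (constructed). */
int check_flood_rejected(void)
{
    char buf[CONTACT_BUF_LEN];
    struct contact c[64];
    for (size_t i = 0; i < 64; i++) {
        c[i].uri = "sip:user@192.0.2.10:5060";
        c[i].expires = 3600;
    }
    int n = build_contact_header(buf, sizeof buf, c, 64);
    return n == -1 && buf[0] == '\0';         /* rejected, buffer left empty */
}

int main(void)
{
    printf("small case ok: %d\n", check_small_case());
    printf("flood rejected: %d\n", check_flood_rejected());
    return 0;
}
```

The detection opportunity for an operator is the same condition the code tests for: a reply builder that returns -1 for a user with an unusually long binding list is a signal worth logging and rate-limiting at the registrar, independent of whether REGISTER is authenticated.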