18 Jan
2003
18 Jan
'03
1:41 a.m.
Folks,
While playing with SER I found that I can trigger repeatable crash when
doing REGISTER multiple times. Quick glance at the code in question
revealed that indeed, when constructing reply to REGISTER message,
SER uses fixed-lengh buffer to put all non-expired contacts for that
user and doesn't bother to check for overflow. The bug could be easily
exploited by a complete stranger on servers that don't perform
authentification of REGISTER requests, and by an user with a valid
credintals on server that do authentification. Mounting attack leads
to denial of service.
Attached please find fake REGISTER message, which if sent to open
server kills it (nc -u my.sip.server 5060 < register.killser),
and patch to fix the problem.
-Maxim