18 Jan
2003
18 Jan
'03
9:13 a.m.
Maxim,
thanks -- that's a good catch, shame on us. I entered your alert
and patch on ser's webpage under both 'issues' and 'security alerts'.
thanks a lot,
-Jiri
At 02:41 AM 1/18/2003, Maxim Sobolev wrote:
Folks,
While playing with SER I found that I can trigger repeatable crash when
doing REGISTER multiple times. Quick glance at the code in question
revealed that indeed, when constructing reply to REGISTER message,
SER uses fixed-lengh buffer to put all non-expired contacts for that
user and doesn't bother to check for overflow. The bug could be easily
exploited by a complete stranger on servers that don't perform
authentification of REGISTER requests, and by an user with a valid
credintals on server that do authentification. Mounting attack leads
to denial of service.
Attached please find fake REGISTER message, which if sent to open
server kills it (nc -u my.sip.server 5060 < register.killser),
and patch to fix the problem.
-Maxim
--
Jiri Kuthan http://iptel.org/~jiri/