[Serusers] [HEADS UP] security vulnerability in ser 0.8.10

Jiri Kuthan jiri at iptel.org
Sat Jan 18 10:13:09 CET 2003


Maxim,

thanks -- that's a good catch, shame on us. I entered your alert
and patch on ser's webpage under both 'issues' and 'security alerts'.

thanks a lot,

-Jiri

At 02:41 AM 1/18/2003, Maxim Sobolev wrote:
>Folks,
>
>While playing with SER I found that I can trigger a repeatable crash when
>doing REGISTER multiple times. A quick glance at the code in question
>revealed that indeed, when constructing the reply to a REGISTER message,
>SER uses a fixed-length buffer to put all non-expired contacts for that
>user and doesn't bother to check for overflow. The bug could be easily
>exploited by a complete stranger on servers that don't perform
>authentication of REGISTER requests, and by a user with valid
>credentials on servers that do authentication. Mounting the attack leads
>to denial of service.
>
>Attached please find a fake REGISTER message, which if sent to an open
>server kills it (nc -u my.sip.server 5060 < register.killser),
>and a patch to fix the problem.
>
>-Maxim
>

--
Jiri Kuthan            http://iptel.org/~jiri/ 
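
Added example, not part of either message above and not the patch attached to the report: a bounds-checked way to collect a user's contacts into a fixed-size reply buffer, which is the check the report says was missing. The buffer size, struct and function names are hypothetical and do not come from ser's source.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_BUF_LEN 128   /* assumed size, for illustration only */

struct contact_buf {
    char   data[REPLY_BUF_LEN];
    size_t len;             /* bytes used, excluding the NUL */
};

/* Append "Contact: <uri>;expires=N\r\n". Returns 0 on success, -1 if the
 * line would not fit; on failure the buffer content is left as it was. */
static int append_contact(struct contact_buf *b, const char *uri, int expires)
{
    size_t room = sizeof(b->data) - b->len;   /* always >= 1 (the NUL) */
    int n = snprintf(b->data + b->len, room,
                     "Contact: <%s>;expires=%d\r\n", uri, expires);
    if (n < 0 || (size_t)n >= room) {
        b->data[b->len] = '\0';   /* discard the truncated tail */
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Build the contact lines for one reply; returns how many contacts fit. */
static int build_contacts(struct contact_buf *b, const char **uris,
                          int count, int expires)
{
    int i;
    b->len = 0;
    b->data[0] = '\0';
    for (i = 0; i < count; i++)
        if (append_contact(b, uris[i], expires) != 0)
            break;   /* caller decides: shorten the list or reply with an error */
    return i;
}

int main(void)
{
    /* Constructed sample bindings, not taken from the original report. */
    const char *uris[] = { "sip:a@example.com", "sip:b@example.com",
                           "sip:c@example.com" };
    struct contact_buf b;
    int fit = build_contacts(&b, uris, 3, 3600);
    printf("%d of 3 contacts fit (%zu bytes)\n", fit, b.len);
    return 0;
}
```

Because the number of stored contacts is driven by how many REGISTER requests arrive, the length check has to run on every append rather than once per reply.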



