what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

yate-dos.txt

yate-dos.txt
Posted May 3, 2007
Authored by Yuri Gushin

Yate version 1.1.0 suffers from a denial of service vulnerability due to a null pointer reference.

tags | advisory, denial of service
advisories | CVE-2007-1693
SHA-256 | bf971e0d8192dbc7b4a1f344f636029f44bae424d1afdfc4430a2a296f1f7ee1

yate-dos.txt

Change Mirror Download
Yate 1.1.0 Denial of Service Vulnerability



Risk: Medium


Background:


Yate (Yet Another Telephony Engine) is a production-ready next-generation telephony engine.

More information about this application could be obtained from the following site:

http://yate.null.ro/


Description:


The SIP channel module of Yate contains a denial of service vulnerability, introduced by a
null pointer dereference, which could be provoked by having the SIP module process SIP messages
containing the "Call-Info" header, without the "purpose" parameter as part of its value.

The flaw can be seen in the following source code snippet:

File: yate/modules/ysipchan.cpp
Lines: 1585 - 1594

1: const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
2: if (hl) {
3: const NamedString* type = hl->getParam("purpose");
4: if (!type || *type == "info")
5: mp type->addParam("caller_info_uri",*type);
6: else if (*type == "icon")
7: m->addParam("caller_icon_uri",*type);
8: else if (*type == "card")
9: m->addParam("caller_card_uri",*type);
10: }

Once the "Call-Info" header is found in the SIP message (line 1), there is an attempt to extract
the "purpose" parameter (line 3).
Afterwards, a decision is made to set the "caller_info_uri" parameter (line 5) to the value of the
"Call-Info" header, though due to a programming error, instead of assigning the parameter with the
header value, it is being assigned with the value of the "purpose" parameter - allowing for a null
pointer dereference, when the call to getParam() (line 3) returns 0 in case of a missing "purpose" parameter.


Analysis:

Exploiting this vulnerability could allow for denial of service to Yate and disruption of the VoIP
infrastructure.

By default no authentication is required to exploit this vulnerability, allowing for spoofed UDP SIP
messages to trigger the flaw.


Radware DefensePro IPS Solution:

Radware DefensePro customers are protected against this vulnerability since the release of signature
database version 0006.0030.00 by RWID's 7334,7338 and 7342.


Detection:

Radware Security Operations Center has confirmed the existence of this vulnerability in Yate 1.1.0.
Previous versions are also suspected to be vulnerable.


Workaround:

A workaround for this vulnerability is currently not known.


Vendor Response:

The maintainers of Yate addressed this vulnerability with the release of Yate 1.2.0.


CVE Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1693 to this issue.


Disclosure Timeline:

March 25, 2007 - Initial vendor notification
March 25, 2007 - Initial vendor response
March 26, 2007 - Vendor fixes flaw in CVS
April 16, 2007 - Vendor releases fixed version
April 30, 2007 - Attack database release
May 1, 2007 - Advisory release


Credit:

Yuri Gushin, Radware Security Operations Center


Legal Information:

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance for use in
an AS IS condition. There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close