OpenSER 'parse_config' Parse_Expression函数远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192356 漏洞类型 缓冲区溢出
发布时间 2006-12-26 更新时间 2006-12-28
CVE编号 CVE-2006-6749 CNNVD-ID CNNVD-200612-523
漏洞平台 N/A CVSS评分 9.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2006120151
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-523
|漏洞详情
OpenSER1.1.0中的parse_config中parse_expression函数存在缓冲区溢出,攻击者可以通过长的str参数来制造未知的影响。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
____

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2006.042
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2006.042
Advisory Published:      2006-12-26 12:44 UTC

Issue Id (internal):     OpenPKG-SI-20061226.01
Issue First Created:     2006-12-26
Issue Last Modified:     2006-12-26
Issue Revision:          11
________________________________________________________________________
____

Subject Name:            OpenSER
Subject Summary:         SIP router
Subject Home:            http://www.openser.org/
Subject Versions:        * <= 1.1.0

Vulnerability Id:        BID:21706
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system
Attack Impact:           arbitrary code execution

Description:
    A buffer overflow was discovered [0] in the "parse_expression"
    function of the "permissions" module of the SIP router OpenSER [1],
    versions up to and including 1.1.0. The OpenSER "permissions" module
    is used to determine if a SIP call has appropriate permission to be
    established. The "parse_expression" function is used during parsing
    of the modules local allow/deny configuration files.
    
    The buffer overflow is triggered by parsing a configuration
    line expression consisting of more than 500 characters and
    potentially could lead to the execution of arbitrary code under
    the privileges of the OpenSER process. Successfully exploiting the
    vulnerability requires that the local attacker has write access
    to the configuration files used with the configuration functions
    "allow_routing", "allow_register" and "allow_refer_to".

References:
    [0] http://www.securityfocus.com/archive/1/455097
    [1] http://www.openser.org/
________________________________________________________________________
____

Primary Package Name:    openser
Primary Package Home:    http://openpkg.org/go/package/openser

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        openser-1.1.0-E1.0.1
________________________________________________________________________
____

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
________________________________________________________________________
____

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFFkQsHZwQuyWG3rjQRApGOAKCVVCW9h1gKay9HA1isBkPhxpgxxACfWJNq
jUBWsY4pWZ+WaOv7IQjnrMQ=
=IyjS
-----END PGP SIGNATURE-----
|参考资料

来源:BUGTRAQ
名称:20061226[OpenPKG-SA-2006.042]OpenPKGSecurityAdvisory(openser)
链接:http://www.securityfocus.com/archive/1/archive/1/455300/100/0/threaded
来源:OPENPKG
名称:OpenPKG-SA-2006
链接:http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.042.html
来源:XF
名称:openser-parseconfig-bo(31035)
链接:http://xforce.iss.net/xforce/xfdb/31035
来源:BID
名称:21706
链接:http://www.securityfocus.com/bid/21706
来源:BUGTRAQ
名称:20061220OpenSER1.1.0parse_configbufferoverflowvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/455097/100/0/threaded
来源:VUPEN
名称:ADV-2006-5167
链接:http://www.frsirt.com/english/advisories/2006/5167
来源:SREASON
名称:2083
链接:http://securityreason.com/securityalert/2083