Sending a malformed Via header to OpenSIPS triggers a segmentation fault when the function calc_tag_suffix is called. A specially crafted Via header which is deemed correct by the parser, will pass uninitialized strings to the function MD5StringArray which leads to the crash. The following is a payload that demonstrates this issue:
OPTIONS sip:127.0.0.1 SIP/2.0<CRLF>
Via: SIP/2.0/\x16UD~PTo :::]<LF>
Via: SIP/2.0/UD~PToD~PTo :::]<LF>
\x16ia: SIP/2.0/UD~PTo ::trA><CRLF>
To:. <sv:>;tga\x91o5;tga=0fe
Impact
Abuse of this vulnerability leads to Denial of Service due to a crash. Since the uninitialized string points to memory location 0x0, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such as sl_send_reply or sl_gen_totag that trigger the vulnerable code.
Patches
This issue has been fixed by commit ab611f7.
References
Read more about this issue in the Audit Document section 3.10.
For more information
If you have any questions or comments about this advisory:
Sending a malformed
Viaheader to OpenSIPS triggers a segmentation fault when the functioncalc_tag_suffixis called. A specially craftedViaheader which is deemed correct by the parser, will pass uninitialized strings to the functionMD5StringArraywhich leads to the crash. The following is a payload that demonstrates this issue:Impact
Abuse of this vulnerability leads to Denial of Service due to a crash. Since the uninitialized string points to memory location
0x0, no further exploitation appears to be possible. No special network privileges are required to perform this attack, as long as the OpenSIPS configuration makes use of functions such assl_send_replyorsl_gen_totagthat trigger the vulnerable code.Patches
This issue has been fixed by commit ab611f7.
References
Read more about this issue in the Audit Document section 3.10.
For more information
If you have any questions or comments about this advisory: