Item |
Attack | Remote
Attack port | 5060
Target OS | Unix/Windows
CVE | CVE-2005-4466
MS |
PAM |
SIP Proxy i3sipmsg.dll buffer overflow (SIP_Proxy_Overflow)
About this signature or vulnerability
RealSecure Server Sensor, RealSecure Network Sensor:
This signature detects an overflow in the way the Interaction SIP Proxy routes incoming SIP messages.
Default risk level
High
Sensors that have this signature
RealSecure Server Sensor: XPU 24.31, RealSecure Network Sensor: XPU 24.31
Systems affected
Windows NT: 4.0, Windows: 98, Windows: 98 Second Edition, Windows 2000: Any version, Windows: Me, Windows: XP, Windows 2003: Any version, SIP Proxy: 3.0.010
Type
Unauthorized Access Attempt
Vulnerability description
SIP Proxy from Interaction is a SIP (Session Initiation Protocol) application for Microsoft Windows operating systems. SIP Proxy version 3.0.010 is vulnerable to a denial of service attack, caused by a heap-based buffer overflow in i3sipmsg.dll. By sending a specially-crafted request containing 2900 bytes of encoded space (0x20) or TAB (0x9) characters as the SIP version in a REGISTER request line, a remote attacker could overflow a buffer and cause the application to crash. It is also possible for an attacker to exploit this vulnerability to execute arbitrary code on the system.
How to remove this vulnerability
No remedy available as of December 2005.
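With no vendor fix available, one compensating control is to reject malformed request lines before they reach the proxy. The following is an added example, not part of the original signature text or of any vendor's detection logic: a check on the SIP-Version field of the request line, run over constructed sample datagrams. The finding labels, the 16-byte limit, the host `example.test` and the reading of "encoded" as percent-encoding are assumptions.

```python
from urllib.parse import unquote_to_bytes

MAX_VERSION_LEN = 16  # assumed limit; the only valid token, "SIP/2.0", is 7 bytes


def inspect_request_line(datagram: bytes) -> list[str]:
    """Return findings for the first line of a SIP message ([] means clean)."""
    line = datagram.split(b"\r\n", 1)[0]
    if line.upper().startswith(b"SIP/"):
        return []  # status line of a response, not a request
    # RFC 3261: Request-Line = Method SP Request-URI SP SIP-Version
    parts = line.split(b" ", 2)
    if len(parts) != 3:
        return ["malformed-request-line"]
    version = parts[2]
    findings = []
    if len(version) > MAX_VERSION_LEN:
        findings.append("version-field-too-long")
    # Decode %20 / %09 so encoded and raw padding are treated alike.
    decoded = unquote_to_bytes(version)
    if decoded and not decoded.strip(b" \t"):
        findings.append("version-field-all-whitespace")
    if version.upper() != b"SIP/2.0":
        findings.append("version-not-2.0")
    return findings


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "normal": b"REGISTER sip:example.test SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n",
    "other-version": b"REGISTER sip:example.test SIP/3.0\r\n\r\n",
    "space-padding": b"REGISTER sip:example.test " + b" " * 64 + b"\r\n\r\n",
    "tab-padding": b"REGISTER sip:example.test " + b"\t" * 64 + b"\r\n\r\n",
    "encoded-padding": b"REGISTER sip:example.test " + b"%20" * 64 + b"\r\n\r\n",
    "response": b"SIP/2.0 200 OK\r\n\r\n",
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(f"{name:16} {inspect_request_line(datagram)}")
```

The check does not depend on the exact padding length, so it flags any whitespace-only or oversized version field rather than one specific payload size.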
Test environment
Priority | OS | IP
Intruder: | Windows2000 | 192.168.221.11
Victim: | Windows2000 | 192.168.221.180
Sensor | Proventia M10 | XPU1.7.0
Proof-of-concept code
C:\tool>i3sip.pl
Interactive SIP proxy heap corruption POC
By Behrang Fouladi, Hat-Squad Security Team
Usage: perl C:\tool\BrightStor_Discovery_UDP_Overflow_i3sip.pl <target> <size>
C:\tool>i3sip.pl 192.168.221.180 44444
Interactive SIP proxy heap corruption POC
By Behrang Fouladi, Hat-Squad Security Team
Exploit Sent to 192.168.221.180...
The SIP Proxy should crash now.
Trace
Event list
Priority | Signature name | Detection count
High | SIP_Proxy_Overflow | 3
Low | SIP_Version_Not2 | 5
Event details