SIPp是免费的开源SIP协议测试工具和流量生成器。

SIPp在处理畸形请求数据时存在漏洞,远程攻击者可能利用此漏洞控制服务器。

SIPp的call.cpp文件中的get_remote_ip_media()和get_remote_ipv6_media()函数中存在栈缓冲区溢出漏洞:

122 uint32_t get_remote_ip_media(char *msg)
123 {
124     char pattern[] = "c=IN IP4 ";
125     char *begin, *end;
126     char ip[32];
127     begin = strstr(msg, pattern);
128     if (!begin) {
129         /* Can't find what we're looking at -> return no address */
130         return INADDR_NONE;
131     }
132     begin += sizeof("c=IN IP4 ") - 1;
133     end = strstr(begin, "\r\n");
134     if (!end)
135         return INADDR_NONE;
136     memset(ip, 0, 32);
137     strncpy(ip, begin, end - begin);
138     return inet_addr(ip);
139 }

145 uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
146 {
147     char pattern[] = "c=IN IP6 ";
148     char *begin, *end;
149     char ip[128];
150
151     memset(&addr, 0, sizeof(addr));
152     memset(ip, 0, 128);
153
154     begin = strstr(msg, pattern);
155     if (!begin) {
156         /* Can't find what we're looking at -> return no address */
157         return 0;
158     }
159     begin += sizeof("c=IN IP6 ") - 1;
160     end = strstr(begin, "\r\n");
161     if (!end)
162         return 0;
163     strncpy(ip, begin, end - begin);

两个函数都把 end - begin 直接作为 strncpy 的拷贝长度(第137行和第163行)。该长度由报文中 "c=IN IP4 " 或 "c=IN IP6 " 与其后第一个 "\r\n" 之间的内容决定,没有与目标缓冲区 ip 的大小(分别为32字节和128字节)进行比较,因此过长的地址字段会写到栈上缓冲区的边界之外。修复时应在拷贝前确认 end - begin 小于 sizeof(ip),超出时按无效地址返回。

如果远程攻击者发送了特制的SIP消息,就可以触发这些溢出,导致拒绝服务或执行任意指令。