
Tags Buffer Overflow

VoIPmonitor: static builds lack memory corruption protections

Description

The binaries available for download at https://www.voipmonitor.org/download are built without any memory corruption protection in place. The following is output from the tool hardening-check:

hardening-check voipmonitor:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: unknown, no -fcf-protection instructions found!

When stack protection, Fortify Source and the other protection mechanisms are in place, exploitation of a memory corruption vulnerability normally results in a program crash rather than remote code execution. Most modern build toolchains enable these features by default. When they are not used, attackers may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run arbitrary code. In this advisory we demonstrate how a buffer overflow reported in a separate advisory could be abused to run arbitrary code because the static build releases of VoIPmonitor lack these standard memory corruption protections.


VoIPmonitor: buffer overflow in live sniffer

Description

A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function save_packet_sql is defined as a fixed-length array of 1024 characters and is set to the value of a SIP request or response line. A sufficiently long request or response line therefore overflows this buffer. The affected code is:


sngrep: buffer overflow via malformed SDP media type

Description

When sending a specially crafted SIP message with a malformed SDP media type, sngrep crashes due to a buffer overflow. The following backtrace was generated during our tests:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d583ee in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dfa9ba in __GI___fortify_fail (
    msg=msg@entry=0x7ffff7e82012 "buffer overflow detected") at fortify_fail.c:26
#4  0x00007ffff7df9256 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff7df8b36 in __strcpy_chk (dest=0x7ffff00306f2 "", 
    src=0x7ffff79fcad1 'A' <repeats 200 times>..., destlen=destlen@entry=15)
    at strcpy_chk.c:30
#6  0x0000555555563f72 in strcpy (__src=<optimized out>, __dest=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7  media_set_type (media=<optimized out>, type=<optimized out>) at media.c:65
#8  0x0000000000000000 in ?? ()

The issue was originally discovered during OpenSIPIt and was tracked down and analyzed for severity and impact later.
