sngrep: stack overflow via malformed SDP connection address
Published on Nov 20, 2020 in sngrep, denial of service, security advisory
- Fixed versions: 1.4.8
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-04-sngrep-malformed-connection-address/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-04-sngrep-malformed-connection-address
- Tested vulnerable versions: 1.4.7
- Timeline:
  - Report date: 2020-09-16
  - sngrep confirmed issue + patch: 2020-09-16
  - sngrep release with fix: 2020-11-10
  - Enable Security advisory: 2020-11-20
Description
When sent a specially crafted SIP message whose SDP body carries a malformed (over-long) connection address in the c= line, sngrep 1.4.7 aborts. The address is copied into a fixed-size stack buffer in sip_parse_msg_media (sip.c:740); when that function returns, the stack protector finds its canary corrupted and calls __stack_chk_fail, so the process dies with "stack smashing detected". The following backtrace was generated during our tests:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2 0x00007ffff7d583ee in __libc_message (
action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dfa9ba in __GI___fortify_fail (
msg=msg@entry=0x7ffff7e82064 "stack smashing detected")
at fortify_fail.c:26
#4 0x00007ffff7dfa986 in __stack_chk_fail () at stack_chk_fail.c:24
#5 0x0000555555560651 in sip_parse_msg_media (msg=0x7ffff0046c60,
payload=<optimized out>) at sip.c:740
#6 0x3131313131313131 in ?? ()
#7 0x3131313131313131 in ?? ()
Frames #6 and #7 show return addresses of 0x3131313131313131, i.e. eight ASCII '1' bytes: the overflow ran past the canary into the saved return address, and only the stack protector turned it into a clean abort; a build without stack protection would not stop at this point. The issue was originally discovered during OpenSIPIt and was tracked down and analyzed for severity and impact later.
sngrep: buffer overflow via malformed SDP media type
Published on Nov 20, 2020 in sngrep, buffer overflow, denial of service, security advisory
- Fixed versions: 1.4.8
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2020-03-sngrep-malformed-media-type/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2020-03-sngrep-malformed-media-type
- Tested vulnerable versions: 1.4.7
- Timeline:
  - Report date: 2020-09-16
  - sngrep confirmed issue + patch: 2020-09-16
  - sngrep release with fix: 2020-11-10
  - Enable Security advisory: 2020-11-20
Description
When sent a specially crafted SIP message whose SDP m= line carries a malformed (over-long) media type, sngrep 1.4.7 aborts. media_set_type (media.c:65) copies the type with strcpy into a 15-byte buffer (destlen=15 in frame #5 below) and the _FORTIFY_SOURCE replacement __strcpy_chk detects that the 200-plus-byte source does not fit, so the process dies with "buffer overflow detected". The following backtrace was generated during our tests:
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2 0x00007ffff7d583ee in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7dfa9ba in __GI___fortify_fail (
msg=msg@entry=0x7ffff7e82012 "buffer overflow detected") at fortify_fail.c:26
#4 0x00007ffff7df9256 in __GI___chk_fail () at chk_fail.c:28
#5 0x00007ffff7df8b36 in __strcpy_chk (dest=0x7ffff00306f2 "",
src=0x7ffff79fcad1 'A' <repeats 200 times>..., destlen=destlen@entry=15)
at strcpy_chk.c:30
#6 0x0000555555563f72 in strcpy (__src=<optimized out>, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7 media_set_type (media=<optimized out>, type=<optimized out>) at media.c:65
#8 0x0000000000000000 in ?? ()
Because the abort comes from __strcpy_chk, a build compiled without _FORTIFY_SOURCE would not stop here; the copy would simply overrun the 15-byte buffer. The issue was originally discovered during OpenSIPIt and was tracked down and analyzed for severity and impact later.
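Both advisories on this page come down to the same bug class in SDP parsing: a token taken from the c= or m= line is copied into a fixed-size buffer without a length check. The C program below is an added illustration and is not sngrep's code. The buffer sizes (15 bytes for the media type, taken from destlen=15 in the second backtrace; 46 bytes for the address) and every function name, including the deliberately unsafe media_set_type_unsafe, are assumptions for the example. It shows the unbounded strcpy pattern beside a bounded parser that rejects over-long c= and m= fields, and runs the parser over a constructed well-formed body and a constructed body whose media type is 200 'A' bytes, the shape visible in the __strcpy_chk frame.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes are assumptions for this example, not sngrep's layout: 15 matches
 * destlen=15 in the media-type backtrace, 46 holds any textual IP address. */
#define MEDIA_TYPE_MAX 15
#define ADDR_MAX       46

struct sdp_media {
    char type[MEDIA_TYPE_MAX + 1];   /* from the m= line, e.g. "audio" */
    char address[ADDR_MAX];          /* from the c= line */
    int  port;                       /* from the m= line */
};

/* The bug class behind both advisories: an unbounded strcpy of an attacker-
 * controlled token into a fixed buffer. Hypothetical name, shown for contrast only. */
void media_set_type_unsafe(struct sdp_media *m, const char *token)
{
    strcpy(m->type, token);          /* overflows once token exceeds 15 bytes */
}

/* Hardened copy: at most dst_size-1 bytes, anything longer is rejected. */
static int copy_token(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len == 0 || len >= dst_size) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one SDP line of line_len bytes. Returns 0 on success (or for lines
 * this example ignores), -1 if a c= or m= field is malformed or too long. */
static int parse_sdp_line(struct sdp_media *m, const char *line, size_t line_len)
{
    if (line_len < 2 || line[1] != '=')
        return 0;
    const char *p = line + 2, *end = line + line_len;

    if (line[0] == 'c') {            /* c=<nettype> <addrtype> <connection-address> */
        const char *sp1 = memchr(p, ' ', end - p);
        const char *sp2 = sp1 ? memchr(sp1 + 1, ' ', end - sp1 - 1) : NULL;
        if (!sp2) return -1;
        return copy_token(m->address, sizeof m->address, sp2 + 1, end - sp2 - 1);
    }
    if (line[0] == 'm') {            /* m=<media> <port> <proto> <fmt> ... */
        char portbuf[6], *e;
        const char *sp = memchr(p, ' ', end - p);
        if (!sp || copy_token(m->type, sizeof m->type, p, sp - p) < 0) return -1;
        const char *q = sp + 1, *sp2 = memchr(q, ' ', end - q);
        if (copy_token(portbuf, sizeof portbuf, q, (sp2 ? sp2 : end) - q) < 0) return -1;
        long port = strtol(portbuf, &e, 10);
        if (*e != '\0' || port < 0 || port > 65535) return -1;
        m->port = (int)port;
    }
    return 0;
}

/* Parse a CRLF- or LF-separated SDP body into *m: 0 if every line was
 * accepted, -1 at the first rejected line. */
static int parse_sdp_body(struct sdp_media *m, const char *body)
{
    memset(m, 0, sizeof *m);
    for (const char *p = body; *p; ) {
        size_t len = strcspn(p, "\r\n");
        if (parse_sdp_line(m, p, len) < 0)
            return -1;
        for (p += len; *p == '\r' || *p == '\n'; p++)
            ;
    }
    return 0;
}

/* Wrappers that report the outcome without exposing the struct. */
static int sdp_body_accepted(const char *body)
{
    struct sdp_media m;
    return parse_sdp_body(&m, body);
}

static int sdp_body_matches(const char *body, const char *type, const char *addr, int port)
{
    struct sdp_media m;
    return parse_sdp_body(&m, body) == 0 && strcmp(m.type, type) == 0
        && strcmp(m.address, addr) == 0 && m.port == port;
}

int main(void)
{
    /* Constructed bodies: a well-formed one, and one whose media type is 200 'A's. */
    const char *good = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n";
    char bad[512] = "c=IN IP4 192.0.2.10\r\nm=";
    size_t n = strlen(bad);
    memset(bad + n, 'A', 200);
    strcpy(bad + n + 200, " 49170 RTP/AVP 0\r\n");

    printf("well-formed body:     %s\n", sdp_body_accepted(good) == 0 ? "accepted" : "rejected");
    printf("200-byte media type:  %s\n", sdp_body_accepted(bad) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of copy_token is that the length check happens before any byte is written and the caller gets an error it must handle, so an over-long c= address or m= media type is dropped at parse time instead of being trusted later; with the unsafe helper the same 200-byte type is written straight over whatever follows the 15-byte field, and only a fortified libc or a stack canary turns that into the aborts shown in the two backtraces.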