##############################################################
                    - S21Sec Advisory -
##############################################################

    Title:   OPAL SIP Protocol Remote Denial of Service
       ID:   S21SEC-037-en
 Severity:   Medium - Remote DoS
  History:   11.Jun.2007 Vulnerability discovered
             09.Jul.2007 Vendor contacted
             15.Aug.2007 Patched
             17.Sep.2007 New version released
    Scope:   Remote Denial of Service
Platforms:   Any
   Author:   Jose Miguel Esparza (jesparza@s21sec.com)
      URL:   http://www.s21sec.com/avisos/s21sec-037-en.txt
  Release:   Public

[ SUMMARY ]

OPAL (Open Phone Abstraction Layer) is an implementation of various
telephony and video communication protocols for use over packet-based
networks. It is based on code from the OpenH323 project and adds new
features such as a stream-based architecture, better support for re-use
or removal of sub-components, and explicit support for additional
protocols.

[ AFFECTED VERSIONS ]

The following versions are affected by this issue:

    - OPAL 2.2.8 and prior.

Some applications which use this library are affected too:

    - Ekiga 2.0.9 and prior.

[ DESCRIPTION ]

       File:   sippdu.cxx
   Function:   SIP_PDU::Read(OpalTransport & transport)
Instruction:   entityBody[contentLength] = '\0';

Insufficient validation of the Content-Length field of a SIP request
causes the application to crash due to memory mismanagement.

[ WORKAROUND ]

A patch is available at the URL

    http://openh323.cvs.sourceforge.net/openh323/opal/src/sip/sippdu.cxx?r1=2.83.2.19&r2=2.83.2.20

but upgrading to the new version 2.2.10 is recommended.
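
The kind of check the [ DESCRIPTION ] section refers to, validating Content-Length (digits only, bounded, not larger than the bytes received) before it is used as a buffer index. This is an added example, not OPAL's code or the vendor patch; parse_content_length, read_entity_body and the 65536-byte cap kMaxBody are assumptions made for illustration.

```cpp
// Added example, not OPAL code. All names and the size cap are hypothetical.
#include <cstddef>
#include <cstdio>
#include <string>

static const std::size_t kMaxBody = 65536;  // assumed upper bound for a SIP body

// Strict parse of a Content-Length value: decimal digits only, no sign,
// optional surrounding whitespace, and never larger than kMaxBody.
bool parse_content_length(const std::string& value, std::size_t& out) {
    std::size_t b = value.find_first_not_of(" \t");
    if (b == std::string::npos) return false;          // empty or blank
    std::size_t e = value.find_last_not_of(" \t");
    std::size_t n = 0;
    for (std::size_t i = b; i <= e; ++i) {
        char c = value[i];
        if (c < '0' || c > '9') return false;          // rejects '-', '+', junk
        n = n * 10 + static_cast<std::size_t>(c - '0');
        if (n > kMaxBody) return false;                // bounded, so no overflow
    }
    out = n;
    return true;
}

// Copies the body out of the bytes actually received. The declared length is
// used as an index only after it is validated and checked against the input.
bool read_entity_body(const std::string& header_value,
                      const std::string& received, std::string& body) {
    std::size_t len = 0;
    if (!parse_content_length(header_value, len)) return false;
    if (len > received.size()) return false;           // header claims too much
    body.assign(len + 1, '\0');                        // room for the terminator
    received.copy(&body[0], len);
    body[len] = '\0';                                  // indexed write, in bounds
    body.resize(len);
    return true;
}

int main() {
    // Constructed sample header values, each paired with 11 received bytes.
    const char* samples[] = {"5", "-1", "99999999999999999999", "12", "5x"};
    for (const char* s : samples) {
        std::string body;
        bool ok = read_entity_body(s, "hello world", body);
        std::printf("Content-Length '%s': %s\n", s, ok ? "accepted" : "rejected");
    }
    return 0;
}
```
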

[ ACKNOWLEDGMENTS ]

This vulnerability has been found and researched by:

    - Jose Miguel Esparza, S21sec labs

[ ADDITIONAL INFORMATION ]

This vulnerability was discovered during the development of the network
fuzzer Malybuzz, available at http://malybuzz.sourceforge.net/

[ REFERENCES ]

* OpenH323 Project
  http://openh323.sourceforge.net/

* Ekiga
  http://ekiga.org

* S21Sec
  http://www.s21sec.com
  http://blog.s21sec.com

* Malybuzz
  http://malybuzz.sourceforge.net/