by Tan Chew Keong
Release Date: 2006-07-25
A vulnerability has been found in AGEphone. When exploited, it allows execution of arbitrary code with the privileges of the user running AGEphone via a single specially-crafted UDP SIP packet.
Tested versions: AGEphone for Windows 1.24 and 1.38.1.
This advisory discloses a buffer overflow vulnerability in AGEphone.
AGEphone parses each UDP SIP packet received on its SIP session port with the unsafe "sscanf()" function, using "%s" conversions that carry no field width. Because nothing bounds the string written into each fixed-size stack buffer, a specially-crafted SIP packet causes a stack-based buffer overflow.
The vulnerability occurs in "sipd.dll" in a function that resembles the following:
if (receivedSIPdata != NULL) {
    // Skip leading SPACE and TAB characters
    while (*receivedSIPdata != '\0' &&
           (*receivedSIPdata == 0x20 || *receivedSIPdata == 0x09))
        receivedSIPdata++;

    if (strnicmp(receivedSIPdata, "SIP/", 4) == 0) {
        // BUFFER OVERFLOW when string read into buffer1 or buffer2 is overly long!!!
        // (neither "%s" has a field width, so the token length is unbounded)
        sscanf(receivedSIPdata, "%s %d %s\r\n", buffer1, value, buffer2);
    }
    else if (strnicmp(receivedSIPdata, "INVITE", 6) == 0) {
        /* ... */
    }
    else if (...) { // Other else-if statements to determine the SIP command
        /* ... */
    }
}
Example SIP UDP packets that can trigger the buffer overflow (the first overflows buffer1 through the first "%s", the second overflows buffer2 through the last "%s"):
SIP/AAAAAAAA[approx-68-bytes]AAAAAA 1 A
SIP/A 1 AAAAAAAA[approx-48-bytes]AAAAAA
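The following is an added example written for this advisory, not code from AGEphone or from the advisory's author. It shows how the status-line parse above can be written without the overflow: every token is length-checked against its destination buffer before it is copied, and a token that would not fit is rejected rather than silently truncated. The same check doubles as a detection rule for a SIP-aware filter. The buffer sizes (BUF1_LEN, BUF2_LEN), the function names and the two sample packets are assumptions constructed here; the packets are modelled on the advisory's two examples and are not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Hypothetical buffer sizes: the advisory does not state AGEphone's. They are
   chosen so that the advisory's two example packets (first token ~68+ bytes,
   third token ~48+ bytes) would overflow an unbounded sscanf() copy. */
#define BUF1_LEN 64
#define BUF2_LEN 48

enum sip_parse_result {
    SIP_OK = 0,
    SIP_NOT_STATUS_LINE = 1,   /* does not start with "SIP/" (a request, not a status line) */
    SIP_TOKEN_TOO_LONG = 2,    /* a token would not fit its buffer: the overflow case */
    SIP_MALFORMED = 3          /* missing token or non-numeric status code */
};

/* Fixed-size destination buffers, as in the DLL function. */
char g_buffer1[BUF1_LEN];
char g_buffer2[BUF2_LEN];

/* Skip leading SPACE and TAB, as the vulnerable function does. */
static const char *skip_ws(const char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Case-insensitive prefix test; stands in for the Windows-only strnicmp(). */
static int starts_with_nocase(const char *s, const char *prefix) {
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

/* Copy one whitespace-delimited token into dst, refusing tokens that do not fit.
   This is exactly the bound that the unsized "%s" in the original sscanf() lacks. */
static enum sip_parse_result copy_token(const char **pp, char *dst, size_t dstlen) {
    const char *p = *pp;
    size_t n = strcspn(p, " \t\r\n");     /* token length */
    if (n == 0) return SIP_MALFORMED;     /* expected a token, found none */
    if (n >= dstlen) return SIP_TOKEN_TOO_LONG;   /* no room for token + NUL */
    memcpy(dst, p, n);
    dst[n] = '\0';
    *pp = p + n;
    return SIP_OK;
}

/* Hardened equivalent of sscanf(data, "%s %d %s\r\n", buffer1, value, buffer2). */
enum sip_parse_result parse_sip_status_line(const char *data,
                                            char *buffer1, size_t b1,
                                            char *buffer2, size_t b2,
                                            int *value) {
    char numbuf[16];
    char *end;
    long v;
    enum sip_parse_result rc;
    const char *p = skip_ws(data);

    if (!starts_with_nocase(p, "SIP/")) return SIP_NOT_STATUS_LINE;
    if ((rc = copy_token(&p, buffer1, b1)) != SIP_OK) return rc;
    p = skip_ws(p);
    if ((rc = copy_token(&p, numbuf, sizeof numbuf)) != SIP_OK) return rc;
    v = strtol(numbuf, &end, 10);
    if (*end != '\0') return SIP_MALFORMED;     /* "%d" would have failed here */
    *value = (int)v;
    p = skip_ws(p);
    if ((rc = copy_token(&p, buffer2, b2)) != SIP_OK) return rc;
    return SIP_OK;
}

/* Wrapper using the fixed-size globals; usable as a pre-parse filter on a socket. */
enum sip_parse_result classify_packet(const char *pkt, int *value_out) {
    int v = 0;
    enum sip_parse_result rc = parse_sip_status_line(pkt, g_buffer1, sizeof g_buffer1,
                                                     g_buffer2, sizeof g_buffer2, &v);
    if (value_out) *value_out = v;
    return rc;
}

/* Constructed sample packets modelled on the advisory's two examples. */
const char *sample_packet(int which) {
    static char buf[256];
    size_t i;
    if (which == 0) {                 /* overlong first token: would overflow buffer1 */
        strcpy(buf, "SIP/");
        for (i = 0; i < 80; i++) buf[4 + i] = 'A';
        strcpy(buf + 84, " 1 A\r\n");
    } else {                          /* overlong third token: would overflow buffer2 */
        strcpy(buf, "SIP/A 1 ");
        for (i = 0; i < 60; i++) buf[8 + i] = 'A';
        strcpy(buf + 68, "\r\n");
    }
    return buf;
}

int main(void) {
    int code;
    printf("benign:   %d\n", classify_packet("SIP/2.0 200 OK\r\n", &code));
    printf("sample 0: %d\n", classify_packet(sample_packet(0), NULL));
    printf("sample 1: %d\n", classify_packet(sample_packet(1), NULL));
    return 0;
}
```

A legitimate status line ("SIP/2.0 200 OK") parses with SIP_OK and a value of 200; both constructed packets come back as SIP_TOKEN_TOO_LONG before a single byte is written past either buffer. The same length rule can be applied at a SIP proxy or IDS: a status-line token longer than a few dozen bytes never occurs in well-formed traffic and is worth logging.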
POC / Test Code
The following POC code exploits the vulnerability in AGEphone to launch the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.
NOTE: each installation of AGEphone is assigned a different SIP port, so you must specify the target's SIP port number when testing with this POC.
Usage: AGEphoneExp.exe <destIP> <destSIP_PORT>
AGEphoneExp.exe 192.168.1.111 16100
Patch / Workaround
Update to version 1.40.
2006-07-21 - Vulnerability Discovered.
2006-07-22 - Initial Vendor Notification.
2006-07-24 - Vendor Released Fixed Version.
2006-07-25 - Public Release.