by Tan Chew Keong
Release Date: 2006-07-25
Summary
A vulnerability has been found in AGEphone. When exploited, the vulnerability allows execution of arbitrary code with privileges of the AGEphone user via a single specially-crafted UDP SIP packet.
Tested Versions
AGEphone for Windows versions 1.24 and 1.38.1
Details
This advisory discloses a buffer overflow vulnerability in AGEphone.
AGEphone uses the unsafe "sscanf()" function, with unbounded "%s" conversions, when processing a UDP SIP packet received via its SIP session port. This causes a stack-based buffer overflow when a specially-crafted SIP packet is received.
The vulnerability occurs in "sipd.dll" in a function that resembles the following:
DWORD function_100115D0(char *receivedSIPdata)
{
    DWORD value;
    char buffer1[20];
    char buffer2[40];

    if(receivedSIPdata != NULL)
    {
        // Skip leading SPACE and TAB characters
        while(*receivedSIPdata != '\0')
        {
            if(*receivedSIPdata == 0x20 || *receivedSIPdata == 0x09)
                receivedSIPdata++;
            else
                break;
        }
        if(strnicmp(receivedSIPdata, "SIP/", 4) == 0)
        {
            // BUFFER OVERFLOW when string read into buffer1 or buffer2 is overly long!!!
            // "%s" carries no field width, so sscanf() copies each token up to the next
            // whitespace regardless of the 20-byte and 40-byte sizes of buffer1 and buffer2.
            sscanf(receivedSIPdata, "%s %d %s\r\n", buffer1, &value, buffer2);
            return value;
        }
        else if(strnicmp(receivedSIPdata, "INVITE", 6) == 0)
        {
            ...
        }
        else if(...) // Other else-if statements to determine the SIP command
        {
        }
    }
}
Example SIP UDP packet that can trigger the buffer overflow:
SIP/AAAAAAAA[approx-68-bytes]AAAAAA 1 A
From: test
To: test
Or:
SIP/A 1 AAAAAAAA[approx-48-bytes]AAAAAA
From: test
To: test
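Added here as an illustration, not code from the advisory or from AGEphone: a bounded replacement for the sscanf() call in the pseudocode above. Each token is measured before it is copied into the 20-byte and 40-byte buffers, so lines shaped like the two trigger packets are rejected instead of overrunning the stack. The buffer sizes come from the pseudocode; check_constructed_line() is a hypothetical helper that builds such lines for testing.

```c
#include <stdlib.h>
#include <string.h>
#define VERSION_CAP 20 /* buffer1[20] in the advisory's pseudocode */
#define REASON_CAP  40 /* buffer2[40] in the advisory's pseudocode */

/* Skip leading SPACE/TAB, then copy the next token (ended by space, tab or CRLF) at *p
 * into dst. Returns its length, or -1 if it is empty or would not fit in cap bytes. */
static int take_token(const char **p, char *dst, size_t cap)
{
    *p += strspn(*p, " \t");
    size_t n = strcspn(*p, " \t\r\n");
    if (n == 0 || n >= cap) return -1;   /* measure before copying */
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p += n;
    return (int)n;
}

/* Bounded replacement for sscanf(data, "%s %d %s\r\n", buffer1, &value, buffer2).
 * Returns the status code, or -1 if the line is malformed or any field is oversized. */
int parse_sip_status_line(const char *line)
{
    char version[VERSION_CAP], reason[REASON_CAP], digits[12], *end;
    const char *p = line;
    long code;
    if (line == NULL) return -1;
    p += strspn(p, " \t");
    /* case-insensitive "SIP/" check, as the original strnicmp() does */
    if (!((p[0] | 0x20) == 's' && (p[1] | 0x20) == 'i' && (p[2] | 0x20) == 'p' && p[3] == '/'))
        return -1;
    if (take_token(&p, version, sizeof version) < 0) return -1;
    if (take_token(&p, digits, sizeof digits) < 0) return -1;
    code = strtol(digits, &end, 10);
    if (*end != '\0' || code < 0 || code > 999) return -1;
    return take_token(&p, reason, sizeof reason) < 0 ? -1 : (int)code;
}

/* Hypothetical test helper: builds a line shaped like the advisory's trigger packets
 * ("SIP/" + ver_a 'A's + " 1 " + reason_a 'A's + CRLF, constructed here) and parses it. */
int check_constructed_line(size_t ver_a, size_t reason_a)
{
    char buf[256];
    size_t i = 4;
    if (ver_a + reason_a + 10 > sizeof buf) return -1;
    memcpy(buf, "SIP/", 4);
    memset(buf + i, 'A', ver_a);    i += ver_a;
    memcpy(buf + i, " 1 ", 3);      i += 3;
    memset(buf + i, 'A', reason_a); i += reason_a;
    memcpy(buf + i, "\r\n", 3);     /* copies the NUL terminator too */
    return parse_sip_status_line(buf);
}
```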
POC / Test Code
The following POC code will exploit the vulnerability in AGEphone to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.
NOTE: A different SIP port will be assigned to each installation of AGEphone. You must specify the SIP PORT number of the target when testing using this POC.
Usage: AGEphoneExp.exe <destIP> <destSIP_PORT>
Example:
AGEphoneExp.exe 192.168.1.111 16100
Patch / Workaround
Update to version 1.40.
Disclosure Timeline
2006-07-21 - Vulnerability Discovered.
2006-07-22 - Initial Vendor Notification.
2006-07-24 - Vendor Released Fixed Version.
2006-07-25 - Public Release.