Vulnerability Research Advisory

AGEphone "sipd.dll" SIP Packet Handling Buffer Overflow

by Tan Chew Keong
Release Date: 2006-07-25



A vulnerability has been found in AGEphone. When exploited, the vulnerability allows execution of arbitrary code with the privileges of the user running AGEphone via a single specially-crafted UDP SIP packet; no prior call setup or authentication is required.

Tested Versions

AGEphone for Windows versions 1.24 and 1.38.1


This advisory discloses a buffer overflow vulnerability in AGEphone.

AGEphone parses the start line of each UDP SIP packet received on its SIP session port with "sscanf()" using "%s" conversions that carry no field-width limit. A start-line token longer than the fixed-size destination buffer therefore overflows the stack, so a single specially-crafted SIP packet triggers a stack-based buffer overflow.

The vulnerability occurs in "sipd.dll" in a function that resembles the following:

DWORD function_100115D0(char *receivedSIPdata)
{
	DWORD value;
	char buffer1[20];
	char buffer2[40];

	if (receivedSIPdata != NULL) {
		// Skip leading SPACE and TAB characters
		while (*receivedSIPdata == 0x20 || *receivedSIPdata == 0x09)
			receivedSIPdata++;

		if (strnicmp(receivedSIPdata, "SIP/", 4) == 0) {
			// BUFFER OVERFLOW: "%s" has no field width, so a token longer than
			// 19 bytes (buffer1) or 39 bytes (buffer2) overruns the stack buffer
			sscanf(receivedSIPdata, "%s %d %s\r\n", buffer1, &value, buffer2);
			return value;
		}
		else if (strnicmp(receivedSIPdata, "INVITE", 6) == 0) {
			...
		}
		else if (...) {		// Other else-if statements to determine the SIP command
			...
		}
	}
}

Example SIP UDP packet that can trigger the buffer overflow:

SIP/AAAAAAAA[approx-68-bytes]AAAAAA 1 A
From: test
To: test


SIP/A 1 AAAAAAAA[approx-48-bytes]AAAAAA
From: test
To: test
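The following C program is an added example and is not part of this advisory or of AGEphone's code. It shows two ways to repair the "%s %d %s" start-line parser reconstructed above, and a small builder that produces packets in the shape of the two triggers listed above so the parsers can be exercised offline. The function names (parse_status_line_widths, parse_status_line_safe, build_trigger, parse_trigger), the 256-byte packet buffer and the 1xx..6xx status-code range check are assumptions made for the example; strncasecmp stands in for the Windows strnicmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp; on Windows use _strnicmp from <string.h> */

#define VERSION_LEN 20   /* buffer1 in the advisory's pseudocode */
#define REASON_LEN  40   /* buffer2 in the advisory's pseudocode */

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Minimal fix for the "%s %d %s" call: field widths one below each buffer size
 * plus a check on the conversion count. Once "%19s" stops early, the rest of a
 * long version token sits in front of "%d", that conversion fails and sscanf
 * returns 1. An overlong reason phrase is still silently truncated. */
static int parse_status_line_widths(const char *line)
{
    int code;
    char version[VERSION_LEN], reason[REASON_LEN];

    line = skip_ws(line);
    if (strncasecmp(line, "SIP/", 4) != 0)
        return -1;
    if (sscanf(line, "%19s %d %39s", version, &code, reason) != 3)
        return -1;
    return code;
}

/* Stricter form: measure each token before copying and reject anything that
 * does not fit, so no input is silently altered. The reason phrase runs to the
 * end of the line, so "Not Found" survives as a whole. */
static int parse_status_line_safe(const char *line)
{
    char version[VERSION_LEN], reason[REASON_LEN];
    char *end;
    long code;
    size_t n;

    line = skip_ws(line);
    if (strncasecmp(line, "SIP/", 4) != 0)
        return -1;
    n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= sizeof version)
        return -1;
    memcpy(version, line, n);
    version[n] = '\0';

    line = skip_ws(line + n);
    code = strtol(line, &end, 10);
    if (end == line || code < 100 || code > 699)   /* SIP status codes are 1xx..6xx */
        return -1;

    line = skip_ws(end);
    n = strcspn(line, "\r\n");
    if (n >= sizeof reason)
        return -1;
    memcpy(reason, line, n);
    reason[n] = '\0';
    return (int)code;
}

/* Constructed packet in the shape the advisory shows: "SIP/" followed by
 * ver_pad 'A's as the version token, the status code, then reason_pad 'A's.
 * Returns the packet length, or 0 if it would not fit in out[]. */
static size_t build_trigger(char *out, size_t cap, size_t ver_pad, int code,
                            size_t reason_pad)
{
    static const char hdrs[] = "\r\nFrom: test\r\nTo: test\r\n\r\n";
    char *p = out;

    if (4 + ver_pad + 16 + reason_pad + sizeof hdrs > cap)
        return 0;
    memcpy(p, "SIP/", 4);              p += 4;
    memset(p, 'A', ver_pad);           p += ver_pad;
    p += sprintf(p, " %d ", code);
    memset(p, 'A', reason_pad);        p += reason_pad;
    memcpy(p, hdrs, sizeof hdrs);      p += sizeof hdrs - 1;
    return (size_t)(p - out);
}

/* Build a trigger and hand it to one of the parsers; -2 means it did not fit. */
static int parse_trigger(int (*parser)(const char *), size_t ver_pad, int code,
                         size_t reason_pad)
{
    char pkt[256];
    if (build_trigger(pkt, sizeof pkt, ver_pad, code, reason_pad) == 0)
        return -2;
    return parser(pkt);
}

int main(void)
{
    printf("widths parser, 68-byte version token: %d\n",
           parse_trigger(parse_status_line_widths, 68, 1, 1));
    printf("safe parser,   48-byte reason phrase: %d\n",
           parse_trigger(parse_status_line_safe, 1, 1, 48));
    return 0;
}
```

The field-width fix is the one-line change a vendor would typically ship, and it does stop both overflows, but it accepts the second trigger (status code 1 with a 39-byte prefix of the reason phrase) and quietly drops the rest of any overlong field. The strcspn-based parser refuses anything that would not fit and keeps the full reason phrase, which is the behaviour to prefer when the parsed values are used later.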

POC / Test Code

The following POC code will exploit the vulnerability in AGEphone to execute the harmless calculator (calc.exe). The POC has been successfully tested on English Windows XP SP2.

NOTE: A different SIP port is assigned to each installation of AGEphone, so you must specify the SIP port number of the target when testing with this POC.

Usage : AGEphoneExp.exe <destIP> <destSIP_PORT>

Example: AGEphoneExp.exe <destIP> 16100

Patch / Workaround

Update to version 1.40.

Disclosure Timeline

2006-07-21 - Vulnerability Discovered.
2006-07-22 - Initial Vendor Notification.
2006-07-24 - Vendor Released Fixed Version.
2006-07-25 - Public Release.

For further enquiries, comments, suggestions or bug reports, simply email them to