#188: Malformed/fuzzed sip invite msgs will crash client
-----------------------------+----------------------------------------------
 Reporter:  carlitoburgante  |       Owner:  vadim          
     Type:  defect           |      Status:  new            
 Priority:  major            |   Milestone:  QuteCom 2.2-RC2
Component:  3rd party libs   |     Version:  2.2-RC3        
 Keywords:  security crash   |  
-----------------------------+----------------------------------------------
 (Build QuteCom 2.2 rev49cd2a2682c9-20081218143907 used)

 When sending fuzzed/malformed SIP INVITE messages to the QuteCom client,
 several crashes occur in the following locations:

 * phapi.dll:10013924 cmp dl,[ecx] from thread 5840 caused access violation

 * phapi.dll:10013917 mov eax,[edx+0x4] from thread 2412 caused access violation

 Below are the crash locations and the test case numbers associated with
 each crash:

 python  sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin

 [8] phapi.dll:10013924 cmp dl,[ecx] from thread 5840 caused access violation
         24726, 25529, 25538, 25539, 25540, 25643, 25699, 25701,

 [28] phapi.dll:10013917 mov eax,[edx+0x4] from thread 2412 caused access violation

        46, 4449, 4450, 4451, 4493, 4494, 4495, 4537, 4538, 4539, 4581,
 4582, 4583, 5337, 5338, 5339, 8985, 8986, 8987, 9741, 9742, 9743, 21084,
 21085, 21086, 24730, 24731,

 Below are the debug process captures/stack unwinds for test cases
 (24726, 25529, 25538) and (46, 4449, 4450), which should help pinpoint the
 area to fix.

 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 24726
 phapi.dll:10013924 cmp dl,[ecx] from thread 5840 caused access violation
 when attempting to read from 0x00000000

 CONTEXT DUMP
   EIP: 10013924 cmp dl,[ecx]
   EAX: 02cd1ba8 (  46996392) -> 192.168.3.104 (heap)
   EBX: 01e384e8 (  31687912) -> D2)Xxx-C (heap)
   ECX: 00000000 (         0) -> N/A
   EDX: 02cd1e31 (  46997041) ->
 !081337expires192.168.3.104en5060192.168.3.104 R
 p&0$max-forwardsa: #7 (heap)
   EDI: 00000000 (         0) -> N/A
   ESI: 02cdae98 (  47034008) -> Xh0act?`PKmethod]S&sipQ$c"
 sip.`,5060*subject(rp
 ort6UDP4 (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> h?a S8 $'t^p+()`|&)`+()(|&)(|&)Hp #'p$'p
 $'4%x2)
 D84%8)x (stack)
   +00: 02cc9d00 (  46963968) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 02cd1b68 (  46996328) ->
 S4cbranch192.168.3.101192.168.3.104e192.168.3.1
 04methodUDPX FDsomefromtagvalC!A8O70HMP (heap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 02ce5320 (  47076128) -> 0P h...@!fsdp0tdpassword (heap)
   +10: 010ffd38 (  17825080) ->
 k\80gu[ugk\z],h)g...@kg7#a^9cd2a2682c9\u[p^[i^ut
 eComx-|\...@^]8` (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]
         0x10013932 jnz 0x10013942
         0x10013934 add eax,0x2
         0x10013937 add ecx,0x2
         0x1001393a test dl,dl
         0x1001393c jnz 0x10013922

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8

 C:\voiper-0.06>

 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 25529
 phapi.dll:10013924 cmp dl,[ecx] from thread 444 caused access violation
 when attempting to read from 0x00000000

 CONTEXT DUMP
   EIP: 10013924 cmp dl,[ecx]
   EAX: 099710b0 ( 160895152) -> 192.168.3.104 (heap)
   EBX: 01e384e8 (  31687912) -> 2)Xxx-C (heap)
   ECX: 00000000 (         0) -> N/A
   EDX: 09973231 ( 160903729) ->
 FINVITEHmethodJH282L2X2N192.168.3.104nQmaddrS2x2
 U2W5060Y192.168.3.104\H^3(a"Negativa"d<sip (heap)
   EDI: 00000000 (         0) -> N/A
   ESI: 099714d0 ( 160896208) ->
 z9hG4bK6h9po42dw0v5zlxeb18rftsncyga3mqkaaaa:aaaa
 
:aaaa:aaaa:aaaa:aaaa:aaaa:aaaaXm192.168.3.101aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:
 aaaagnzf3h0qm4o26sbxvia7wept (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> !?a8 $'tp+()`|&)`+()(|&)(|&)Hp #'p$'p
 $'I#4%#x2)
 D84%8)x (stack)
   +00: 099721d0 ( 160899536) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 09970a98 ( 160893592) -> umenUx2676x2hp68r (heap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 09970ab0 ( 160893616) -> x2676x2hp68r64434p:testeu (heap)
   +10: 010ffd38 (  17825080) ->
 K\80gu[ugK\z],h)g...@kg7#a^9cd2a2682c9\u[p^[i^ut
 eComx-|\...@^]8` (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]
         0x10013932 jnz 0x10013942
         0x10013934 add eax,0x2
         0x10013937 add ecx,0x2
         0x1001393a test dl,dl
         0x1001393c jnz 0x10013922

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8



 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 25538
 phapi.dll:10013924 cmp dl,[ecx] from thread 1540 caused access violation
 when attempting to read from 0x00000000

 CONTEXT DUMP
   EIP: 10013924 cmp dl,[ecx]
   EAX: 0989ffb0 ( 160038832) -> 192.168.3.104 (heap)
   EBX: 01e384e8 (  31687912) -> |2)Xxx-C (heap)
   ECX: 00000000 (         0) -> N/A
   EDX: 098e2b31 ( 160312113) ->
 p*...@+subject"+67*0#")hval+f"Negativa".tester13
 37U: C:\ (heap)
   EDI: 00000000 (         0) -> N/A
   ESI: 0266cbe8 (  40291304) ->
 *,aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaaff^xgxg
 CANCELSIP/2.0ffCANCELUDPbranch (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> 0f ?ap#8 $'tp+()`|&)`+()(|&)(|&)Hp #'p$'p
 $'|4%x
 X2)D84%8)x (stack)
   +00: 02663008 (  40251400) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 098d2098 ( 160243864) ->
 p#4l192.168.3.104.a...@gaggfhxg"8tOietOie0DS;]8@
 gxgxgxgxg (heap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 098e2370 ( 160310128) -> /f...@**) "+0/HEL sip:tes...@192.16 (heap)
   +10: 010ffd38 (  17825080) ->
 ~\80gu[ug~\z],h)gphgS@/~g7#A^9cd2a2682c9\u[p^[i^
 uteComx-|\...@^]8` (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]
         0x10013932 jnz 0x10013942
         0x10013934 add eax,0x2
         0x10013937 add ecx,0x2
         0x1001393a test dl,dl
         0x1001393c jnz 0x10013922

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8



 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 46
 phapi.dll:10013917 mov eax,[edx+0x4] from thread 2412 caused access violation
 when attempting to read from 0x00000004

 CONTEXT DUMP
   EIP: 10013917 mov eax,[edx+0x4]
   EAX: 00000000 (         0) -> N/A
   EBX: 01e384d8 (  31687896) -> 2)Xxx-C (heap)
   ECX: 0000000f (        15) -> N/A
   EDX: 00000000 (         0) -> N/A
   EDI: 0991d1a8 ( 160551336) -> gsxxip:tes...@192.16 (heap)
   ESI: 099167d8 ( 160524248) -> 0P"CANCEL
 SIP/2.0&xhxj$ttlp*2.0!(UDPg.`act,CANCE
 L2xf0`m6fh4:jb8v7yxnu3o0szil (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> (?a8 $'t[`+()P|&)P+()|&)|&)8` #'`$'`
 $',H4%h2)D(
 4%()x (stack)
   +00: 0991c1f8 ( 160547320) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 0991b228 ( 160543272) -> e`k192.168.3.104 nlkntsxxgnxgliuxP{xHe
 ~xg0E-xg-7
 1...@h^ (heap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 0991d1a8 ( 160551336) -> gsxxip:tes...@192.16 (heap)
   +10: 010ffd38 (  17825080) ->
 80K\h80gm[ug80K\z],h)g...@hg7#ap^9cd2a2682c9\m[]
 [iP^PuteComx-|[^]8Pp (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x100138fb jz 0x10013911
         0x100138fd mov eax,[esi+0xc]
         0x10013900 mov ecx,[esi+0x4]
         0x10013903 push eax
         0x10013904 push ecx
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8



 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 4449
 phapi.dll:10013917 mov eax,[edx+0x4] from thread 4636 caused access violation
 when attempting to read from 0x00000004

 CONTEXT DUMP
   EIP: 10013917 mov eax,[edx+0x4]
   EAX: 00000000 (         0) -> N/A
   EBX: 01e384e8 (  31687912) -> 2)Xxx-C (heap)
   ECX: 0000000f (        15) -> N/A
   EDX: 00000000 (         0) -> N/A
   EDI: 08f22af0 ( 150088432) -> 1*11 20xreceived (heap)
   ESI: 08f1cfe8 ( 150065128) -> *`1p1H8)))8*(*prportFFP (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> *?a*8 $'t1p+()`|&)`+()(|&)(|&)Hp #'p$'p
 $'@4...@x(
 2)D84%8)x (stack)
   +00: 08f21000 ( 150081536) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 08f22ad8 ( 150088408) -> *umen1*11 2 (heap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 08f22af0 ( 150088432) -> 1*11 20xreceived (heap)
   +10: 010ffd38 (  17825080) ->
 \80gu[ug\z],h)gp...@g7#a^9cd2a2682c9\u[p^[i^utec
 omx-|@\...@^]8` (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x100138fb jz 0x10013911
         0x100138fd mov eax,[esi+0xc]
         0x10013900 mov ecx,[esi+0x4]
         0x10013903 push eax
         0x10013904 push ecx
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8

 C:\voiper-0.06>python sulley/s_utils/crashbin_explorer.py sessions/Qutecom.crashbin -t 4450
 phapi.dll:10013917 mov eax,[edx+0x4] from thread 3360 caused access violation
 when attempting to read from 0x00000004

 CONTEXT DUMP
   EIP: 10013917 mov eax,[edx+0x4]
   EAX: 00000000 (         0) -> N/A
   EBX: 01e384e8 (  31687912) -> 2)Xxx-C (heap)
   ECX: 0000000f (        15) -> N/A
   EDX: 00000000 (         0) -> N/A
   EDI: 098de3e8 ( 160293864) -> >e Vf=(<gx\Documents and S (heap)
   ESI: 098eb580 ( 160347520) -> g8"f(kschemas-upnp-
 org:device-1-0$LeLe6schemas-u
 pnp-org:device-1-0...@}_p (heap)
   EBP: 00000000 (         0) -> N/A
   ESP: 03f2fe80 (  66256512) -> @h?a8 $'t4p+()`|&)`+()(|&)(|&)Hp #'p$'p
 $'4%xp2)
 D84%8)x (stack)
   +00: 098df640 ( 160298560) -> INVITE sip:tes...@192.168.3.104 SIP/2.0
 (heap)
   +04: 098c1b68 ( 160177000) ->
 J?KXm-,tnexxgq...@+xgpgtoie@*to...@c8;]...@4xxgp (h
 eap)
   +08: 1002613f ( 268591423) -> N/A
   +0c: 098de3e8 ( 160293864) -> >e Vf=(<gx\Documents and S (heap)
   +10: 010ffd38 (  17825080) ->
 .\80gu[ug.\z],h)g(h...@e6g7#a^9cd2a2682c9\u[p^[i^
 uteComx-|\...@^]8` (heap)
   +14: 00272420 (   2565152) -> N/A

 disasm around:
         0x100138fb jz 0x10013911
         0x100138fd mov eax,[esi+0xc]
         0x10013900 mov ecx,[esi+0x4]
         0x10013903 push eax
         0x10013904 push ecx
         0x10013905 call 0x100137c0
         0x1001390a add esp,0x8
         0x1001390d test eax,eax
         0x1001390f jnz 0x1001396a
         0x10013911 mov edx,[edi+0xac]
         0x10013917 mov eax,[edx+0x4]
         0x1001391a mov edi,[eax+0xc]
         0x1001391d mov eax,[esi+0xc]
         0x10013920 mov ecx,edi
         0x10013922 mov dl,[eax]
         0x10013924 cmp dl,[ecx]
         0x10013926 jnz 0x10013942
         0x10013928 test dl,dl
         0x1001392a jz 0x1001393e
         0x1001392c mov dl,[eax+0x1]
         0x1001392f cmp dl,[ecx+0x1]

 SEH unwind:
         03f2ffdc -> MSVCR80.dll:78138ced
         ffffffff -> kernel32.dll:7c839ad8



 C:\voiper-0.06>

-- 
Ticket URL: <http://trac.qutecom.org/ticket/188>
QuteCom <http://trac.qutecom.org>

_______________________________________________
QuteCom-dev mailing list
QuteCom-dev@lists.qutecom.org
http://lists.qutecom.org/mailman/listinfo/qutecom-dev
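As an added illustration (not QuteCom or phapi code), the defensive pattern that would prevent faults of the two shapes shown in the dumps above: the byte-compare loop starting at 0x10013922 has the shape of an inlined strcmp() and ECX = 0 means one of its operands was a NULL string, while the second fault reads offset 4 through a NULL pointer in EDX that was itself loaded from another structure. The SIP structures, field names and the transaction-matching logic below are assumptions for the sake of the example, not the real parser.

```c
/* Added example: NULL-tolerant header comparison for a SIP stack.
 * All types and functions here are hypothetical, not phapi's own. */
#include <stddef.h>
#include <string.h>

/* Parsed-message view: a fuzzed INVITE can omit or mangle any header,
 * and the parser then leaves that field NULL rather than "". */
typedef struct {
    const char *method;      /* "INVITE", "CANCEL", ... */
    const char *call_id;     /* NULL when the Call-ID header is missing */
    const char *via_branch;  /* NULL when the Via branch is missing */
} sip_msg;

typedef struct {
    sip_msg *last_request;   /* NULL until a request has been stored */
    int state;
} sip_transaction;

/* A missing header never matches and, unlike a bare strcmp(), never
 * dereferences address 0 (the ECX = 0 fault above). */
static int str_eq_safe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a, b) == 0;
}

/* Returns 1 if req belongs to tx, 0 otherwise. The intermediate pointer is
 * checked before it is followed (the EDX = 0, read-from-0x4 fault above). */
static int transaction_matches(const sip_transaction *tx, const sip_msg *req)
{
    if (tx == NULL || req == NULL || tx->last_request == NULL)
        return 0;
    return str_eq_safe(tx->last_request->call_id, req->call_id) &&
           str_eq_safe(tx->last_request->via_branch, req->via_branch);
}

/* Gate at the parser boundary: a request lacking the headers every later
 * lookup relies on is rejected (dropped or answered 400) before matching. */
static int sip_msg_is_complete(const sip_msg *m)
{
    return m != NULL && m->method != NULL && m->call_id != NULL &&
           m->via_branch != NULL;
}

int main(void)
{
    /* Constructed sample: one stored request, one matching, one truncated. */
    sip_msg stored  = { "INVITE", "abc123", "z9hG4bKdeadbeef" };
    sip_msg same    = { "INVITE", "abc123", "z9hG4bKdeadbeef" };
    sip_msg missing = { "INVITE", NULL, "z9hG4bKdeadbeef" };
    sip_transaction tx = { &stored, 0 };
    return (transaction_matches(&tx, &same) && !transaction_matches(&tx, &missing)
            && !sip_msg_is_complete(&missing)) ? 0 : 1;
}
```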
