Credit:
The information has been provided by Yuri Gushin.
Vulnerable Systems:
* Yate version 1.1.0
Immune Systems:
* Yate version 1.2.0
The flaw can be seen in the following source code snippet:
File: yate/modules/ysipchan.cpp
Lines: 1585 - 1594
1: const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
2: if (hl) {
3:     const NamedString* type = hl->getParam("purpose");
4:     if (!type || *type == "info")
5:         m->addParam("caller_info_uri",*type);
6:     else if (*type == "icon")
7:         m->addParam("caller_icon_uri",*type);
8:     else if (*type == "card")
9:         m->addParam("caller_card_uri",*type);
10: }
Once a "Call-Info" header is found in the SIP message (line 1), the code looks up its "purpose" parameter (line 3). getParam() returns 0 when the parameter is absent, and the condition on line 4 (!type || *type == "info") deliberately accepts that case. Line 5 is then meant to copy the header value, the URI, into the "caller_info_uri" message parameter, but a programming error passes *type, the value of the "purpose" parameter, instead of the header value. When the parameter is missing, type is a null pointer, and dereferencing it on line 5 crashes the Yate process: a remote denial of service triggered by a single SIP message carrying a "Call-Info" header with no "purpose" parameter. The "icon" and "card" branches (lines 7 and 9) cannot hit a null pointer, since they are reached only when type is non-null, but they carry the same mix-up and store the purpose string rather than the URI.
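As an added, self-contained illustration (not Yate's code: the SIPHeaderLine, NamedString and Message stand-ins, the parseCallInfo() parser, the helper functions and the sample headers are assumptions written for this example), the following C++ puts the quoted 1.1.0 logic next to the corrected logic the description implies, which passes the header value instead of *type. The vulnerable variant returns false at the exact point where the original would dereference the null pointer, so the harness can report the failure instead of crashing.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Minimal stand-ins for the Yate types in the snippet (assumed shapes, not Yate's classes).
struct NamedString { std::string name, value; };

struct SIPHeaderLine {
    std::string value;                // header value before the first top-level ';'
    std::vector<NamedString> params;  // ;name=value parameters
    const std::string* getParam(const std::string& name) const {  // 0 when absent, like Yate
        for (const NamedString& p : params)
            if (p.name == name) return &p.value;
        return nullptr;
    }
};

struct Message {
    std::map<std::string, std::string> params;
    void addParam(const std::string& n, const std::string& v) { params[n] = v; }
    std::string get(const std::string& n) const {
        std::map<std::string, std::string>::const_iterator it = params.find(n);
        return it == params.end() ? "" : it->second;
    }
};

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Assumed parser for a value like "<http://host/x.png>;purpose=icon": split on ';'
// outside <...>, then split each parameter on its first '='.
SIPHeaderLine parseCallInfo(const std::string& raw) {
    SIPHeaderLine hl;
    std::vector<std::string> parts(1);
    int depth = 0;
    for (char c : raw) {
        if (c == '<') ++depth; else if (c == '>' && depth > 0) --depth;
        if (c == ';' && depth == 0) parts.push_back(""); else parts.back() += c;
    }
    hl.value = trim(parts[0]);
    for (std::size_t i = 1; i < parts.size(); ++i) {
        std::string p = trim(parts[i]);
        if (p.empty()) continue;
        std::size_t eq = p.find('=');
        NamedString ns;
        ns.name = trim(p.substr(0, eq));
        if (eq != std::string::npos) ns.value = trim(p.substr(eq + 1));
        hl.params.push_back(ns);
    }
    return hl;
}

// Yate 1.1.0 logic as quoted in the advisory. Returns false at the exact point where the
// original evaluates *type with type == 0, so the harness reports instead of crashing.
bool mapCallInfoVulnerable(const SIPHeaderLine& hl, Message& m) {
    const std::string* type = hl.getParam("purpose");
    if (!type || *type == "info") {
        if (!type) return false;               // original: *type dereferences a null pointer here
        m.addParam("caller_info_uri", *type);  // and stores "info", not the URI
    } else if (*type == "icon")
        m.addParam("caller_icon_uri", *type);  // stores "icon", not the URI
    else if (*type == "card")
        m.addParam("caller_card_uri", *type);  // stores "card", not the URI
    return true;
}

// Corrected logic the description implies: pass the header value; *type is then only
// evaluated once the null test on the left of || has found type non-null.
void mapCallInfoFixed(const SIPHeaderLine& hl, Message& m) {
    const std::string* type = hl.getParam("purpose");
    if (!type || *type == "info") m.addParam("caller_info_uri", hl.value);
    else if (*type == "icon")     m.addParam("caller_icon_uri", hl.value);
    else if (*type == "card")     m.addParam("caller_card_uri", hl.value);
}

// Run one raw header through each version and report the outcome.
bool vulnerableDereferencesNull(const std::string& raw) {
    Message m;
    return !mapCallInfoVulnerable(parseCallInfo(raw), m);
}
std::string vulnerableParam(const std::string& raw, const std::string& key) {
    Message m;
    return mapCallInfoVulnerable(parseCallInfo(raw), m) ? m.get(key) : "";
}
std::string fixedParam(const std::string& raw, const std::string& key) {
    Message m;
    mapCallInfoFixed(parseCallInfo(raw), m);
    return m.get(key);
}

int main() {
    // Constructed sample headers: one carrying a purpose, one bare (the crash case).
    const std::string icon = "<http://example.com/photo.png>;purpose=icon", bare = "<http://example.com/info.html>";
    std::cout << "fixed: " << fixedParam(icon, "caller_icon_uri") << " | 1.1.0: " << vulnerableParam(icon, "caller_icon_uri") << "\n";
    std::cout << "fixed: " << fixedParam(bare, "caller_info_uri") << " | 1.1.0: "
              << (vulnerableDereferencesNull(bare) ? "null pointer dereference" : "ok") << "\n";
    return 0;
}
```

With the bare header the fixed version stores the URI under "caller_info_uri" while the 1.1.0 version reaches the null dereference; with a "purpose=icon" header both versions run to completion, but only the fixed one stores the URI, the other stores the string "icon".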
CVE Information:
CVE-2007-1693