Product: PWLib is a moderately large C++ class library that originated many years ago as a method to produce applications that run on both Microsoft Windows and Unix X-Windows systems. A Macintosh port was also planned, but this never eventuated. The library is used extensively by many companies for both commercial and Open Source products. The motivation in making PWLib available as Open Source was primarily to support the OpenH323 project, but it is definitely useful as a stand-alone library.
Scope: Remote Denial of Service
- [2007-05-14] Vulnerability discovered
- [2007-07-09] Vendor contacted
- [2007-08-15] Ekiga patched
- [2007-09-11] Vulnerability published
- [2007-09-27] Pwlib patched
Author: Jose Miguel Esparza
Affected versions: Pwlib <= 1.10.0 (also the applications which use this library, for example Ekiga <= 2.0.7)
Description: There is a bug in the implementation of the vsprintf method of the PString class in the Pwlib library that can cause applications using it to crash. This function does not support arguments with more than 1000 characters. Ekiga, for example, is vulnerable: sending a long SIP address to the application triggers the bug.
- File: contain.cxx
- Function: PString.vsprintf
More information: this function assumes that the formatted output is less than 1000 characters long.
OpalTransportAddress SIPURL::GetHostAddress() const
PString addr = paramVars("transport", "udp") + '$';
addr += paramVars["maddr"];
addr += hostname;
if (port != 0)
Proof of Concept: ekiga207_dos.py
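
Added example, not code from PWLib, Ekiga or the advisory's author: a printf-style append that sizes its buffer from the measured output length instead of assuming the output stays under 1000 characters. The names append_vformat, append_format, demo_long_host and kAssumedMax are hypothetical, and the long host string is constructed test input.

```cpp
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>

// The output size the advisory says PString::vsprintf assumes.
static const std::size_t kAssumedMax = 1000;

// Hypothetical helper: append formatted output to dst. The first pass only
// measures; the second writes into a buffer grown to exactly that size.
std::string& append_vformat(std::string& dst, const char* fmt, va_list ap)
{
    va_list probe;
    va_copy(probe, ap);                 // keep ap intact for the second pass
    int need = std::vsnprintf(nullptr, 0, fmt, probe);
    va_end(probe);
    if (need < 0)
        throw std::runtime_error("format encoding error");

    const std::size_t old = dst.size();
    const std::size_t n = static_cast<std::size_t>(need);
    dst.resize(old + n + 1);            // +1 for the terminating NUL
    std::vsnprintf(&dst[old], n + 1, fmt, ap);
    dst.resize(old + n);                // drop the NUL again
    return dst;
}

std::string& append_format(std::string& dst, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    try { append_vformat(dst, fmt, ap); } catch (...) { va_end(ap); throw; }
    va_end(ap);
    return dst;
}

// Constructed input: a host part four times longer than the assumed maximum.
std::size_t demo_long_host()
{
    std::string host(kAssumedMax * 4, 'a');
    std::string addr = "udp$";
    append_format(addr, "%s:%u", host.c_str(), 5060u);
    return addr.size();                 // 4 + 4000 + 1 + 4
}

int main() { std::printf("%zu\n", demo_long_host()); return 0; }
```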