Pwlib/Ekiga Denial of Service

ID: CVE-2007-04897  BID-25642

Product: PWLib is a moderately large C++ class library that originated many years ago as a way to produce applications that run on both Microsoft Windows and Unix X-Windows systems. A Macintosh port was also planned but never eventuated. The library is used extensively by many companies for both commercial and Open Source products. The motivation in making PWLib available as Open Source was primarily to support the OpenH323 project, but it is definitely useful as a stand-alone library.

Scope: Remote Denial of Service

Severity: Low-Medium

Timeline:

  • [2007-05-14] Vulnerability discovered
  • [2007-07-09] Vendor contacted
  • [2007-08-15] Ekiga patched
  • [2007-09-11] Vulnerability published
  • [2007-09-27] Pwlib patched

Platforms: Any

Author: Jose Miguel Esparza

Affected versions: Pwlib <= 1.10.0 (also the applications which use this library, for example Ekiga <= 2.0.7)

Description: There is a bug in the implementation of the vsprintf method of the PString class in the Pwlib library that can cause applications using it to crash. The function does not support formatted output of more than 1000 characters. Ekiga, for example, can be crashed by sending it a long SIP address.

Details:

For Pwlib:

  • File:  contain.cxx
  • Function:  PString::vsprintf
  • More information: this function assumes that there are fewer than 1000 characters of formatted output.

For Ekiga:

OpalTransportAddress SIPURL::GetHostAddress() const
{
  PString addr = paramVars("transport", "udp") + '$';
  if (paramVars.Contains("maddr"))
    addr += paramVars["maddr"];
  else
    addr += hostname;   // attacker-controlled length: comes from the received SIP URL
  if (port != 0)
    addr.sprintf(":%u", port);   // appends via PString::vsprintf (contain.cxx), which assumes < 1000 chars of output
  return addr;
}
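
As an added example (not PWLib's or Ekiga's own code), the following C++ shows the shape of a safe appending sprintf and a hypothetical re-creation of the GetHostAddress() logic on top of it: the buffer is sized from what vsnprintf reports instead of a fixed 1000-character guess, so a very long hostname followed by the port suffix is formatted without overrunning anything. The hostname and maddr are plain strings here rather than PWLib parameter maps.

```cpp
// Added example, not PWLib/Ekiga code: a std::string stand-in for
// PString::sprintf that grows the buffer to the length vsnprintf reports.
#include <cstdarg>
#include <cstdio>
#include <string>

// Appends formatted text to `dest`. Two passes: the first vsnprintf call
// only measures the required length (no fixed upper bound), the second
// writes into a buffer sized exactly for that length plus the NUL.
bool appendFormat(std::string &dest, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    va_list copy;
    va_copy(copy, args);
    int needed = std::vsnprintf(nullptr, 0, fmt, copy);
    va_end(copy);
    if (needed < 0) {            // encoding error: leave dest untouched
        va_end(args);
        return false;
    }
    std::size_t oldLen = dest.size();
    std::size_t n = static_cast<std::size_t>(needed);
    dest.resize(oldLen + n + 1);                       // room for the NUL
    std::vsnprintf(&dest[oldLen], n + 1, fmt, args);
    va_end(args);
    dest.resize(oldLen + n);                           // drop the NUL again
    return true;
}

// Hypothetical re-creation of SIPURL::GetHostAddress() with the fixed-size
// PString::sprintf replaced by appendFormat(). An empty maddr plays the role
// of paramVars not containing "maddr".
std::string hostAddress(const std::string &transport, const std::string &maddr,
                        const std::string &hostname, unsigned port)
{
    std::string addr = transport + '$';
    addr += maddr.empty() ? hostname : maddr;
    if (port != 0)
        appendFormat(addr, ":%u", port);   // safe however long addr already is
    return addr;
}
```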


Workaround: Upgrade to Ekiga 2.0.9 and Pwlib 1.10.1, or apply the Ekiga or Pwlib patch.

Proof of Concept: ekiga207_dos.py