- Shannon Baseband fmtp SDP Attribute Memory Corruption
- Authored by Google Security Research, natashenka
Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of the payload type as the length parameter. There are no checks that the payload type is less than 8 bytes long or actually an integer.
- advisories | CVE-2022-26496
- SHA-256 | 51aa5a7a2ca1d9308cad99d6da19581180aa08b8653f1c44406c7c5c7dc253b9
Shannon Baseband: Memory corruption when processing fmtp SDP attribute
There is a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of the payload type as the length parameter. There are no checks that the payload type is less than 8 bytes long or actually an integer.
I was not able to reproduce this bug, as most carrier SIP servers filter SDP that contains this error; however, there is still a risk that some servers won't filter this SDP, or that a server gets compromised.
A sample line of SDP that causes the problem is as follows:
a=fmtp:1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA00 0-15
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-03-19.
Related CVE Numbers: CVE-2022-26496.
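The two checks the report says are missing (token length below the 8-byte buffer, token is a decimal integer) can be seen in a small parser. This is an added example, not code from the advisory or from the Shannon firmware; the function name fmtp_payload_type, the variable names and the 0..127 range check (RTP payload types are 7 bits) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PT_BUF_LEN 8   /* size of the destination buffer named in the report */

/* Unsafe pattern described in the report (sketch, hypothetical names, not compiled):
 *     char pt[8];
 *     memcpy(pt, token, token_len);   // token_len is taken from the SDP line
 */

/* Hypothetical hardened parser for "a=fmtp:<pt> <params>".
 * Returns the payload type (0..127), or -1 if the token is missing,
 * does not fit the buffer, or is not a decimal integer. */
int fmtp_payload_type(const char *line)
{
    static const char prefix[] = "a=fmtp:";
    char pt[PT_BUF_LEN];
    size_t len, i;
    int value = 0;

    if (line == NULL || strncmp(line, prefix, sizeof prefix - 1) != 0)
        return -1;
    line += sizeof prefix - 1;

    len = strcspn(line, " \t\r\n");          /* token ends at first whitespace */
    if (len == 0 || len >= sizeof pt)        /* length check missing in the bug */
        return -1;
    for (i = 0; i < len; i++)                /* integer check missing in the bug */
        if (!isdigit((unsigned char)line[i]))
            return -1;

    memcpy(pt, line, len);                   /* bounded: len < sizeof pt */
    pt[len] = '\0';
    for (i = 0; i < len; i++)
        value = value * 10 + (pt[i] - '0');  /* at most 7 digits, cannot overflow int */

    return value <= 127 ? value : -1;        /* RTP payload types are 7 bits */
}

int main(void)
{
    /* Constructed inputs: a well-formed line and one with an oversized, non-numeric token. */
    printf("%d\n", fmtp_payload_type("a=fmtp:101 0-15"));
    printf("%d\n", fmtp_payload_type("a=fmtp:1AAAAAAAAAAAAAAAAAAA00 0-15"));
    return 0;
}
```

The same validation applies on the network side: a SIP server or session border controller that rejects fmtp lines failing these checks provides the filtering the report mentions.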