Hi, we are working on a new stateful fuzzing framework and found two bugs in QuteCom 2.2 (revg-20100116203101), running on Ubuntu 9.10:
1) A memory corruption can be triggered after an attacker initiates several (>50) SIP calls in a short period of time. QuteCom will enter ringing mode for several of these calls in parallel, and when the user subsequently tries to hang up all the incoming calls by continuously clicking the hang-up button, the error is triggered and QuteCom crashes either with a Segmentation Fault or a 'double free or corruption' error, e.g.: sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in (warn) 08:58:48 [Common] void handle_pcm_errors(snd_pcm_t*, int, __jmp_buf_tag*): overrunSuccess (warn) 08:58:48 [Common] void handle_pcm_errors(snd_pcm_t*, int, __jmp_buf_tag*): overrunSuccess sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in sVoIP_phapi_handle_invite_in *** glibc detected *** qutecom: double free or corruption (fasttop): 0xb4928938 *** ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6[0x1b72ff1] /lib/tls/i686/cmov/libc.so.6[0x1b746f2] /lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x1b777cd] /usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x6c0b6f1] /usr/lib/libstdc++.so.6(_ZNSs4_Rep10_M_destroyERKSaIcE+0x1d)[0x6be935d] qutecom(_ZN10LinuxSoundD0Ev+0xcb)[0x8370e6b] qutecom(_ZN5SoundD0Ev+0x34)[0x836dd24] qutecom(_ZN14PhoneCallState21stopSoundIncomingCallEv+0x39)[0x83d2f89] qutecom(_ZN20PhoneCallStateClosed7executeER9PhoneCallb+0x1c)[0x83d323c] qutecom(_ZN9PhoneCall8setStateEN18EnumPhoneCallState14PhoneCallStateE+0x17a)[0x83d087a] 
qutecom(_ZN9PhoneLine17setPhoneCallStateEiN18EnumPhoneCallState14PhoneCallStateERK10SipAddress+0x287)[0x83db167] qutecom(_ZN12SipCallbacks33phoneCallStateChangedEventHandlerER10SipWrapperiN18EnumPhoneCallState14PhoneCallStateERKSs+0x23e)[0x84ccc3e] qutecom(_ZN5boost6detail8function26void_function_obj_invoker4INS_3_bi6bind_tIvNS_4_mfi3mf4Iv12SipCallbacksR10SipWrapperiN18EnumPhoneCallState14PhoneCallStateERKSsEENS3_5list5INS3_5valueIPS7_EENS_3argILi1EEENSJ_ILi2EEENSJ_ILi3EEENSJ_ILi4EEEEEEEvS9_iSB_SD_E6invokeERNS1_15function_bufferES9_iSB_SD_+0x39)[0x84cd849] qutecom(_ZNK5boost9function4IvR10SipWrapperiN18EnumPhoneCallState14PhoneCallStateERKSsEclES2_iS4_S6_+0x48)[0x83880d8] qutecom(_ZN5boost7signal4IvR10SipWrapperiN18EnumPhoneCallState14PhoneCallStateERKSsNS_10last_valueIvEEiSt4lessIiENS_8functionIFvS2_iS4_S6_EEEEclES2_iS4_S6_+0x518)[0x83886c8] qutecom(_ZN14PhApiCallbacks12callProgressEP19OWPL_CALLSTATE_INFO+0x186)[0x8383b36] qutecom[0x8386a62] /usr/lib/qutecom/libphapi.so(owplFireEvent+0x57)[0x765c37] /usr/lib/qutecom/libphapi.so(owplFireCallEvent+0x6f)[0x76629f] /usr/lib/qutecom/libphapi.so(phRejectCall+0xbd)[0x75e66d] /usr/lib/qutecom/libphapi.so(owplCallReject+0x24)[0x761a84] qutecom(_ZN12PhApiWrapper10rejectCallEi+0x2d)[0x8373c7d] qutecom(_ZN9PhoneLine10rejectCallEi+0x29)[0x83dad79] qutecom(_ZN9PhoneCall5closeEv+0x86)[0x83d0d06] qutecom(_ZN10CPhoneCall16hangUpThreadSafeEv+0x20)[0x84a4be0] qutecom(_ZN5boost6detail8function26void_function_obj_invoker0INS_3_bi6bind_tIvNS_4_mfi3mf0Iv10CPhoneCallEENS3_5list1INS3_5valueIPS7_EEEEEEvE6invokeERNS1_15function_bufferE+0x1d)[0x84a5d9d] qutecom(_ZNK5boost9function0IvEclEv+0x2c)[0x81dd00c] qutecom(_ZN12ThreadEvent0IFvvEE8callbackEv+0x20)[0x82f3c20] qutecom(_ZN6Thread9runEventsEv+0x69)[0x83265d9] qutecom(_ZN10WengoPhone3runEv+0x82)[0x839cfa2] qutecom(_ZN6Thread9runThreadEv+0x4a)[0x8325eaa] qutecom(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvNS_4_mfi3mf0Iv6ThreadEENS2_5list1INS2_5valueIPS6_EEEEEEE3runEv+0x27)[0x83277b7] 
/usr/lib/libboost_thread-mt.so.1.38.0(thread_proxy+0x5d)[0x168c1d] /lib/tls/i686/cmov/libpthread.so.0[0x52380e] /lib/tls/i686/cmov/libc.so.6(clone+0x5e)[0x1bd48de] ======= Memory map: ======== 00110000-00139000 r-xp 00000000 08:01 155639 /usr/lib/qutecom/libowutil.so 00139000-0013a000 r--p 00028000 08:01 155639 /usr/lib/qutecom/libowutil.so 0013a000-0013b000 rw-p 00029000 08:01 155639 /usr/lib/qutecom/libowutil.so 0013b000-00147000 r-xp 00000000 08:01 132768 /usr/lib/i686/cmov/libavutil.so.49.15.0 00147000-00148000 r--p 0000b000 08:01 132768 /usr/lib/i686/cmov/libavutil.so.49.15.0 00148000-00149000 rw-p 0000c000 08:01 132768 /usr/lib/i686/cmov/libavutil.so.49.15.0 00149000-0014c000 rw-p 00000000 00:00 0 0014c000-00150000 r-xp 00000000 08:01 155634 /usr/lib/qutecom/libphapiutil.so 00150000-00151000 r--p 00003000 08:01 155634 /usr/lib/qutecom/libphapiutil.so 00151000-00152000 rw-p 00004000 08:01 155634 /usr/lib/qutecom/libphapiutil.so 00152000-00155000 r-xp 00000000 08:01 155637 /usr/lib/qutecom/libowbase.so 00155000-00156000 r--p 00002000 08:01 155637 /usr/lib/qutecom/libowbase.so 00156000-00157000 rw-p 00003000 08:01 155637 /usr/lib/qutecom/libowbase.so 00157000-0015a000 r-xp 00000000 08:01 155640 /usr/lib/qutecom/libpsiidle.so 0015a000-0015b000 r--p 00002000 08:01 155640 /usr/lib/qutecom/libpsiidle.so 0015b000-0015c000 rw-p 00003000 08:01 155640 /usr/lib/qutecom/libpsiidle.so 0015c000-0015e000 r-xp 00000000 08:01 8854 /usr/lib/libXinerama.so.1.0.0 0015e000-0015f000 rw-p 00001000 08:01 8854 /usr/lib/libXinerama.so.1.0.0 0015f000-00172000 r-xp 00000000 08:01 9472 /usr/lib/libboost_thread-mt.so.1.38.0 00172000-00173000 r--p 00013000 08:01 9472 /usr/lib/libboost_thread-mt.so.1.38.0 00173000-00174000 rw-p 00014000 08:01 9472 /usr/lib/libboost_thread-mt.so.1.38.0 00174000-00217000 r-xp 00000000 08:01 9270 /usr/lib/libgnutls.so.26.14.10 00217000-0021b000 r--p 000a2000 08:01 9270 /usr/lib/libgnutls.so.26.14.10 0021b000-0021c000 rw-p 000a6000 08:01 9270 
/usr/lib/libgnutls.so.26.14.10 0021c000-00248000 r-xp 00000000 08:01 155632 /usr/lib/qutecom/libwebcam.so 00248000-00249000 ---p 0002c000 08:01 155632 /usr/lib/qutecom/libwebcam.so 00249000-0024a000 r--p 0002c000 08:01 155632 /usr/lib/qutecom/libwebcam.so 0024a000-0024b000 rw-p 0002d000 08:01 155632 /usr/lib/qutecom/libwebcam.so 0024b000-0025d000 r-xp 00000000 08:01 9356 /usr/lib/libboost_signals-mt.so.1.38.0 0025d000-0025e000 r--p 00011000 08:01 9356 /usr/lib/libboost_signals-mt.so.1.38.0 0025e000-0025f000 rw-p 00012000 08:01 9356 /usr/lib/libboost_signals-mt.so.1.38.0 0025f000-00314000 r-xp 00000000 08:01 24708 /lib/libglib-2.0.so.0.2200.3 00314000-00315000 r--p 000b4000 08:01 24708 /lib/libglib-2.0.so.0.2200.3 00315000-00316000 rw-p 000b5000 08:01 24708 /lib/libglib-2.0.so.0.2200.3 00316000-00443000 r-xp 00000000 08:01 21323 /lib/i686/cmov/libcrypto.so.0.9.8 00443000-0044b000 r--p 0012c000 08:01 21323 /lib/i686/cmov/libcrypto.so.0.9.8 0044b000-00458000 rw-p 00134000 08:01 21323 /lib/i686/cmov/libcrypto.so.0.9.8 00458000-0045c000 rw-p 00000000 00:00 0 0045c000-0049d000 r-xp 00000000 08:01 11677 /usr/lib/libQtXml.so.4.5.2 0049d000-0049e000 r--p 00041000 08:01 11677 /usr/lib/libQtXml.so.4.5.2 0049e000-0049f000 rw-p 00042000 08:01 11677 /usr/lib/libQtXml.so.4.5.2 0049f000-004ac000 r-xp 00000000 08:01 9476 /usr/lib/liblber-2.4.so.2.5.1 004ac000-004ad000 r--p 0000c000 08:01 9476 /usr/lib/liblber-2.4.so.2.5.1 004ad000-004ae000 rw-p 0000d000 08:01 9476 /usr/lib/liblber-2.4.so.2.5.1 004b0000-004b7000 r-xp 00000000 08:01 12098 /lib/tls/i686/cmov/librt-2.10.1.so 004b7000-004b8000 r--p 00006000 08:01 12098 /lib/tls/i686/cmov/librt-2.10.1.so 004b8000-004b9000 rw-p 00007000 08:01 12098 /lib/tls/i686/cmov/librt-2.10.1.so 004b9000-004ca000 r-xp 00000000 08:01 155641 /usr/lib/qutecom/libowmemorydump.so 004ca000-004cb000 r--p 00010000 08:01 155641 /usr/lib/qutecom/libowmemorydump.so 004cb000-004cc000 rw-p 00011000 08:01 155641 /usr/lib/qutecom/libowmemorydump.so 004cc000-004dc000 
r-xp 00000000 08:01 10376 /lib/tls/i686/cmov/libresolv-2.10.1.so 004dc000-004dd000 r--p 00010000 08:01 10376 /lib/tls/i686/cmov/libresolv-2.10.1.so 004dd000-004de000 rw-p 00011000 08:01 10376 /lib/tls/i686/cmov/libresolv-2.10.1.so 004de000-004e0000 rw-p 00000000 00:00 0 004e0000-0051c000 r-xp 00000000 08:01 24709 /usr/lib/libgobject-2.0.so.0.2200.3 0051c000-0051d000 r--p 0003b000 08:01 24709 /usr/lib/libgobject-2.0.so.0.2200.3 0051d000-0051e000 rw-p 0003c000 08:01 24709 /usr/lib/libgobject-2.0.so.0.2200.3 0051e000-00533000 r-xp 00000000 08:01 9874 /lib/tls/i686/cmov/libpthread-2.10.1.so 00533000-00534000 r--p 00014000 08:01 9874 /lib/tls/i686/cmov/libpthread-2.10.1.so 00534000-00535000 rw-p 00015000 08:01 9874 /lib/tls/i686/cmov/libpthread-2.10.1.so 00535000-00537000 rw-p 00000000 00:00 0 00537000-00577000 r-xp 00000000 08:01 9212 /usr/lib/libboost_program_options-mt.so.1.38.0 00577000-00579000 r--p 0003f000 08:01 9212 /usr/lib/libboost_program_options-mt.so.1.38.0 00579000-0057a000 rw-p 00041000 08:01 9212 /usr/lib/libboost_program_options-mt.so.1.38.0 0057a000-005cb000 r-xp 00000000 08:01 12972 /usr/lib/libQtSvg.so.4.5.2 005cb000-005cc000 r--p 00051000 08:01 12972 /usr/lib/libQtSvg.so.4.5.2 005cc000-005cd000 rw-p 00052000 08:01 12972 /usr/lib/libQtSvg.so.4.5.2 005ce000-00610000 r-xp 00000000 08:01 9031 /usr/lib/libcurl.so.4.1.1 00610000-00611000 r--p 00041000 08:01 9031 /usr/lib/libcurl.so.4.1.1 00611000-00612000 rw-p 00042000 08:01 9031 /usr/lib/libcurl.so.4.1.1 00612000-00681000 r-xp 00000000 08:01 12340 /usr/lib/libQtDBus.so.4.5.2 00681000-00682000 ---p 0006f000 08:01 12340 /usr/lib/libQtDBus.so.4.5.2 00682000-00683000 r--p 0006f000 08:01 12340 /usr/lib/libQtDBus.so.4.5.2 00683000-00684000 rw-p 00070000 08:01 12340 /usr/lib/libQtDBus.so.4.5.2Aborted * The following scenario causes QuteCom to crash: QuteCom is registered to a SIP proxy. 
If QuteCom then initiates a call to the attacker, QuteCom will crash if the attacker accepts the call and immediately afterwards terminates it by sending a BYE message. The crash is triggered when the victim then clicks QuteCom's Hang-Up button. (warn) 14:02:25 [PhApi] : osip: /build/buildd/qutecom-2.2~rc3.hg396~dfsg1/wifo/libosip2/src/osip2/osip_dialog.c:355: Remote UA is not compliant: missing a tag in response! (error) 14:02:25 [PhApi] : osip: /build/buildd/qutecom-2.2~rc3.hg396~dfsg1/wifo/eXosip/src/eXosip.c:3708: eXosip: No call here? (error) 14:02:25 [PhApi] : osip: /build/buildd/qutecom-2.2~rc3.hg396~dfsg1/wifo/eXosip/src/eXosip.c:3708: eXosip: No call here? (warn) 14:02:25 [PhApi] : osip: /build/buildd/qutecom-2.2~rc3.hg396~dfsg1/wifo/eXosip/src/jcallback.c:1394: The dialog has been replaced with the new one fro 200ok. Regards, Clemens Hlauschek _______________________________________________ QuteCom-dev mailing list [email protected] http://lists.qutecom.org/mailman/listinfo/qutecom-dev
