CVE-2013-1864 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products
CVSS (v2 metrics; the values below correspond to the vector AV:N/AC:M/Au:N/C:N/I:N/A:P, with "Privileges required" standing for v2's Authentication metric)
- Attack vector: NETWORK
- Attack complexity: MEDIUM
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: PARTIAL
Summary
The Portable Tool Library (aka PTLib) before 2.10.10, as used in Ekiga before 4.0.1, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted PXML document containing a large number of nested entity references, aka a "billion laughs attack."
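The two checks the summary describes as missing, detection of recursive entity references and a bound on how far a document may expand, shown as an added Python example. This is not PTLib or Ekiga code and does not reproduce the upstream fix; the DTD parser is constructed and deliberately minimal (internal general entities with double-quoted literal values only, no parameter or external entities), and the limits are this example's own, not any library's defaults.

```python
"""Entity-expansion checks of the kind a 'billion laughs' bomb defeats.

Added example (Python), not PTLib or Ekiga code. The DTD parser below is
constructed and deliberately minimal: internal general entities with
double-quoted literal values only, no parameter or external entities.
The limits are this example's, not any library's defaults.
"""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([\w.\-]+);')            # &name; only, not &#NN;
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.DOTALL)
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}    # each expands to one char


class EntityExpansionError(ValueError):
    """Recursive, undefined or oversized entity expansion."""


def parse_internal_entities(doc):
    """Return {name: literal value} declared in the internal DTD subset."""
    m = DOCTYPE.search(doc)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}


def expanded_size(entities, name, stack=(), memo=None):
    """Characters that &name; would expand to, computed without expanding.

    `stack` is the chain of entities currently being expanded; a reference
    back into it is recursion, the condition the summary says PTLib did
    not detect. `memo` keeps the walk linear in the number of declarations
    even when the expansion itself is exponential.
    """
    if memo is None:
        memo = {}
    if name in PREDEFINED:
        return 1
    if name in stack:
        raise EntityExpansionError(
            "recursive entity reference: " + " -> ".join(stack + (name,)))
    if name not in entities:
        raise EntityExpansionError(f"undefined entity &{name};")
    if name in memo:
        return memo[name]
    value, size, last = entities[name], 0, 0
    for ref in ENTITY_REF.finditer(value):
        size += ref.start() - last
        size += expanded_size(entities, ref.group(1), stack + (name,), memo)
        last = ref.end()
    size += len(value) - last
    memo[name] = size
    return size


def check_document(doc, max_expanded=1_000_000, max_amplification=10):
    """Return the total expansion of the body's entity references, or raise.

    A document is rejected when its expansion exceeds an absolute ceiling
    and is more than `max_amplification` times the document's own size, so
    large but honest documents pass while small bombs do not.
    """
    entities = parse_internal_entities(doc)
    body = DOCTYPE.sub("", doc, count=1)
    total, memo = 0, {}
    for ref in ENTITY_REF.finditer(body):
        total += expanded_size(entities, ref.group(1), (), memo)
    if total > max_expanded and total > max_amplification * len(doc):
        raise EntityExpansionError(
            f"{total} chars of expansion from a {len(doc)}-char document")
    return total


def is_rejected(doc):
    """True when check_document refuses the document."""
    try:
        check_document(doc)
    except EntityExpansionError:
        return True
    return False


def billion_laughs(depth=9, fanout=10):
    """Constructed payload: lolN expands to 'lol' repeated fanout**N times."""
    decls = ['<!ENTITY lol "lol">']
    for n in range(1, depth + 1):
        prev = "lol" if n == 1 else f"lol{n - 1}"
        decls.append(f'<!ENTITY lol{n} "{("&" + prev + ";") * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>\n')


# Constructed inputs: mutual recursion, and a benign document.
MUTUAL_RECURSION = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
BENIGN = '<!DOCTYPE r [<!ENTITY co "Example Corp">]><r>&co; &amp; &co;</r>'

if __name__ == "__main__":
    print(check_document(BENIGN))             # 25
    print(is_rejected(billion_laughs()))      # True: 3_000_000_000 chars
    print(is_rejected(MUTUAL_RECURSION))      # True: a -> b -> a
```

The size estimator never materialises the expansion, which is the point: with nine levels of tenfold nesting the payload is a few hundred bytes but would expand to three gigabytes, and a parser that only discovers this while allocating is already the denial of service. Checking the chain of in-progress entities catches `a -> b -> a` cycles, which the XML specification forbids, before any expansion begins.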
Vulnerable Configurations
Part | Count
---|---
Application | 4
Application | 8
Application | 1
OS | 1
Common Weakness Enumeration (CWE)
- CWE-119: Improper Restriction of Operations Within the Bounds of a Memory Buffer (the classification carried in this record's title)

Note: CWE-119 is the mapping carried by this record, but the behaviour described in the summary (unbounded entity expansion exhausting CPU and memory, with no out-of-bounds memory access involved) corresponds to CWE-776 (Improper Restriction of Recursive Entity References in DTDs, "XML Entity Expansion") and CWE-400 (Uncontrolled Resource Consumption). The CAPEC entries below are the buffer-overflow patterns associated with CWE-119 and do not describe this issue.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Nessus
- NASL family: Denial of Service
  NASL id: EKIGA_4_0_1.NASL
  Description: According to the version in its SIP banner, the installed version of Ekiga on the remote host is earlier than 4.0.1 and thus contains a version of the ptlib library that fails to conduct proper length checks during XML expansion. A remote, unauthenticated attacker could exploit this issue to consume extreme amounts of CPU and memory through the use of a specially crafted XML document.
  Last seen: 2020-06-01; modified: 2020-06-02
  Plugin id: 66033; published: 2013-04-19
  Reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/66033
  Title: Ekiga < 4.0.1 ptlib XML Expansion Recursion DoS
- NASL family: SuSE Local Security Checks
  NASL id: SUSE_11_PWLIB-140127.NASL
  Description: This update fixes an XML DoS vulnerability in pwlib. CVE-2013-1864 has been assigned to this issue.
  Last seen: 2020-06-05; modified: 2014-02-17
  Plugin id: 72536; published: 2014-02-17
  Reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
  Source: https://www.tenable.com/plugins/nessus/72536
  Title: SuSE 11.3 Security Update : pwlib (SAT Patch Number 8838)
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2013-2998.NASL
  Description: New upstream ekiga 4.0.1 release. Core fixes:
  - Fix crash when quitting ekiga while receiving presence information
  - Fix crash when quitting ekiga right after starting it (before STUN ending)
  - Fix crash when disabling an account while icons in roster are changing
  - Fix crash when receiving call a second time
  - Fix crash in XML parsing in case of malicious code (CVE-2012-5621)
  - Fix increasing CPU usage after hours of usage caused by endless OPTIONS
  - Several fixes for H.323:
    - fix H.323 parsing
    - add the username in authentication
    - fix unregistering the gatekeeper
    - fix registration
    - assign gk_name only if success
    - do not propose adding an H.323 account if the protocol is not built-in
  - Fix registration for registrars accepting the last Contact item offered
  - Allow to change the REGISTER compatibility mode of an existing registration
  - Fix impossibility to hang up active call after a missed call
  - Fix busy or call forwarding on busy occurring when connection is released
  - Fix subscribing/unsubscribing when enabling and disabling SIP accounts
  - Do not show is-typing messages sent by other programs during chatting
  - Stop ongoing registration when removing an account
  - Use meaningful names for ALSA sub-devices
  - Allow to enter contact addresses without host part, and choose the host later
  - Increase number of characters shown in device names
  - Use a better icon for call history in addressbook
  - Show the address instead of
  Last seen: 2020-03-17; modified: 2013-03-04
  Plugin id: 64984; published: 2013-03-04
  Reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  Source: https://www.tenable.com/plugins/nessus/64984
  Title: Fedora 18 : ekiga-4.0.1-1.fc18 / opal-3.10.10-1.fc18 / ptlib-2.10.10-1.fc18 (2013-2998)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099553.html
- http://osvdb.org/91439
- http://seclists.org/oss-sec/2013/q1/674
- http://secunia.com/advisories/52659
- http://sourceforge.net/p/opalvoip/code/28856
- http://www.ekiga.org/news/2013-02-21/ekiga-4.0.1-stable-available
- http://www.securityfocus.com/bid/58520
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82885
- https://www.suse.com/support/update/announcement/2014/suse-su-20140237-1.html