CVE-2016-2385
published 2016-04-11


Priority: P2 (69) · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 30.52% (98.0th percentile)
Heap-based buffer overflow in the encode_msg function in encode_msg.c in the SEAS module in Kamailio (formerly OpenSER and SER) before 4.3.5 allows remote attackers to cause a denial of service (memory corruption and process crash) or possibly execute arbitrary code via a large SIP packet.

Affected (10 ranges)

Vendor   | Product      | Version range                      | Fixed in
debian   | debian_linux |                                    |
debian   | kamailio     | < kamailio 4.3.4-2 (bookworm)      | kamailio 4.3.4-2 (bookworm)
kamailio | kamailio     | <= 4.3.4                           |
kamailio | kamailio     | >= 0, < 4.3.4-2                    | 4.3.4-2
kamailio | kamailio     | >= 0, < 4.3.4-2                    | 4.3.4-2
kamailio | kamailio     | >= 0, < 4.3.4-2                    | 4.3.4-2
kamailio | kamailio     | >= 0, < 4.3.4-2                    | 4.3.4-2
kamailio | kamailio     | >= 0, < 4.3.4-1.1ubuntu2.1+esm2    | 4.3.4-1.1ubuntu2.1+esm2
kamailio | kamailio     | >= 0, < 5.1.2-1ubuntu2+esm2        | 5.1.2-1ubuntu2+esm2
kamailio | kamailio     | >= 0, < 5.3.2-1ubuntu0.1~esm2      | 5.3.2-1ubuntu0.1~esm2

Detection & IOCs (extracted from sources)

url: https://census-labs.com/media/seas-trigger.packet
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39638.zip
path: encode_msg.c
  • The vulnerable memcpy in encode_msg() copies msg->buf (attacker-controlled SIP packet contents) of length msg->len into a fixed-size heap buffer of ENCODED_MSG_SIZE. Monitor for anomalously large SIP packets (UDP/TCP) directed at Kamailio instances.
  • The destination heap buffer is allocated with shm_malloc(ENCODED_MSG_SIZE); a SIP packet whose length exceeds ENCODED_MSG_SIZE minus the header offset (typically 180 bytes) will overflow the buffer. Alert on SIP messages approaching or exceeding ENCODED_MSG_SIZE.
  • Affected component is the SEAS module of Kamailio 4.3.4 and possibly earlier versions. Instances not loading the SEAS module are not vulnerable.
  • For Ubuntu, this issue only affected Ubuntu 16.04 LTS; later Ubuntu releases are not impacted by CVE-2016-2385.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 9.8   | CRITICAL |