Kamailio SIP Server Heap-Based Buffer Overflow Vulnerability in Configuration File Handler

Vulnerability

A heap-based buffer overflow vulnerability has been identified in Kamailio SIP Server version 5.5. The issue arises in the Configuration File Handler, specifically within the 'rve_destroy' function of 'src/core/rvalue.c'. This vulnerability is triggered during the parsing and cleanup of module function parameters, where malformed or specially crafted configuration can lead to inconsistent 'rval_expr' structures. The 'rve_destroy' function then reads past the allocated memory, causing a heap-buffer-overflow. This vulnerability requires local access to exploit and has been publicly disclosed, with an available exploit.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the Kamailio process during configuration parsing, before the daemon can fully start. Additionally, the heap-based memory corruption introduced by this vulnerability could potentially be exploited for more serious consequences, such as remote code execution, depending on the attacker's control and the environment.

Reproduction

To reproduce this vulnerability, replace the default 'kamailio-basic.cfg' with a crafted configuration file that triggers the heap-buffer-overflow. Then start a Kamailio build compiled with AddressSanitizer, using the modified configuration file. AddressSanitizer will report the heap-buffer-overflow error in 'rve_destroy' during configuration parsing, confirming that the vulnerability has been reproduced.

Added: Oct 27, 2025, 3:23 AM
Updated: Oct 27, 2025, 3:23 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.