Kamailio
cpe:2.3:a:kamailio:kamailio:*:*:*:*:*:*:*
- 5.5
A heap use-after-free vulnerability has been identified in Kamailio SIP Server version 5.5. The issue lies in the Configuration File Handler, specifically in the `sr_push_yy_state` function of `src/core/cfg.lex`. It is triggered during parsing of configuration files, specifically when handling `import` or `include` directives. The flaw causes the parser to read memory that has already been freed, leading to a process crash and potential memory corruption that could be exploited further.
Exploitation of this vulnerability causes a denial-of-service condition: the process crashes during configuration parsing, preventing the server from starting. Additionally, the use-after-free could be leveraged to corrupt memory, disrupt the program's state, and potentially execute arbitrary code or escalate privileges, depending on the heap layout and exploitation strategy.
The vulnerability can be reproduced with a crafted configuration file containing directives that trigger the `sr_push_yy_state` function; this file is used in place of the default configuration when starting the Kamailio server. Building Kamailio with AddressSanitizer enabled provides diagnostic output confirming the use-after-free error.