SIPp 3.6 Local Buffer Overflow via Command-line Arguments
Description
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -log_file parameters, causing strcpy to write beyond buffer boundaries in sipp.cpp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SIPp 3.6 and earlier contains a local buffer overflow in command-line argument handling that can lead to code execution.
Vulnerability
SIPp versions 3.6 and earlier contain a local buffer overflow vulnerability in command-line argument handling. The bug resides in sipp.cpp where the strcpy function is used to copy user-supplied input from the -3pcc, -i, and -log_file parameters into fixed-size buffers without bounds checking. An oversized argument causes strcpy to write beyond the buffer boundary, leading to memory corruption [1][4].
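The unchecked-copy pattern described above, set beside a bounds-checked form, as an added example that is not SIPp's source code. The 64-byte buffer size, the `opts` struct and all function names are assumptions made for illustration; only the three option names come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define OPT_BUF_LEN 64   /* assumed size; the page does not state SIPp's buffer sizes */

struct opts {            /* hypothetical holder for the three affected options */
    char twin_addr[OPT_BUF_LEN];   /* value of -3pcc */
    char local_ip[OPT_BUF_LEN];    /* value of -i */
    char log_file[OPT_BUF_LEN];    /* value of -log_file */
};

/* Unsafe pattern the page describes, shown for contrast only and never called below. */
void copy_opt_unsafe(char *dst, const char *arg) {
    strcpy(dst, arg);    /* overflows dst when strlen(arg) >= OPT_BUF_LEN */
}

/* Hardened copy: rejects input that does not fit instead of truncating.
 * Returns 0 on success, -1 on NULL or oversized input (dst is left empty). */
int copy_opt_checked(char *dst, size_t dst_len, const char *arg) {
    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    if (arg == NULL) return -1;
    const char *nul = memchr(arg, '\0', dst_len);  /* scans at most dst_len bytes */
    if (nul == NULL) return -1;                    /* no terminator within the buffer size */
    memcpy(dst, arg, (size_t)(nul - arg) + 1);     /* copy including the terminator */
    return 0;
}

/* Parses only the three advisory options; returns 0 or the argv index of the rejected option. */
int parse_opts(int argc, char **argv, struct opts *o) {
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        char *dst = NULL;
        if (strcmp(argv[i], "-3pcc") == 0) dst = o->twin_addr;
        else if (strcmp(argv[i], "-i") == 0) dst = o->local_ip;
        else if (strcmp(argv[i], "-log_file") == 0) dst = o->log_file;
        if (dst == NULL) continue;                 /* other options are out of scope here */
        const char *val = (i + 1 < argc) ? argv[i + 1] : NULL;
        if (copy_opt_checked(dst, OPT_BUF_LEN, val) != 0) return i;
        i++;                                       /* consume the value */
    }
    return 0;
}

int main(int argc, char **argv) {
    struct opts o; int bad = parse_opts(argc, argv, &o);
    if (bad) { fprintf(stderr, "rejected value for %s\n", argv[bad]); return 1; }
    return 0;
}
```

Rejecting the argument outright, rather than truncating it, avoids silently running with a shortened file name or address.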
Exploitation
A local attacker can trigger the vulnerability by launching SIPp with an excessively long argument to any of the affected parameters. No authentication or special privileges are required beyond local access to the system. The exploit-db proof-of-concept demonstrates that supplying 300 'A' characters to -3pcc, -i, or -log_file reliably crashes the application, as shown by the AddressSanitizer stack trace pointing to strcpy in sipp.cpp [3].
Impact
Successful exploitation allows the attacker to crash the SIPp application (denial of service) or potentially execute arbitrary code with the privileges of the user running SIPp. The vulnerability is classified as a local buffer overflow with high severity, as it can lead to full compromise of the affected process [4].
Mitigation
Upgrade to SIPp version 3.7.6 or later, which introduced a StringBuilder class as a safer replacement for snprintf and likely addresses the unsafe strcpy usage [1]. No official workaround is documented; users of versions 3.6 and earlier should update immediately. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References
- www.exploit-db.com/exploits/44962 (mitre, exploit)
- www.vulncheck.com/advisories/sipp-local-buffer-overflow-via-command-line-arguments (mitre, third-party advisory)
- sipp.sourceforge.net (mitre, product)