Hyperion Avenue Labs Founder Patrick Kelley finds flaw in VoIP system

If you run an Nmap network scan against the IP address of the phone
server, it will crash Altigen's Gateway service, rendering the system
useless until rebooted. All information saved in the phone system at
the time is lost.

The service listening on port 5061 crashes due to a heap overflow,
with the following message:

Application popup: Microsoft Visual C++ Debug Library : Debug Error!
Program: C:\AltiServ\Exe\altigateway.exe
HEAP CORRUPTION DETECTED: after Normal block (#13414021) at 0x08E1C270.
CRT detected that the application wrote to memory after end of heap buffer.
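
The popup above comes from the debug build of the Microsoft C runtime, which pads each heap block with guard bytes and reports when the bytes after the block have been overwritten. The following added example (not Altigen's code and not part of the original advisory) models that check in portable C; `guarded_alloc`, `guard_status`, `copy_message` and the 16-byte handler buffer are hypothetical and constructed for illustration.

```c
/* Simplified model of the debug-heap guard-byte check; not the CRT's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  4               /* debug CRT pads each block with 4 bytes */
#define GUARD_FILL 0xFD            /* "no man's land" fill value it uses */
#define HDR        sizeof(size_t)  /* our own header: stores the user size */

/* Layout: [size][guard][user data ...][guard] */
static void *guarded_alloc(size_t size) {
    unsigned char *raw = malloc(HDR + 2 * GUARD_LEN + size);
    if (!raw) return NULL;
    memcpy(raw, &size, HDR);
    memset(raw + HDR, GUARD_FILL, GUARD_LEN);
    memset(raw + HDR + GUARD_LEN + size, GUARD_FILL, GUARD_LEN);
    return raw + HDR + GUARD_LEN;
}

/* 0 = guards intact, -1 = written before the block, 1 = written after it */
static int guard_status(const void *user) {
    const unsigned char *p = user;
    size_t size;
    memcpy(&size, p - GUARD_LEN - HDR, HDR);
    for (int i = 0; i < GUARD_LEN; i++)
        if (*(p - 1 - i) != GUARD_FILL) return -1;
    for (int i = 0; i < GUARD_LEN; i++)
        if (p[size + i] != GUARD_FILL) return 1;
    return 0;
}

/* Constructed stand-in for a handler that trusts a sender-supplied length. */
static int copy_message(const char *msg, size_t len, int clamp) {
    enum { BUF = 16 };
    char *buf = guarded_alloc(BUF);
    if (!buf) return -2;
    if (clamp && len > BUF) len = BUF;                /* hardened: bound the copy */
    if (len > BUF + GUARD_LEN) len = BUF + GUARD_LEN; /* keep the demo in its allocation */
    memcpy(buf, msg, len);                            /* unclamped: spills into the guard */
    int status = guard_status(buf);
    free((unsigned char *)buf - GUARD_LEN - HDR);
    return status;
}

int main(void) {
    char msg[32] = {0};  /* constructed input, longer than the 16-byte buffer */
    printf("unchecked 18-byte copy: %d\n", copy_message(msg, 18, 0));
    printf("clamped 18-byte copy:   %d\n", copy_message(msg, 18, 1));
    return 0;
}
```

A status of 1 corresponds to the "after Normal block" wording in the popup; the clamped path shows the bounds check that keeps the guard bytes intact.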

Specifics:
ANY workstation running Nmap on the LAN with knowledge of the phone
system's IP address can trigger the crash.
Special permissions are not needed.
Crash occurs with 15 seconds of scanning on a 100 Mb line.

Exploitation:
This is remotely exploitable from anywhere on the Internet with access
to ANY Altigen service port.

Platform:
Windows Server 2008, fully updated, firewall enabled with ports opened
for Altigen services.

Solution:
The vendor is releasing a patch for this issue in the next revision.
Binding outbound traffic to just PRI/Trunk seems to mitigate the issue.