## https://sploitus.com/exploit?id=79061C23-4CF0-5FA2-9C56-9286C54D9E03
# CVE-2026-32945

PJSIP DNS Compression Pointer Heap OOB Read (Remote DoS)

## Description

`get_name_len()` and `get_name()` in `pjlib-util/src/pjlib-util/dns.c` read a
2-byte DNS compression pointer via `pj_memcpy(&offset, p, 2)` without checking
that both bytes lie within the packet buffer. When a `0xC0` byte (compression
pointer marker) is the very last byte of a DNS response, the `memcpy` reads one
byte past the heap allocation boundary.

A single 20-byte crafted DNS response triggers the OOB read and crashes any
PJSIP application (including Asterisk and FreeSWITCH) that resolves a domain
through a network-controlled DNS server.

ASan confirms: `heap-buffer-overflow READ of size 2, 0 bytes after 20-byte
region` in `get_name_len()`.

This is the third DNS parser CVE in pjproject's `dns.c` since 2022 (after
CVE-2022-24793 and CVE-2023-27585). The CVE-2022-24793 fix added length checks
throughout the parser but missed the compression pointer path.

Affected: pjproject <= 2.16. Fixed in pjproject 2.17 (commit 5311aee).
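
The missing check described above, shown as an added example that is not pjproject's code and not the 2.17 fix: a bounds-checked name walk that rejects a packet ending on the `0xC0` marker instead of reading the byte after it. The sample packet bytes and the helper names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample packet (not captured traffic): 12-byte header, the name
 * "\x03abc\x00" at offset 12 and a compression pointer 0xC0 0x0C back to it
 * at offset 17. With pkt_len = 18 the packet ends right on the 0xC0 byte. */
static const uint8_t kPkt[19] = {
    0,0,0,0,0,0,0,0,0,0,0,0, 3,'a','b','c',0, 0xC0,0x0C
};

/* Bounds-checked walk over the name at pkt[pos] (added example, not pjproject
 * code). Returns 1 and sets *wire_len to the bytes the name occupies at pos
 * (2 for a pointer); returns 0 on truncated input without reading past pkt_len. */
static int dns_name_len_checked(const uint8_t *pkt, size_t pkt_len,
                                size_t pos, size_t *wire_len)
{
    size_t cur = pos, consumed = 0;
    int followed_ptr = 0, hops = 0;
    for (;;) {
        if (cur >= pkt_len)                  /* label/pointer byte itself OOB */
            return 0;
        uint8_t b = pkt[cur];
        if ((b & 0xC0) == 0xC0) {
            /* Compression pointer: BOTH bytes must lie inside the buffer;
             * reading pkt[cur + 1] without this check is the 1-byte OOB read. */
            if (cur + 1 >= pkt_len)
                return 0;
            size_t target = ((size_t)(b & 0x3F) << 8) | pkt[cur + 1];
            if (target >= cur || ++hops > 16)  /* backward only, bounded hops */
                return 0;
            if (!followed_ptr) { consumed += 2; followed_ptr = 1; }
            cur = target;
        } else if (b == 0) {                 /* root label ends the name */
            if (!followed_ptr) consumed += 1;
            *wire_len = consumed;
            return 1;
        } else {
            if (b > 63 || cur + 1 + b > pkt_len) /* label bytes must fit */
                return 0;
            if (!followed_ptr) consumed += 1 + b;
            cur += 1 + b;
        }
    }
}
/* Wire length of the name at pos in kPkt, or -1 if the walk rejected it. */
static long name_len_or_neg(size_t pkt_len, size_t pos)
{
    size_t n = 0;
    return dns_name_len_checked(kPkt, pkt_len, pos, &n) ? (long)n : -1;
}
```

With the full 19-byte packet the pointer at offset 17 resolves to the 5-byte name at offset 12; with `pkt_len = 18` the same offset is rejected before the second pointer byte is touched.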

## Usage

```bash
# Standalone ASan harness (no pjproject installation required):
./run.sh

# Or build and run manually:
gcc -fsanitize=address,undefined -g -O0 harness.c -o harness
./harness

# Network PoC -- rogue DNS server:
python3 poc.py --port 5353
# Then point a PJSIP application at the rogue server:
#   pjsua --nameserver 127.0.0.1:5353 sip:user@target.example

# Docker (builds pjproject 2.16 from source with ASan):
docker compose build
docker compose run harness
```

## Requirements

- For standalone harness: `gcc` with AddressSanitizer support
- For network PoC: Python 3 (stdlib only, no external dependencies)
- For Docker: Docker + Docker Compose

## Files

| File | Description |
|------|-------------|
| `harness.c` | Standalone ASan harness -- reimplements vulnerable `get_name_len()` with exact pjproject types |
| `harness_pjlib.c` | Alternative harness calling real `pj_dns_parse_packet()` (for Docker) |
| `poc.py` | Rogue DNS server -- responds to any query with the crafted 20-byte packet |
| `run.sh` | Builds and runs the ASan harness |
| `Dockerfile` | Builds pjproject 2.16 from source with ASan |
| `docker-compose.yml` | Docker setup for the pjlib harness |
| `proof_output.txt` | Full ASan output from live verification |

## References

- https://github.com/pjsip/pjproject/security/advisories/GHSA-jr2p-p2w4-rr9q
- https://github.com/pjsip/pjproject/commit/5311aee398ae9d623829a6bad7b679a193c9e199

## Legal Notice

This project is released under the GNU GPLv3.

It is provided for defensive security research, education, and authorized
testing. Do not use this code against systems or services without explicit
permission from the owner.

Unauthorized use may violate applicable law. The authors do not grant permission
to test third-party systems and are not responsible for misuse.

See the LICENSE file for warranty and liability terms.