SecurityReason.com - SecurityAlert Database

Two buffer overflows in RTP Codec Payload Handling


SecurityAlert     : 3763
CVE               : CVE-2008-1289
SecurityRisk      : High
Remote Exploit    : Yes
Local Exploit     : Yes
Exploit Given     : Yes
Credit            : Joshua Colp
Published         : 24.03.2008
Affected Software : Asterisk Open Source

Advisory Text:

Asterisk Project Security Advisory - AST-2008-002

Product            : Asterisk
Summary            : Two buffer overflows in RTP Codec Payload Handling
Nature of Advisory : Exploitable Buffer Overflow
Susceptibility     : Remote Unauthenticated Sessions
Severity           : Critical
Exploits Known     : No
Reported On        : March 11, 2008
Reported By        : Mu Security Research Team
Posted On          : March 18, 2008
Last Updated On    : March 18, 2008
Advisory Contact   : Joshua Colp <jcolp (at) digium (dot) com>
CVE Name           : CVE-2008-1289

Description:

Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation.

The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data, it does allow the attacker to write a 0 to other memory locations.

The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow, allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer.

Resolution:

Two fixes have been added to check the provided data to ensure it does not exceed static buffer sizes.

When removing internal information regarding an RTP payload, the given payload number will now be checked to make sure it does not exceed the maximum acceptable payload number.

When reading RTP payloads from SDP, a maximum limit of 32 in total will be enforced. Any further RTP payloads will be discarded.
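The two checks the Resolution section describes, as an added example written for this page and not Asterisk's own code: a 256-entry payload-type table whose index is validated before the zero-write (the first fix), and a parser for an SDP m= line that stops storing payload numbers after 32 and discards the rest (the second fix). The constants 256 and 32 are the limits named in the advisory; the struct, function and variable names (rtp_pt_table, rtp_unset_pt, parse_sdp_m_line, g_table and so on) and the sample m= lines are this example's own assumptions, and skipping payload numbers outside 0..255 while parsing is this example's choice, not something the advisory states.

```c
/*
 * Added example, not Asterisk code: the two bounds checks from AST-2008-002
 * modelled on a simplified payload-type table and SDP "m=" line parser.
 * MAX_RTP_PT (256) and MAX_SDP_CODECS (32) are the advisory's limits; all
 * names below are this example's own. (The RTP PT field itself is 7 bits,
 * 0..127, so a 256-slot table already has headroom; the bug was the missing
 * check, not the table size.)
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RTP_PT      256  /* size of the per-session payload-type table */
#define MAX_SDP_CODECS   32  /* fixed-size list of payload numbers from one m= line */

struct rtp_pt_table {
    int in_use[MAX_RTP_PT];  /* non-zero when that payload number is mapped to a codec */
};

/* Globals so the functions can be exercised without a caller allocating state. */
struct rtp_pt_table g_table;
int g_codecs[MAX_SDP_CODECS];
int g_dropped;

int rtp_set_pt(struct rtp_pt_table *t, int pt)
{
    if (pt < 0 || pt >= MAX_RTP_PT)
        return -1;
    t->in_use[pt] = 1;
    return 0;
}

/*
 * Fix 1. The unpatched code took the payload number from the SDP and wrote 0
 * to in_use[pt]; with pt >= 256 that zero landed outside the array (the
 * controlled zero-write the advisory describes). Validate the index first.
 */
int rtp_unset_pt(struct rtp_pt_table *t, int pt)
{
    if (pt < 0 || pt >= MAX_RTP_PT)
        return -1;           /* out of range: refuse rather than write past the table */
    t->in_use[pt] = 0;
    return 0;
}

/*
 * Fix 2. Parse "m=audio 49170 RTP/AVP 0 8 101 ..." into a bounded array.
 * The unpatched code appended to a 32-entry stack array for every payload
 * token; here entries past MAX_SDP_CODECS are counted in *dropped and
 * discarded. Returns the number of payloads stored, or -1 on a malformed line.
 */
int parse_sdp_m_line(const char *line, int codecs[MAX_SDP_CODECS], int *dropped)
{
    const char *p = line;
    int n = 0;

    *dropped = 0;
    if (strncmp(p, "m=", 2) != 0)
        return -1;
    p += 2;

    /* Skip the three fixed fields: media type, port, transport. */
    for (int field = 0; field < 3; field++) {
        if (!*p || isspace((unsigned char)*p))
            return -1;                        /* empty field */
        while (*p && !isspace((unsigned char)*p))
            p++;
        while (*p && isspace((unsigned char)*p))
            p++;
    }

    /* Every remaining token is a payload number. */
    while (*p) {
        char *end;
        long pt = strtol(p, &end, 10);
        if (end == p || (*end && !isspace((unsigned char)*end)))
            return -1;                        /* non-numeric token */
        p = end;
        while (*p && isspace((unsigned char)*p))
            p++;

        if (pt < 0 || pt >= MAX_RTP_PT)
            continue;                         /* example's choice: skip what the table cannot index */
        if (n >= MAX_SDP_CODECS) {
            (*dropped)++;                     /* the advisory's fix: discard, never overflow */
            continue;
        }
        codecs[n++] = (int)pt;
    }
    return n;
}

int main(void)
{
    int n = parse_sdp_m_line("m=audio 49170 RTP/AVP 0 8 101", g_codecs, &g_dropped);
    printf("accepted %d payloads, dropped %d\n", n, g_dropped);
    printf("unset payload 300 -> %d (rejected)\n", rtp_unset_pt(&g_table, 300));
    return 0;
}
```

Both checks are cheap and belong at the trust boundary where the number first enters the process (the SDP parser); the second check also removes the attacker's ability to choose how many out-of-bounds writes occur, which is what turned a stack array into a write primitive.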

Affected Versions:

Product                            Release Series   Affected
Asterisk Open Source               1.0.x            Unaffected
Asterisk Open Source               1.2.x            Unaffected
Asterisk Open Source               1.4.x            All versions prior to 1.4.18.1 and 1.4.19-rc3
Asterisk Open Source               1.6.x            All versions prior to 1.6.0-beta6
Asterisk Business Edition          A.x.x            Unaffected
Asterisk Business Edition          B.x.x            Unaffected
Asterisk Business Edition          C.x.x            All versions prior to C.1.6.1
AsteriskNOW                        1.0.x            All versions prior to 1.0.2
Asterisk Appliance Developer Kit   SVN              All versions prior to Asterisk 1.4 revision 109386
s800i (Asterisk Appliance)         1.1.x            All versions prior to 1.1.0.2

Corrected In:

Product                            Release
Asterisk Open Source               1.4.18.1 / 1.4.19-rc3 / 1.6.0-beta6, available from
                                   http://downloads.digium.com/pub/telephony/asterisk
Asterisk Business Edition          C.1.6.1
AsteriskNOW                        1.0.2, available from http://www.asterisknow.org/
                                   Current users can update using the system update
                                   feature in the appliance control panel.
Asterisk Appliance Developer Kit   Asterisk 1.4 revision 109386, available by performing
                                   an svn update of the AADK tree.
s800i (Asterisk Appliance)         1.1.0.2

Links:

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/AST-2008-002.pdf and
http://downloads.digium.com/pub/security/AST-2008-002.html

Revision History:

Date         Editor        Revisions Made
2008-03-18   Joshua Colp   Initial Release

Asterisk Project Security Advisory - AST-2008-002
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.




