AST-2008-002: Two buffer overflows in RTP Codec Payload Handling

               Asterisk Project Security Advisory - AST-2008-002

   +------------------------------------------------------------------------+
   | Product | Asterisk |
   |--------------------+---------------------------------------------------|
   | Summary | Two buffer overflows in RTP Codec Payload |
   | | Handling |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Exploitable Buffer Overflow |
   |--------------------+---------------------------------------------------|
   | Susceptibility | Remote Unauthenticated Sessions |
   |--------------------+---------------------------------------------------|
   | Severity | Critical |
   |--------------------+---------------------------------------------------|
   | Exploits Known | No |
   |--------------------+---------------------------------------------------|
   | Reported On | March 11, 2008 |
   |--------------------+---------------------------------------------------|
   | Reported By | Mu Security Research Team |
   |--------------------+---------------------------------------------------|
   | Posted On | March 18, 2008 |
   |--------------------+---------------------------------------------------|
   | Last Updated On | March 18, 2008 |
   |--------------------+---------------------------------------------------|
   | Advisory Contact | Joshua Colp <jcolp_at_digium.com> |
   |--------------------+---------------------------------------------------|
   | CVE Name | CVE-2008-1289 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Two buffer overflows exist in the RTP payload handling |
   | | code of Asterisk. Both overflows can be caused by an |
   | | INVITE or any other SIP packet with SDP. The request may |
   | | need to be authenticated depending on configuration of |
   | | the Asterisk installation. |
   | | |
   | | The first overflow is caused by sending a payload number |
   | | that surpasses the programmed maximum payload number of |
   | | 256. This causes an invalid memory write outside of the |
   | | buffer. While this does not allow the attacker to write |
   | | arbitrary data it does allow the attacker to write a 0 |
   | | to other memory locations. |
   | | |
   | | The second overflow is caused by sending more than 32 |
   | | RTP payloads. This causes a buffer on the stack to |
   | | overflow allowing the attacker to write values between 0 |
   | | and 256 (the maximum payload number) to memory locations |
   | | after the buffer. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Two fixes have been added to check the provided data to |
   | | ensure it does not exceed static buffer sizes. |
   | | |
   | | When removing internal information regarding an RTP |
   | | payload the given payload number will now be checked to |
   | | make sure it does not exceed the maximum acceptable |
   | | payload number. |
   | | |
   | | When reading RTP payloads from SDP a maximum limit of 32 |
   | | in total will be enforced. Any further RTP payloads will |
   | | be discarded. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Affected Versions |
   |------------------------------------------------------------------------|
   | Product | Release | |
   | | Series | |
   |----------------------------+---------+---------------------------------|
   | Asterisk Open Source | 1.0.x | Unaffected |
   |----------------------------+---------+---------------------------------|
   | Asterisk Open Source | 1.2.x | Unaffected |
   |----------------------------+---------+---------------------------------|
   | Asterisk Open Source | 1.4.x | All versions prior to 1.4.18.1 |
   | | | and 1.4.19-rc3 |
   |----------------------------+---------+---------------------------------|
   | Asterisk Open Source | 1.6.x | All versions prior to |
   | | | 1.6.0-beta6 |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition | A.x.x | Unaffected |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition | B.x.x | Unaffected |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition | C.x.x | All versions prior to C.1.6.1 |
   |----------------------------+---------+---------------------------------|
   | AsteriskNOW | 1.0.x | All versions prior to 1.0.2 |
   |----------------------------+---------+---------------------------------|
   | Asterisk Appliance | SVN | All versions prior to Asterisk |
   | Developer Kit | | 1.4 revision 109386 |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) | 1.1.x | All versions prior to 1.1.0.2 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Corrected In |
   |------------------------------------------------------------------------|
   | Product | Release |
   |---------------+--------------------------------------------------------|
   | Asterisk Open | 1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from |
   | Source | http://downloads.digium.com/pub/telephony/asterisk |
   |---------------+--------------------------------------------------------|
   | Asterisk | C.1.6.1 |
   | Business | |
   | Edition | |
   |---------------+--------------------------------------------------------|
   | AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ |
   | | |
   | | Current users can update using the system update |
   | | feature in the appliance control panel. |
   |---------------+--------------------------------------------------------|
   | Asterisk | Asterisk 1.4 revision 109386. Available by performing |
   | Appliance | an svn update of the AADK tree. |
   | Developer Kit | |
   |---------------+--------------------------------------------------------|
   | s800i | 1.1.0.2 |
   | (Asterisk | |
   | Appliance) | |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Links | |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at |
   | http://www.asterisk.org/security |
   | |
   | This document may be superseded by later versions; if so, the latest |
   | version will be posted at |
   | http://downloads.digium.com/pub/security/AST-2008-002.pdf and |
   | http://downloads.digium.com/pub/security/AST-2008-002.html |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Revision History |
   |------------------------------------------------------------------------|
   | Date | Editor | Revisions Made |
   |------------------+--------------------+--------------------------------|
   | 2008-03-18 | Joshua Colp | Initial Release |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-002
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Received on Mar 19 2008