oss-sec mailing list archives

CVE request: FreeSWITCH regex substitution 3 buffer overflows
From: Michael Tokarev <mjt () tls msk ru>
Date: Tue, 02 Jul 2013 00:46:26 +0400

Hello.

Yesterday I started thinking for the first time about some VOIP
solution for our office, and came across FreeSWITCH software --
www.freeswitch.org.  After talking on IRC a bit, I decided to
take a look at the source, because a question asked by one of
the users looked interesting to me.

And immediately I discovered 3 buffer overflows in the _first_
function I ever saw in the source of this software.

http://jira.freeswitch.org/browse/FS-5566 - it is the original
 bug report, which looked innocent enough initially.

http://jira.freeswitch.org/secure/attachment/18855/0001-regex_subst-allow-n-in-regex-substitutions-and-fix-3.patch --
 this is a patch of mine that fixes the initial bug and also the 3
 buffer overflows I found when dealing with the issue.

Some context.  FreeSWITCH's routing mechanism is based almost
entirely on regular expressions and uses substring matches
in the core routing (dialplan).  So the regexps are matched
against untrusted input (which is especially mentioned in the
docs).  But of course it isn't easy for users to write regexps
correctly, always constraining the length of the input
properly.

So, if there are any references to unconstrained input in
any dialplan expressions -- that is, if \d+ is used instead
of \d{10} -- we get remotely triggerable buffer overflows
with good potential for remote code execution.

As simple as that.

It _looks_ like the default configuration isn't affected
since apparently all regexes there are constrained.  But
we can't be sure for all user configs.

I haven't studied actual potential for code execution,
but from a quick view it appears quite possible.

Thanks,

/mjt
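The failure mode described in the report is a substitution routine that copies captured substrings into a fixed-size output buffer without checking how much room is left, so a dialplan regex like `\d+` lets a caller-controlled string decide the copy length. The following is an added illustration of the hardened shape of such a routine, written for this archive page; it is not FreeSWITCH's `regex_subst` code nor the patch linked above. It uses POSIX `regex.h` (ERE syntax, so `[0-9]` in place of `\d`), expands `$0`..`$9` references from a template, and refuses to write when the expansion would not fit. The pattern strings, the `sofia/gateway/$1` template and the 40-digit subject are constructed sample inputs.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_GROUPS 10   /* $0..$9 */

/* Constructed sample: a 40-digit "called number" that a \d+ capture would accept whole. */
static const char LONG_DIGITS[] = "1234567890123456789012345678901234567890";

/* Expand $N references in `tmpl` using the match offsets `m` taken from `subject`.
 * Every write is checked against `outsz`; on overflow the function returns -1
 * instead of truncating silently or running past the buffer.
 * Returns the number of bytes written (excluding the NUL) on success. */
int regex_subst_bounded(const char *subject, const char *tmpl,
                        const regmatch_t *m, size_t ngroups,
                        char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            size_t g = (size_t)(p[1] - '0');
            p++;                                   /* consume the digit */
            if (g >= ngroups || m[g].rm_so < 0) continue;   /* unmatched group: expands to "" */
            size_t len = (size_t)(m[g].rm_eo - m[g].rm_so);
            if (len >= outsz - o) return -1;       /* must leave room for the NUL */
            memcpy(out + o, subject + m[g].rm_so, len);
            o += len;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Compile `pattern` (POSIX ERE), match it against `subject`, then substitute.
 * Returns -2 on compile error, -3 on no match, otherwise regex_subst_bounded's result. */
int match_and_subst(const char *pattern, const char *subject, const char *tmpl,
                    char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[MAX_GROUPS];
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -2;
    int rc = regexec(&re, subject, MAX_GROUPS, m, 0);
    regfree(&re);
    if (rc != 0) return -3;
    return regex_subst_bounded(subject, tmpl, m, MAX_GROUPS, out, outsz);
}

/* Helpers that run the substitution into a stack buffer of `outsz` bytes (capped at 64)
 * and report the status code, or whether the output equals `expected`. */
int subst_status(const char *pattern, const char *subject, const char *tmpl, size_t outsz)
{
    char out[64];
    if (outsz > sizeof out) outsz = sizeof out;
    return match_and_subst(pattern, subject, tmpl, out, outsz);
}

int subst_matches(const char *pattern, const char *subject, const char *tmpl,
                  size_t outsz, const char *expected)
{
    char out[64];
    if (outsz > sizeof out) outsz = sizeof out;
    if (match_and_subst(pattern, subject, tmpl, out, outsz) < 0) return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constrained regex: a 10-digit number fits a 32-byte dial string. */
    printf("constrained, 10 digits : %d\n",
           subst_status("^([0-9]{10})$", "5551234567", "sofia/gateway/$1", 32));
    /* Unconstrained regex: 40 digits would overflow 32 bytes; the bounded routine refuses. */
    printf("unconstrained, 40 digits: %d\n",
           subst_status("^([0-9]+)$", LONG_DIGITS, "sofia/gateway/$1", 32));
    /* Constrained regex simply does not match the oversized input. */
    printf("constrained, 40 digits : %d\n",
           subst_status("^([0-9]{10})$", LONG_DIGITS, "sofia/gateway/$1", 32));
    return 0;
}
```

The two independent defences are visible side by side: the dialplan author constrains the capture (`{10}` instead of `+`) so oversized input never matches, and the substitution code checks the remaining space on every copy so that a loose regex cannot turn into a memory-safety bug.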

