Full Disclosure mailing list archives

AST-2008-001: Crash from transfer using BYE with Also header


From: Asterisk Security Team <security () asterisk org>
Date: Wed, 02 Jan 2008 17:57:50 -0400

                Asterisk Project Security Advisory - AST-2008-001

    +------------------------------------------------------------------------+
    |       Product       | Asterisk                                         |
    |---------------------+--------------------------------------------------|
    |       Summary       | Remote Crash Vulnerability in SIP channel driver |
    |---------------------+--------------------------------------------------|
    | Nature of Advisory  | Denial of Service                                |
    |---------------------+--------------------------------------------------|
    |   Susceptibility    | Remote Unauthenticated Sessions                  |
    |---------------------+--------------------------------------------------|
    |      Severity       | Critical                                         |
    |---------------------+--------------------------------------------------|
    |   Exploits Known    | No                                               |
    |---------------------+--------------------------------------------------|
    |     Reported On     | December 26, 2007                                |
    |---------------------+--------------------------------------------------|
    |     Reported By     | Grey VoIP (bugs.digium.com user greyvoip)        |
    |---------------------+--------------------------------------------------|
    |      Posted On      | January 2, 2008                                  |
    |---------------------+--------------------------------------------------|
    |   Last Updated On   | January 2, 2008                                  |
    |---------------------+--------------------------------------------------|
    |  Advisory Contact   | Joshua Colp <jcolp () digium com>                   |
    |---------------------+--------------------------------------------------|
    |      CVE Name       |                                                  |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Description | The handling of the BYE with Also transfer method was    |
    |             | broken during the development of Asterisk 1.4. If a      |
    |             | transfer attempt is made using this method the system    |
    |             | will immediately crash upon handling the BYE message due |
    |             | to trying to copy data into a NULL pointer. It is        |
    |             | important to note that a dialog must have already been   |
    |             | established and up in order for this to happen.          |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Resolution | A fix has been added so that the BYE with Also transfer   |
    |            | method now properly allocates and uses the transfer data  |
    |            | structure. It will no longer try to copy data into a NULL |
    |            | pointer and will operate properly.                        |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                           Affected Versions                            |
    |------------------------------------------------------------------------|
    |          Product           |   Release   |                             |
    |                            |   Series    |                             |
    |----------------------------+-------------+-----------------------------|
    |    Asterisk Open Source    |    1.0.x    | Unaffected                  |
    |----------------------------+-------------+-----------------------------|
    |    Asterisk Open Source    |    1.2.x    | Unaffected                  |
    |----------------------------+-------------+-----------------------------|
    |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
    |                            |             | 1.4.17                      |
    |----------------------------+-------------+-----------------------------|
    | Asterisk Business Edition  |    A.x.x    | Unaffected                  |
    |----------------------------+-------------+-----------------------------|
    | Asterisk Business Edition  |    B.x.x    | Unaffected                  |
    |----------------------------+-------------+-----------------------------|
    | Asterisk Business Edition  |    C.x.x    | All versions prior to       |
    |                            |             | C.1.0-beta8                 |
    |----------------------------+-------------+-----------------------------|
    |        AsteriskNOW         | pre-release | All versions prior to beta7 |
    |----------------------------+-------------+-----------------------------|
    |     Asterisk Appliance     |     SVN     | All versions prior to       |
    |       Developer Kit        |             | Asterisk 1.4 revision 95946 |
    |----------------------------+-------------+-----------------------------|
    | s800i (Asterisk Appliance) |    1.0.x    | All versions prior to       |
    |                            |             | 1.0.3.4                     |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                              Corrected In                              |
    |------------------------------------------------------------------------|
    |    Product    |                        Release                         |
    |---------------+--------------------------------------------------------|
    | Asterisk Open |                 1.4.17, available from                 |
    |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
    |---------------+--------------------------------------------------------|
    |   Asterisk    |                         C.1.0                          |
    |   Business    |                                                        |
    |    Edition    |                                                        |
    |---------------+--------------------------------------------------------|
    |  AsteriskNOW  |   Beta7, available from http://www.asterisknow.org/.   |
    |               |                                                        |
    |               |   Beta5 and Beta6 users can update using the system    |
    |               |     update feature in the appliance control panel.     |
    |---------------+--------------------------------------------------------|
    |   Asterisk    |  Asterisk 1.4 revision 95946. Available by performing  |
    |   Appliance   |            an svn update of the AADK tree.             |
    | Developer Kit |                                                        |
    |---------------+--------------------------------------------------------|
    |     s800i     |                        1.0.3.4                         |
    |   (Asterisk   |                                                        |
    |  Appliance)   |                                                        |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |      Links       | http://bugs.digium.com/view.php?id=11637            |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    | Asterisk Project Security Advisories are posted at                     |
    | http://www.asterisk.org/security                                       |
    |                                                                        |
    | This document may be superseded by later versions; if so, the latest   |
    | version will be posted at                                              |
    | http://downloads.digium.com/pub/security/AST-2008-001.pdf and          |
    | http://downloads.digium.com/pub/security/AST-2008-001.html             |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                            Revision History                            |
    |------------------------------------------------------------------------|
    |       Date       |       Editor       |         Revisions Made         |
    |------------------+--------------------+--------------------------------|
    | 2008-01-02       | Joshua Colp        | Initial Release                |
    +------------------------------------------------------------------------+

                Asterisk Project Security Advisory - AST-2008-001
               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
   Permission is hereby granted to distribute and publish this advisory in its
                            original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: