CORE-2006-0327: IAXclient truncated frames vulnerabilities
Core Security Technologies - Corelabs Advisory
http://www.coresecurity.com/corelabs/
IAXclient truncated frames vulnerabilities
Date Published: 2006-06-09
Last Update: 2006-06-09
Advisory ID: CORE-2006-0327
Bugtraq ID: 18307
CVE Name: N/A
Title: IAXclient truncated frames vulnerabilities
Class: Input Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=548&idxseccion=10
Vendors contacted:
2006-06-05: Initial notification to vendor
2006-06-05: Vendor acknowledgment received
2006-06-05: Draft advisory and technical details provided to vendor
2006-06-05: Fixes committed to IAXclient source tree repository
2006-06-06: Notified third-party vendors that use the IAXclient library
Release Mode: COORDINATED RELEASE
*Vulnerability Description:*
IAXclient is an open source library that implements the IAX2 VoIP
protocol used by the Asterisk IP PBX and several VoIP software phones.
Two vulnerabilities have been found in the library that may grant
attackers remote execution of arbitrary code on systems using software
packages that rely on it to implement the IAX2 protocol support.
*Vulnerable Packages:*
Although this vulnerability was discovered and tested in the IDE FISK
software phone other software packages that use the IAXclient library
may be vulnerable. Software phones that implement the IAX2 protocol
using the IAXclient library:
- IDE FISK (confirmed vulnerable)
versions <= 1.35
- IaxComm (confirmed vulnerable)
versions < 1.2.0
- KIAX (confirmed vulnerable)
versions <= 0.8.5
- LoudHush
versions <= 1.3.6
- DIAX
- Ziaxphone, a softphone for the Zaurus PDA
- IAX Phone
- X-lite
- MediaX
- Extreme Networks ePhone
The Asterisk open source PBX is NOT VULNERABLE to these flaws because it
uses a different function to read and process IAX packets received form
the network that properly discards truncated packets.
*Solution/Vendor Information:*
Software packages using an IAXclient library built from source code
dated June 6th, 2006 or newer are not vulnerable.
A fix was committed to the IAXclient SVN source tree on June 5th, 2006.
To fix your client package obtain a current version of IAXclient from
the source repository an recompile the library.
Software phones not vulnerable
- IDE FISK 1.37
- LoudHush 1.3.7
- IaxComm 1.2.0
- KIAX 0.8.51
*Credits:*
Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and
Ivan Arce from Core Security Technologies discovered and tested these
vulnerabilities.
We would like to thank IAXclient maintainer Steve K for responding to
our bug report diligently and for his quickness in addressing the issue
and releasing a fix.
*Technical Description - Exploit/Concept Code:*
The Inter-Asterisk Exchange (IAX) protocol provides control and
transmission of streaming media over IP networks. IAX can be used with
any type of streaming media including video and still images but is
targeted primarily at the control of VoIP calls. [1]
The IAX protocol relies on a single UDP port for all its communications
(4569/udp). The protocol uses a 15-bit identification number (call
number) to multiplex several streams over the same UDP port.
IAX messages are called frames. Several basic frame types are described
in the protocol specification draft[1]. Two types of IAX frames are of
interest in this case: the IAX full frame and the IAX mini-frame which
are defined in file iaxclient/lib/libiax2/src/iax2.h
/* Full frames are always delivered reliably */
struct ast_iax2_full_hdr {
unsigned short scallno; /* Source call number -- high bit must be 1 */
unsigned short dcallno; /* Destination call number -- high bit is 1 if
retransmission */
unsigned int ts; /* 32-bit timestamp in milliseconds (from 1st
transmission) */
unsigned char oseqno; /* Packet number (outgoing) */
unsigned char iseqno; /* Packet number (next incoming expected) */
char type; /* Frame type */
unsigned char csub; /* Compressed subclass */
unsigned char iedata[0];
} __PACKED;
/* Mini header is used only for voice frames -- delivered unreliably */
struct ast_iax2_mini_hdr {
unsigned short callno; /* Source call number -- high bit must be 0, rest
must be non-zero */
unsigned short ts; /* 16-bit Timestamp (high 16 bits from last
ast_iax2_full_hdr) */
/* Frametype implicitly VOICE_FRAME */
/* subclass implicit from last ast_iax2_full_hdr */
unsigned char data[0];
} __PACKED;
Parsing of IAX packets received over the network is done in
iax_net_process() function implemented in
iaxclient/lib/libiax2/src/iax.c. The following excerpts are from
revision 536 of the file.
struct iax_event *iax_net_process(unsigned char *buf, int len, struct
sockaddr_in *sin)
{
struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)buf;
struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)buf;
struct iax_session *session;
if (ntohs(fh->scallno) & IAX_FLAG_FULL) {
/* Full size header */
[A] if (len < sizeof(struct ast_iax2_full_hdr)) {
DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr));
IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr));
}
/* We have a full header, process appropriately */
session = iax_find_session(sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL,
ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS, 1);
if (!session)
session = iax_txcnt_session(fh, len-sizeof(struct ast_iax2_full_hdr),
sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL, ntohs(fh->dcallno) &
~IAX_FLAG_RETRANS);
if (session)
return iax_header_to_event(session, fh, len - sizeof(struct
ast_iax2_full_hdr), sin);
DEBU(G "No session?\n");
return NULL;
} else {
[B] if (len < sizeof(struct ast_iax2_mini_hdr)) {
DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr));
IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr));
}
/* Miniature, voice frame */
session = iax_find_session(sin, ntohs(fh->scallno), 0, 0);
if (session)
return iax_miniheader_to_event(session, mh, len - sizeof(struct
ast_iax2_mini_hdr));
DEBU(G "No session?\n");
return NULL;
}
}
The 'len' argument is received from the iax_net_read() function
implemented in the same file. Its value is set to the return value of a
call to the recvfrom(2) function -the number of bytes read from the
network. The 'buf' argument is a pointer to a fixed-size buffer
allocated in the stack with the data read in the iax_net_read() function.
The function performs length checks at [A] and [B] to make sure that the
received packet is not a truncated full-frame or mini-frame
respectively, but processing of possibly undersized packets continues
after output of error messages. This will provide two exploitable
security flaws further down the execution flow.
IAX2 truncated full-frame vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the case of [A] a full-frame packet is processed with the following
execution flow:
iax_net_read()
iax_net_process()
iax_find_session()
iax_txcnt_session()
iax_header_to_event()
The iax_txcnt_session is implemented in the same file:
static struct iax_session *iax_txcnt_session(struct ast_iax2_full_hdr
*fh, int datalen,
struct sockaddr_in *sin, short callno, short dcallno)
{
int subclass = uncompress_subclass(fh->csub);
unsigned char buf[ 65536 ]; /* allocated on stack with same size as
iax_net_read() */
struct iax_ies ies;
struct iax_session *cur;
if ((fh->type != AST_FRAME_IAX) || (subclass != IAX_COMMAND_TXCNT) ||
(!datalen)) {
return NULL; /* special handling for TXCNT only */
}
[C] memcpy(buf, fh->iedata, datalen); /* prepare local buf for
iax_parse_ies() */
if (iax_parse_ies(&ies, buf, datalen)) {
return NULL; /* Unable to parse IE's */
}
...
The 'datalen' argument receives the value passed by iax_net_process()
calculated as datalen = len-sizeof(struct ast_iax2_full_hdr) which will
be become less than 0 if a truncated full frame packet was read from the
network.
Later in [C] the memcpy using a possibly negative value of 'datalen'
will trigger a buffer overflow on the fixed-sized buffer 'buf' in the
stack. A 11-byte UDP packet can be crafted to to trigger the
vulnerability and execute arbitrary code on vulnerable systems.
The iax_header_to_event() function suffers from a similar problem (in
this case a heap overflow) due to its use of a combination of malloc(2),
memset(2) and memcpy(2) using a possibly negative length argument
IAX2 truncated mini-frame vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Similarly, in the case of [B], mini-frame packets are processed
following this execution flow:
iax_net_read()
iax_net_process()
iax_find_session()
iax_miniheader_to_event()
An excerpt from the iax_miniheader_to_event() funtion, implemente in the
same file is shown below:
static struct iax_event *iax_miniheader_to_event(struct iax_session
*session,
struct ast_iax2_mini_hdr *mh,
int datalen)
{
struct iax_event *e;
unsigned int ts;
int updatehistory = 1;
e = (struct iax_event *)malloc(sizeof(struct iax_event) + datalen);
if (e) {
if (session->voiceformat > 0) {
e->etype = IAX_EVENT_VOICE;
e->session = session;
e->subclass = session->voiceformat;
e->datalen = datalen;
if (datalen) {
#ifdef EXTREME_DEBUG
DEBU(G "%d bytes of voice\n", datalen);
#endif
[D] memcpy(e->data, mh->data, datalen);
}
ts = (session->last_ts & 0xFFFF0000) | ntohs(mh->ts);
return schedule_delivery(e, ts, updatehistory);
The memcpy in [D] will trigger buffer overflow of heap-allocated data if
the 'datalen' argument has a value of less than 0. A 3-byte UDP packet
(1-byte shorter than a mini-frame packet) can be crafted to trigger the
overflow and execute arbitrary code on vulnerable systems.
*Workaround:*
Block inbound packets to port 4569/udp at the perimeter. This workaround
will prevent IAX-based VoIP solutions from working with VoIP services
outside the boundaries of the filtered network. Particularly, IAX
software phones will be unable to communicate with IAX2 PBXs or
termination services across the network perimeter.
*Additional information and References*
[1] Inter-Asterisk Exchange (IAX) version 2 protocol
(draft-mspencer-iax2-01) http://www.cornfed.com/iax.pdf
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing product
for assessing specific information security threats to an organization.
Penetration testing evaluates overall network security and identifies
what resources are exposed. It enables organizations to determine if
current security investments are detecting and preventing attacks.
Core augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.
Based in Boston, MA. and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 Corelabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
$Id: IAXclient-advisory.txt,v 1.3 2006/05/18 21:46:58 iarce Exp $