
ASA-2007-014: Stack buffer overflow in IAX2 channel driver



               Asterisk Project Security Advisory - ASA-2007-014

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Stack buffer overflow in IAX2 channel driver    |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Exploitable Stack Buffer Overflow               |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Critical                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | July 12, 2007                                   |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Russell Bryant, Digium, Inc.                    |
   |----------------------+-------------------------------------------------|
   |      Posted On       | July 17, 2007                                   |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | July 17, 2007                                   |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Russell Bryant <russell@xxxxxxxxxx>             |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2007-3762                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk IAX2 channel driver, chan_iax2, has a       |
   |             | remotely exploitable stack buffer overflow               |
   |             | vulnerability. It occurs when chan_iax2 is passed a      |
   |             | voice or video frame with a data payload larger than 4   |
   |             | kB. This is exploitable by sending a very large RTP      |
   |             | frame to an active RTP port number used by Asterisk when |
   |             | the other end of the call is an IAX2 channel. Exploiting |
   |             | this issue can cause a crash or allow arbitrary code     |
   |             | execution on a remote machine.                           |
   |             |                                                          |
   |             | The specific conditions that trigger the vulnerability   |
   |             | are the following:                                       |
   |             |                                                          |
   |             |   * iax2_write() is called with a frame with the         |
   |             |     following properties:                                |
   |             |                                                          |
   |             |        * a voice or video frame                          |
   |             |                                                          |
   |             |        * Its 4-byte timestamp has the same high 2 bytes  |
   |             |          as the previous frame that was sent             |
   |             |                                                          |
   |             |        * Its format is the one currently expected        |
   |             |                                                          |
   |             |        * Its data payload is larger than 4 kB            |
   |             |                                                          |
   |             | iax2_write() calls iax2_send() to send the frame. Inside |
   |             | of iax2_send(), there is a conditional check to          |
   |             | determine whether the frame should be sent immediately   |
   |             | (the now variable) or queued for transmission later.     |
   |             |                                                          |
   |             | If the frame is going to be transmitted later, an        |
   |             | iax_frame struct is dynamically allocated with a data    |
   |             | buffer that has the exact buffer size needed to          |
   |             | accommodate the provided ast_frame data. However, if     |
   |             | the frame is being sent immediately, it uses a stack     |
   |             | allocated iax_frame, with a data buffer size of 4096     |
   |             | bytes.                                                   |
   |             |                                                          |
   |             | Later, the iax_frame_wrap() function is used to copy the |
   |             | data from the ast_frame struct into the iax_frame        |
   |             | struct. This function assumes the iax_frame data buffer  |
   |             | has enough space for all of the data in the ast_frame.   |
   +------------------------------------------------------------------------+
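The description above names the bug class precisely: a copy routine (iax_frame_wrap) that trusts the caller to have sized the destination, and one caller path (the "send now" path in iax2_send) that uses a fixed 4096-byte stack buffer. The following is an added example, not Asterisk's code: a simplified C model of that send path in which the destination carries its capacity and the copy refuses a payload that does not fit. The struct layouts, the FRAME_VOICE/FRAME_VIDEO constants and the function names iax_frame_wrap_unchecked, iax_frame_wrap_checked, iax2_send_model and send_voice_payload are all constructed for this illustration and are not chan_iax2's real definitions.

```c
/* Added example, not Asterisk code: a simplified model of the chan_iax2
 * send path described in ASA-2007-014. Struct layouts, field names and
 * helper names are constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAX_FRAME_DATA_SIZE 4096 /* stack buffer size named in the advisory */
#define FRAME_VOICE 1
#define FRAME_VIDEO 2

/* Constructed stand-in for the incoming media frame (ast_frame). */
struct ast_frame {
    int frametype;
    const uint8_t *data;
    size_t datalen;
};

/* Constructed stand-in for the wire frame (iax_frame). `capacity` is the
 * piece of information the vulnerable copy did not have. */
struct iax_frame {
    uint8_t *data;
    size_t capacity;
    size_t datalen;
};

/* The pattern the advisory describes: the copy assumes the destination is
 * large enough. With a 4096-byte stack buffer and a larger payload this
 * writes past the end of the buffer. Kept here only for contrast. */
void iax_frame_wrap_unchecked(struct iax_frame *dst, const struct ast_frame *src)
{
    memcpy(dst->data, src->data, src->datalen);
    dst->datalen = src->datalen;
}

/* Hardened copy: refuse the frame when it does not fit. Returns 0 on
 * success, -1 when the payload exceeds the destination capacity. */
int iax_frame_wrap_checked(struct iax_frame *dst, const struct ast_frame *src)
{
    if (src->datalen > dst->capacity)
        return -1;
    memcpy(dst->data, src->data, src->datalen);
    dst->datalen = src->datalen;
    return 0;
}

/* Model of iax2_send(): a frame sent "now" uses a fixed stack buffer, a
 * queued frame gets a heap allocation sized to its payload. Returns the
 * number of bytes handed to the (omitted) transport, or -1 if the frame
 * was rejected. Only voice and video frames carry a payload here. */
long iax2_send_model(const struct ast_frame *f, int now)
{
    uint8_t stack_buf[IAX_FRAME_DATA_SIZE];
    struct iax_frame fr;
    long sent;

    if (f->frametype != FRAME_VOICE && f->frametype != FRAME_VIDEO)
        return -1;

    if (now) {
        fr.data = stack_buf;
        fr.capacity = sizeof stack_buf;
    } else {
        fr.data = malloc(f->datalen ? f->datalen : 1);
        if (!fr.data)
            return -1;
        fr.capacity = f->datalen;
    }

    if (iax_frame_wrap_checked(&fr, f) != 0) {
        /* Oversized payload on the stack path: drop it instead of overflowing. */
        if (!now)
            free(fr.data);
        return -1;
    }

    sent = (long)fr.datalen;
    if (!now)
        free(fr.data);
    return sent;
}

/* Helper: build a constructed voice frame of `len` bytes and send it. */
long send_voice_payload(size_t len, int now)
{
    uint8_t *payload = malloc(len ? len : 1);
    struct ast_frame f;
    long rc;

    if (!payload)
        return -1;
    memset(payload, 0xAB, len); /* constructed sample audio bytes */
    f.frametype = FRAME_VOICE;
    f.data = payload;
    f.datalen = len;
    rc = iax2_send_model(&f, now);
    free(payload);
    return rc;
}

int main(void)
{
    printf("160-byte frame, send now:  %ld\n", send_voice_payload(160, 1));
    printf("4097-byte frame, send now: %ld\n", send_voice_payload(4097, 1));
    printf("4097-byte frame, queued:   %ld\n", send_voice_payload(4097, 0));
    return 0;
}
```

The point of the model is the boundary the advisory identifies: a payload of exactly 4096 bytes still fits the stack buffer, while 4097 bytes on the immediate-send path must be rejected, whereas the queued path allocates a heap buffer sized to the payload and so accepts it. Whether an oversized frame is dropped, truncated or diverted to the heap path is a design choice; what matters is that the copy never runs without a capacity check.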

   +------------------------------------------------------------------------+
   | Resolution | This issue is only exploitable when the system is         |
   |            | configured in such a way that calls between channels that |
   |            | use RTP and IAX2 channels are possible. Also, some        |
   |            | additional protection against arbitrary code execution is |
   |            | provided if the call involves transcoding between audio   |
   |            | formats as this will change the contents of the frame     |
   |            | payload.                                                  |
   |            |                                                           |
   |            | All users that have systems that connect calls between    |
   |            | channels that use RTP and IAX2 channels should            |
   |            | immediately update to the versions listed in the         |
   |            | Corrected In section of this advisory.                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.22                |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | All versions          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | All versions prior to |
   |                                  |             | B.2.2.1               |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |      Product      |                      Release                       |
   |-------------------+----------------------------------------------------|
   |   Asterisk Open   |          1.2.22 and 1.4.8, available from          |
   |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
   |-------------------+----------------------------------------------------|
   | Asterisk Business |   B.2.2.1, available from the Asterisk Business    |
   |      Edition      |  Edition user portal on http://www.digium.com or   |
   |                   |                                                    |
   |                   |            via Digium Technical Support            |
   |-------------------+----------------------------------------------------|
   |    AsteriskNOW    | Beta7, available from http://www.asterisknow.org/. |
   |                   | Beta5 and Beta6 users can update using the system  |
   |                   |   update feature in the appliance control panel.   |
   |-------------------+----------------------------------------------------|
   |     Asterisk      |               0.5.0, available from                |
   |     Appliance     |                                                    |
   |   Developer Kit   |      ftp://ftp.digium.com/pub/telephony/aadk/      |
   |-------------------+----------------------------------------------------|
   |  s800i (Asterisk  |                       1.0.2                        |
   |    Appliance)     |                                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-014.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |         Editor          |      Revisions Made      |
   |-------------------+-------------------------+--------------------------|
   | July 17, 2007     | russell@xxxxxxxxxx      | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-014
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.