<<< Date Index >>>     <<< Thread Index >>>

AST-2008-005: HTTP Manager ID is predictable



               Asterisk Project Security Advisory - AST-2008-005

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | HTTP Manager ID is predictable                  |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | An attacker could hijack a manager session      |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | All users using the HTTP manager port           |
   |----------------------+-------------------------------------------------|
   |       Severity       | Minor                                           |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | No                                              |
   |----------------------+-------------------------------------------------|
   |     Reported On      | February 25, 2008                               |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Dino A. Dai Zovi < ddz AT theta44 DOT org >     |
   |----------------------+-------------------------------------------------|
   |      Posted On       | March 18, 2008                                  |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | March 18, 2008                                  |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Tilghman Lesher < tlesher AT digium DOT com >   |
   |----------------------+-------------------------------------------------|
   |       CVE Name       | CVE-2008-1390                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Due to the way that manager IDs are calculated, this     |
   |             | 32-bit integer is likely to have a much larger than      |
   |             | average number of 1s, which greatly reduces the number   |
   |             | of guesses an attacker would have to make to             |
   |             | successfully predict the manager ID, which is used       |
   |             | across multiple HTTP queries to hold manager state.      |
   |             |                                                          |
   |             | "The issue is the generation of session ids in the       |
   |             | AsteriskGUI HTTP server.                                 |
   |             |                                                          |
   |             | When using Glibc, the implementation and state of rand() |
   |             | and random() is                                          |
   |             |                                                          |
   |             | shared. Asterisk uses random() to issue MD5 digest       |
   |             | authentication                                           |
   |             |                                                          |
   |             | challenges and rand() bitwise-ORed with a malloc'd       |
   |             | pointer to generate                                      |
   |             |                                                          |
   |             | AsteriskGUI session identifiers. An attacker can         |
   |             | synchronize with                                         |
   |             |                                                          |
   |             | random() by retrieving 32 successive challenges and      |
   |             | predict all subsequent                                   |
   |             |                                                          |
   |             | output of calls to random() and rand(). Because a        |
   |             | pointer returned by                                      |
   |             |                                                          |
   |             | malloc has at best 21 bits of entropy, the attacker will |
   |             | on average only                                          |
   |             |                                                          |
   |             | need to guess 1448 session identifiers in order to steal |
   |             | an established                                           |
   |             |                                                          |
   |             | session.                                                 |
   |             |                                                          |
   |             | "The crux of the problem is that under Glibc, the        |
   |             | implementation of rand()                                 |
   |             |                                                          |
   |             | and random() is shared. rand() is just an alias to       |
   |             | random(). This means                                     |
   |             |                                                          |
   |             | that they all come from the same randomizer with the     |
   |             | same state.                                              |
   |             |                                                          |
   |             | "A remote attacker can synchronize with all subsequent   |
   |             | output of a remote                                       |
   |             |                                                          |
   |             | system's random() state by just observing or retrieving  |
   |             | 32 successive                                            |
   |             |                                                          |
   |             | outputs. They can easily do this by generating 32 MD5    |
   |             | digest                                                   |
   |             |                                                          |
   |             | authentication challenges. At this point, they will be   |
   |             | able to predict                                          |
   |             |                                                          |
   |             | all subsequent output of random() and rand().            |
   |             |                                                          |
   |             | "The memory address returned by calloc() is also not     |
   |             | sufficiently random.                                     |
   |             |                                                          |
   |             | In practice, it will be in low memory, immediately       |
   |             | following the executable.                                |
   |             |                                                          |
   |             | In addition, the buffer returned will be 8-byte aligned. |
   |             | This means that                                          |
   |             |                                                          |
   |             | the high order 8 bits and low order 3 bits will always   |
   |             | be zero. Finally,                                        |
   |             |                                                          |
   |             | this value is bitwise ORed with the output of random(),  |
   |             | so any bits that                                         |
   |             |                                                          |
   |             | are set will be preserved.                               |
   |             |                                                          |
   |             | "An attacker will only have to guess 2^N session ids,    |
   |             | where N is the number                                    |
   |             |                                                          |
   |             | of zeros in the number return by random() between bit    |
   |             | positions 3 and 24.                                      |
   |             |                                                          |
   |             | On average, this will be 1448 guesses.                   |
   |             |                                                          |
   |             | "However, an attacker can do better than this by         |
   |             | consuming challenges until                               |
   |             |                                                          |
   |             | the following number output by random() has many 1's in  |
   |             | those significant                                        |
   |             |                                                          |
   |             | bit positions."                                          |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | To mitigate this attack, the two values are now XORed     |
   |            | together. This will increase the entropy to approximately |
   |            | 2^21, which is far more difficult to predict, especially  |
   |            | given that the random number generator is used for other  |
   |            | purposes in Asterisk, not just manager HTTP session ID    |
   |            | generation.                                               |
   |            |                                                           |
   |            | Upgrade to SVN revision 104704 or greater, or upgrade to  |
   |            | one of the releases below. That the random number         |
   |            | generator is used for other things makes this attack      |
   |            | extremely difficult and unlikely, so we will not produce  |
   |            | a separate release for this security advisory.            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |   Release   |                             |
   |                            |   Series    |                             |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.0.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.2.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.4.x    | All versions prior to       |
   |                            |             | 1.4.19-rc3                  |
   |----------------------------+-------------+-----------------------------|
   |    Asterisk Open Source    |    1.6.x    | All versions prior to       |
   |                            |             | 1.6.0-beta6                 |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    A.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    B.x.x    | Not affected                |
   |----------------------------+-------------+-----------------------------|
   | Asterisk Business Edition  |    C.x.x    | All versions prior to C.1.6 |
   |----------------------------+-------------+-----------------------------|
   |        AsteriskNOW         | pre-release | All versions prior to 1.0.2 |
   |----------------------------+-------------+-----------------------------|
   |     Asterisk Appliance     |     SVN     | All revisions prior to      |
   |       Developer Kit        |             | 104704                      |
   |----------------------------+-------------+-----------------------------|
   | s800i (Asterisk Appliance) |    1.0.x    | All versions prior to       |
   |                            |             | 1.1.0.2                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |               Product                |             Release             |
   |--------------------------------------+---------------------------------|
   |         Asterisk Open Source         |     1.4.19-rc3, 1.6.0-beta6     |
   |--------------------------------------+---------------------------------|
   |      Asterisk Business Edition       |              C.1.6              |
   |--------------------------------------+---------------------------------|
   |             AsteriskNOW              |              1.0.2              |
   |--------------------------------------+---------------------------------|
   |   Asterisk Appliance Developer Kit   |  Asterisk 1.4 revision 104704   |
   |--------------------------------------+---------------------------------|
   |      s800i (Asterisk Appliance)      |             1.1.0.2             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-005.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-005.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |         Editor         |       Revisions Made        |
   |-----------------+------------------------+-----------------------------|
   | 2008-03-18      | Tilghman Lesher        | Initial release             |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-005
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.