<<< Date Index >>>     <<< Thread Index >>>

AST-2008-002: Two buffer overflows in RTP Codec Payload Handling



               Asterisk Project Security Advisory - AST-2008-002

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Two buffer overflows in RTP Codec Payload         |
   |                    | Handling                                          |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Exploitable Buffer Overflow                       |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | March 11, 2008                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Mu Security Research Team                         |
   |--------------------+---------------------------------------------------|
   |     Posted On      | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | March 18, 2008                                    |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Joshua Colp <jcolp@xxxxxxxxxx>                    |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-1289                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | Two buffer overflows exist in the RTP payload handling   |
   |             | code of Asterisk. Both overflows can be caused by an     |
   |             | INVITE or any other SIP packet with SDP. The request may |
   |             | need to be authenticated depending on configuration of   |
   |             | the Asterisk installation.                               |
   |             |                                                          |
   |             | The first overflow is caused by sending a payload number |
   |             | that surpasses the programmed maximum payload number of  |
   |             | 256. This causes an invalid memory write outside of the  |
   |             | buffer. While this does not allow the attacker to write  |
   |             | arbitrary data it does allow the attacker to write a 0   |
   |             | to other memory locations.                               |
   |             |                                                          |
   |             | The second overflow is caused by sending more than 32    |
   |             | RTP payloads. This causes a buffer on the stack to       |
   |             | overflow allowing the attacker to write values between 0 |
   |             | and 256 (the maximum payload number) to memory locations |
   |             | after the buffer.                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Two fixes have been added to check the provided data to   |
   |            | ensure it does not exceed static buffer sizes.            |
   |            |                                                           |
   |            | When removing internal information regarding an RTP       |
   |            | payload the given payload number will now be checked to   |
   |            | make sure it does not exceed the maximum acceptable       |
   |            | payload number.                                           |
   |            |                                                           |
   |            | When reading RTP payloads from SDP a maximum limit of 32  |
   |            | in total will be enforced. Any further RTP payloads will  |
   |            | be discarded.                                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.0.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.2.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.4.x  | All versions prior to 1.4.18.1  |
   |                            |         | and 1.4.19-rc3                  |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.6.x  | All versions prior to           |
   |                            |         | 1.6.0-beta6                     |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  A.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  B.x.x  | Unaffected                      |
   |----------------------------+---------+---------------------------------|
   | Asterisk Business Edition  |  C.x.x  | All versions prior to C.1.6.1   |
   |----------------------------+---------+---------------------------------|
   |        AsteriskNOW         |  1.0.x  | All versions prior to 1.0.2     |
   |----------------------------+---------+---------------------------------|
   |     Asterisk Appliance     |   SVN   | All versions prior to Asterisk  |
   |       Developer Kit        |         | 1.4 revision 109386             |
   |----------------------------+---------+---------------------------------|
   | s800i (Asterisk Appliance) |  1.1.x  | All versions prior to 1.1.0.2   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |    1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from     |
   |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |                        C.1.6.1                         |
   |   Business    |                                                        |
   |    Edition    |                                                        |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |   1.0.2, available from http://www.asterisknow.org/    |
   |               |                                                        |
   |               |    Current users can update using the system update    |
   |               |        feature in the appliance control panel.         |
   |---------------+--------------------------------------------------------|
   |   Asterisk    | Asterisk 1.4 revision 109386. Available by performing  |
   |   Appliance   |            an svn update of the AADK tree.             |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                        1.1.0.2                         |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-002.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-002.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date       |       Editor       |         Revisions Made         |
   |------------------+--------------------+--------------------------------|
   | 2008-03-18       | Joshua Colp        | Initial Release                |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-002
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.