-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple buffer overflows in Asterisk [MU-200803-01]
March 18, 2008

https://labs.musecurity.com/advisories.html


Affected Products/Versions:

Asterisk 1.4.18 and other branches
https://www.asterisk.org/node/48466


Product Overview:

Asterisk is an open source telephony engine and toolkit. Asterisk
implements the Session Initiation Protocol (SIP).


Vulnerability Details:

The Mu Security Research team has found two security issues in the SDP
parser in Asterisk 1.4.18. One is an invalid write to an
attacker-controllable, almost arbitrary memory location and the other
is a stack buffer overflow with limited attacker-controllable values.

1) Sending an invalid RTP payload type number in the SDP payload of an
INVITE message can cause a write to an invalid memory location. An
attacker would have some control over the memory location.

The invalid memory write is in ast_rtp_unset_m_type() (main/rtp.c,
line 1655) called by process_line() (channels/chan_sip.c, line 5275).
ast_rtp_unset_mt_type() does not validate pt, while it is validated in
ast_rtp_set_mt_type() (line 1642). The attacker controls pt and could
write a 0 to a wide range of memory locations.

Example invalid SDP payload (invalid RTP payload type is 780903144):

v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:780903144 PCMU/8000
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000

Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.value.value.value.value.integer.values:0,3,4.
Vectors in the encoding and invalid variants reproduce the same issue.


2) Sending more than 32 RTP payload type number attributes in the SDP
payload of a SIP INVITE will overflow a buffer on the stack. An
attacker would have some control over the values written.

In process_sdp() (channels/chan_sip.c, line 4980), rtpmap codecs are
stored in found_rtpmap_codecs, an array of 32 ints. The number of
codecs in the map is stored in last_rtpmap_codec. Codecs are appeneded
to the array without checking the size of the array (line 5258). Up to
64 (SIP_MAX_LINES). An attacker would have some control over the
values written - the codec must be between 0 and 256 (MAX_RTP_PT).

Example SDP payload:
v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
[... repeat this line ...]
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000

Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.repeated:4.


Vendor Response / Solution:

Fixed in Asterisk 1.4.18.1 and other branches
Available from https://www.asterisk.org


History:

March 11, 2008       - First contact with vendor
March 18, 2008       - Vendor releases fix and advisory


See also:

CVE-2008-1289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1289

Asterisk Project Security Advisory - AST-2008-002
https://downloads.digium.com/pub/security/AST-2008-002.html


Credit:

This vulnerability was discovered by the Mu Security research team.

https://labs.musecurity.com/pgpkey.txt

Mu Security offers a new class of security analysis system, delivering
a rigorous and streamlined methodology for verifying the robustness
and security readiness of any IP-based product or application. Founded
by the pioneers of intrusion detection and prevention technology, Mu
Security is backed by preeminent venture capital firms that include
Accel Partners, Benchmark Capital and DAG Ventures. The company is
headquartered in Sunnyvale, CA. For more information, visit the
company's website at https://www.musecurity.com.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH4GOaQLdDlEyOXHQRAgFHAKCRA//m6RV5jg8Q0IWh635lPesRvACePaux
IfxfSGtQ39ihGPLJTwpNq7M=
=V4dl
-----END PGP SIGNATURE-----