-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Multiple buffer overflows in Asterisk [MU-200803-01] March 18, 2008 http://labs.musecurity.com/advisories.html Affected Products/Versions: Asterisk 1.4.18 and other branches http://www.asterisk.org/node/48466 Product Overview: Asterisk is an open source telephony engine and toolkit. Asterisk implements the Session Initiation Protocol (SIP). Vulnerability Details: The Mu Security Research team has found two security issues in the SDP parser in Asterisk 1.4.18. One is an invalid write to an attacker-controllable, almost arbitrary memory location and the other is a stack buffer overflow with limited attacker-controllable values. 1) Sending an invalid RTP payload type number in the SDP payload of an INVITE message can cause a write to an invalid memory location. An attacker would have some control over the memory location. The invalid memory write is in ast_rtp_unset_m_type() (main/rtp.c, line 1655) called by process_line() (channels/chan_sip.c, line 5275). ast_rtp_unset_mt_type() does not validate pt, while it is validated in ast_rtp_set_mt_type() (line 1642). The attacker controls pt and could write a 0 to a wide range of memory locations. Example invalid SDP payload (invalid RTP payload type is 780903144): v=0 o=- 817933771 817933775 IN IP4 10.10.1.101 s=session-name c=IN IP4 10.10.1.101 t=0 0 m=audio 5000 RTP/AVP 0 a=rtpmap:780903144 PCMU/8000 a=rtpmap:4 G723/8000/1 a=rtpmap:97 telephone-event/8000 Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.value.value.value.value.integer.values:0,3,4. Vectors in the encoding and invalid variants reproduce the same issue. 2) Sending more than 32 RTP payload type number attributes in the SDP payload of a SIP INVITE will overflow a buffer on the stack. An attacker would have some control over the values written. In process_sdp() (channels/chan_sip.c, line 4980), rtpmap codecs are stored in found_rtpmap_codecs, an array of 32 ints. The number of codecs in the map is stored in last_rtpmap_codec. Codecs are appeneded to the array without checking the size of the array (line 5258). Up to 64 (SIP_MAX_LINES). An attacker would have some control over the values written - the codec must be between 0 and 256 (MAX_RTP_PT). Example SDP payload: v=0 o=- 817933771 817933775 IN IP4 10.10.1.101 s=session-name c=IN IP4 10.10.1.101 t=0 0 m=audio 5000 RTP/AVP 0 a=rtpmap:0 PCMU/8000 [... repeat this line ...] a=rtpmap:4 G723/8000/1 a=rtpmap:97 telephone-event/8000 Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.repeated:4. Vendor Response / Solution: Fixed in Asterisk 1.4.18.1 and other branches Available from http://www.asterisk.org History: March 11, 2008 - First contact with vendor March 18, 2008 - Vendor releases fix and advisory See also: CVE-2008-1289 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1289 Asterisk Project Security Advisory - AST-2008-002 http://downloads.digium.com/pub/security/AST-2008-002.html Credit: This vulnerability was discovered by the Mu Security research team. http://labs.musecurity.com/pgpkey.txt Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iD8DBQFH4GOaQLdDlEyOXHQRAgFHAKCRA//m6RV5jg8Q0IWh635lPesRvACePaux IfxfSGtQ39ihGPLJTwpNq7M= =V4dl -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/