Multiple sscanf vulnerabilities in Asterisk [MU-200908-01]
August 10, 2009

http://labs.mudynamics.com/advisories.html

Affected Products/Versions:

Asterisk 1.6.1 branch up to 1.6.1.2.

Product Overview:

Asterisk is an open source telephony engine and toolkit. Asterisk implements the Session Initiation Protocol (SIP).

Vulnerability Details:

The Mu Dynamics Research team has found several vulnerabilities stemming from unsafe use of the sscanf C standard library function. The sscanf function is used in several places in Asterisk source code for parsing numeric values from ASCII text in incoming SIP messages. These calls to sscanf generally fail to specify a maximum width for the field being parsed. With no width specified, sscanf defaults to a maximum width of infinity. A remote attacker can take advantage of this by crafting a SIP Invite message with a large number of ASCII decimal characters in a position where a numeric value is being parsed.

E.g. the following sscanf call used to parse out the CSeq value from the SIP header is vulnerable (chan_sip.c, line 19578):

    if (!error && sscanf(cseq, "%d%n", &seqno, &len) != 1) {

A remote attacker can crash Asterisk by sending a SIP Invite where the CSeq value is prefixed by a large number of ASCII decimal characters (such as 32768 zeros).

Other areas demonstrated to be vulnerable include Content-Length parsing (chan_sip.c, line 6769) and SDP processing (chan_sip.c, lines 6977, 7035, 7043, and 7285). Based on code inspection this list is not complete.

Vendor Response / Solution:

Fixed in Asterisk 1.6.1.4. For details see: http://downloads.asterisk.org/pub/security/AST-2009-005.html.

History:

July 28, 2009 - First contact with vendor
August 10, 2009 - Vendor releases fix and advisory

See also:

http://www.pcapr.net/advisories/MU-200908-01.pcap
http://downloads.asterisk.org/pub/security/AST-2009-005.pdf

Credit:

This vulnerability was discovered by the Mu Dynamics research team.

http://labs.mudynamics.com/pgpkey.txt

Mu Dynamics proactively eliminates the high cost of service, application and network downtime. Mu's solution automates a systematic and repeatable process that identifies hard-to-detect sources of potential downtime within IP services, applications, and underlying networks. The award-winning Mu solution is deployed at more than 100 locations, primarily at leading global service providers, cable operators and network product vendors. Headquartered in Sunnyvale, California, Mu is backed by leading venture capital firms that include Accel Partners, Benchmark Capital, DAG Ventures and Focus Ventures. For more information, visit the company's website at http://www.mudynamics.com.
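
Added example, not part of the original advisory and not Asterisk's code: a width-limited sscanf parse of the CSeq number that rejects over-long digit runs instead of silently truncating them. The names parse_cseq_bounded and parse_zero_padded, the 10-digit cap and the INT_MAX range check are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not an Asterisk function: parse the number at the
 * start of a CSeq value such as "102 INVITE". Returns 0 on success, -1 if
 * the number is missing, negative, above INT_MAX or over 10 digits long. */
int parse_cseq_bounded(const char *cseq, int *seqno, int *len)
{
    long long v = 0;
    int n = 0;

    /* "%10lld" caps the characters sscanf consumes for the number (the
     * call quoted in the advisory has no width). Ten digits always fit
     * in a long long, so the conversion itself cannot overflow. */
    if (sscanf(cseq, "%10lld%n", &v, &n) != 1)
        return -1;
    /* A digit right after the match means the field exceeded the cap:
     * reject it rather than accept a truncated value. */
    if (isdigit((unsigned char)cseq[n]) || v < 0 || v > INT_MAX)
        return -1;
    *seqno = (int)v;
    *len = n;
    return 0;
}

/* Constructed input: `zeros` ASCII '0' characters followed by "1 INVITE",
 * the shape of value the advisory describes. Returns the parser's result. */
int parse_zero_padded(size_t zeros)
{
    int seqno = 0, len = 0, rc;
    char *buf = malloc(zeros + sizeof("1 INVITE"));
    if (!buf)
        return -2;
    memset(buf, '0', zeros);
    strcpy(buf + zeros, "1 INVITE");
    rc = parse_cseq_bounded(buf, &seqno, &len);
    free(buf);
    return rc;
}

int main(void)
{
    printf("32768 zeros: rc=%d\n", parse_zero_padded(32768));
    printf("9 zeros:     rc=%d\n", parse_zero_padded(9));
    return 0;
}
```

The same pattern (explicit width, then a check that the character after the match is not another digit) applies to the Content-Length and SDP numeric fields the advisory lists.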