[Full-disclosure] AST-2011-001: Stack buffer overflow in SIP channel driver



Asterisk Project Security Advisory - AST-2011-001

Product Asterisk
Summary Stack buffer overflow in SIP channel driver
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Authenticated Sessions
Severity Moderate
Exploits Known No
Reported On January 11, 2011
Reported By Matthew Nicholson
Posted On January 18, 2011
Last Updated On January 18, 2011
Advisory Contact Matthew Nicholson <mnicholson@xxxxxxxxxx>
CVE Name

Description When forming an outgoing SIP request while in pedantic mode, a
stack buffer can be made to overflow if supplied with
carefully crafted caller ID information. This vulnerability
also affects the URIENCODE dialplan function and in some
versions of asterisk, the AGI dialplan application as well.
The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when
encoding URIs.

Resolution The size of the output buffer passed to the ast_uri_encode
function is now properly respected.

In asterisk versions not containing the fix for this issue,
limiting strings originating from remote sources that will be
URI encoded to a length of 40 characters will protect against
this vulnerability.

exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
exten => s,n,Dial(SIP/channel)

The CALLERID(num) and CALLERID(name) channel values, and any
strings passed to the URIENCODE dialplan function should be
limited in this manner.

Affected Versions
Product Release Series
Asterisk Open Source 1.2.x All versions
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
AsteriskNOW 1.5 All versions
s800i (Asterisk Appliance) 1.2.x All versions

Corrected In
Product Release
Asterisk Open Source 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.1, 1.8.1.2, 1.8.2.1
Asterisk Business Edition C.3.6.2

Patches
URL Branch
http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff 1.4
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff 1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff 1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff 1.8

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2011-001.pdf and
http://downloads.digium.com/pub/security/AST-2011-001.html

Revision History
Date Editor Revisions Made
2011-01-18 Matthew Nicholson Initial Release

Asterisk Project Security Advisory - AST-2011-001
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/