[NEWS] Asterisk SIP Implementation Issue
From: SecuriTeam (support_at_securiteam.com)
Date: 09/07/03
To: list@securiteam.com Date: 7 Sep 2003 18:01:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Asterisk SIP Implementation Issue
------------------------------------------------------------------------
SUMMARY
<http://www.asterisk.org/> Asterisk is a complete PBX (Private Branch
eXchange) implemented in software. It runs on Linux and provides all of the
features you would expect from a PBX and more. Asterisk does voice over IP in
three protocols (SIP, IAX (v1 and v2) and H.323) and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.
The Session Initiation Protocol (SIP) is an application-layer control
(signaling) protocol for creating, modifying and terminating sessions with
one or more participants. These sessions include Internet multimedia
conferences, Internet telephone calls, multimedia distribution and instant
messaging. The SIP protocol is described in RFC3261 (with extensions
contained in RFC3265).
While conducting a source code review of the SIP protocol implementation
within Asterisk, @stake found a vulnerability that could allow an attacker
to obtain remote and unauthenticated access to the host in question.
This is a good example of a vulnerability that would be difficult to
identify in the process of automated fault injection (fuzzing).
DETAILS
@stake discovered that if a specially crafted SIP request of a specific
size (body length of 1024 bytes) was sent with a particular request type
(MESSAGE or INFO), the following function could be exploited:
-------[chan_sip.c fragment start]------
/* Concatenates the body lines of req into buf, which is len bytes long. */
static int get_msg_text(char *buf, int len, struct sip_request *req) {
	int x;
	strcpy(buf, "");
	for (x=0;x<req->lines;x++) {
		/* Bug: once strlen(buf) exceeds len - 5 this count is negative;
		 * strncat() takes a size_t, so the value wraps to a huge count
		 * and the copy runs past the end of buf. */
		strncat(buf, req->line[x], len - strlen(buf) - 5);
		strcat(buf, "\n");
	}
	return 0;
}
-------[chan_sip.c fragment end]------
Therefore, when a specially crafted request with a body size of 1024 bytes
is received, the end of the internal buffer is overwritten. This happens
because the count expression len - strlen(buf) - 5 goes negative, and that
negative number is passed to strncat() instead of a small count such as the
following (example):
0x080483b9 <go+93>: push $0xa - Copy 10 bytes
0x080483bb <go+95>: pushl 0x8(%ebp)
The number is decremented past 0x0 and wraps to 0xFFFFFFFF, becoming
(example):
0x080483e5 <go+137>: push $0xfffffffc - Copy a lot more than 10
0x080483e7 <go+139>: pushl 0x8(%ebp)
strncat() is therefore told to copy this many bytes; however, because a NUL
byte is encountered within the mapped page of memory, the copy stops before
it reaches unmapped memory and no page fault occurs. Instead it simply
overwrites the saved return address. Thus this becomes an easily
exploitable buffer overflow.
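The following is an added example, not code from the advisory or from Asterisk, that shows the arithmetic behind the defect and a hardened replacement for the fragment. It assumes a minimal stand-in for struct sip_request (only a line count and an array of lines) and the function names original_strncat_count, first_wrapping_line and get_msg_text_safe are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for Asterisk's struct sip_request (an assumption made for
 * this example; only the fields the fragment uses are modelled). */
struct sip_request {
    int lines;
    const char *line[8];
};

/* The count expression from the fragment, seen the way strncat() sees it:
 * the int result is converted to size_t, so once strlen(buf) > len - 5 the
 * "negative" count becomes a huge unsigned value. */
size_t original_strncat_count(int len, size_t used) {
    int n = len - (int)used - 5;
    return (size_t)n;
}

/* Replays the original loop's arithmetic without writing memory; returns the
 * index of the first line whose count would wrap, or -1 if none does. */
int first_wrapping_line(int len, const struct sip_request *req) {
    size_t used = 0;  /* strlen(buf) after each iteration */
    for (int x = 0; x < req->lines; x++) {
        int n = len - (int)used - 5;
        if (n < 0)
            return x;
        size_t l = strlen(req->line[x]);
        used += (l < (size_t)n ? l : (size_t)n) + 1;  /* copied chars + '\n' */
    }
    return -1;
}

/* Hardened replacement: tracks remaining space explicitly, never writes past
 * len bytes, and reports truncation (-1) instead of silently corrupting. */
int get_msg_text_safe(char *buf, size_t len, const struct sip_request *req) {
    size_t used = 0;
    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (int x = 0; x < req->lines; x++) {
        size_t l = strlen(req->line[x]);
        if (l + 2 > len - used)  /* line, '\n' and the terminating NUL must fit */
            return -1;
        memcpy(buf + used, req->line[x], l);
        used += l;
        buf[used++] = '\n';
        buf[used] = '\0';
    }
    return 0;
}
```

With a 1024-byte buffer the original count is 1019 for an empty buffer and wraps to SIZE_MAX once 1020 bytes have accumulated, which is the condition the hardened version refuses to reach.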
Although SIP supports authentication, both the MESSAGE and INFO messages
will be processed without any authentication. This allows any user who can
send SIP messages to Asterisk to take advantage of the vulnerability.
By exploiting this vulnerability, @stake managed to obtain access to the
remote host in question. The access level attained by exploiting this
vulnerability is that of the user that started the Asterisk services,
which in the default installation is root.
Recommendation:
@stake notified the author of this particular code on the 15th of August.
The author developed and deployed a patch silently to the CVS on the 15th
of August.
@stake would recommend that if you have not deployed a CVS version since
the 15th of August 2003 to immediately do so.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.atstake.com/research/advisories/2003/a090403-1.txt
The information has been provided by @stake Advisories
(advisories@atstake.com).