[UNIX] Asterisk Skinny Unauthenticated Heap Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Oct 2006 18:01:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Asterisk Skinny Unauthenticated Heap Overflow
------------------------------------------------------------------------
SUMMARY
Asterisk is "The Opensource PBX", a popular software telephony server. The
Asterisk Skinny channel driver for Cisco SCCP phones chan_skinny.so)
incorrectly validates a length value in the packet header. An integer
wrap-around leads to heap overwrite, and arbitrary remote code execution
as root.
DETAILS
Vulnerable Systems:
* Asterisk version 1.2.12.1 and prior
* Asterisk version 1.0.12 and prior
Immune Systems:
* Asterisk version 1.4.0-beta1
* Asterisk version 1.4.0-beta2
* Asterisk version 1.2.13
* Asterisk version 1.0.13
The function 'static int get_input(struct skinnysession *s)' in
chan_skinny.c incorrectly validates a user supplied length in the packet
header. In the code below, four bytes of data are read from the socket,
cast to a signed integer, and assigned to dlen. If dlen is between -1 and
-8 then (dlen + 8) will integer wrap to be greater than zero, but less
than sizeof(s->inbuf) for the purposes of this comparison.
Next, dlen + 4 is passed to read() as the maximum number of bytes to write
to s->inbuf+4. Read() takes an unsigned value, so dlen is interpreted as a
very large number. For example, a value of -6 is interpreted as 0xfffffffa
bytes. This instructs read() to write beyond the allocated 1000 byte
length of the buffer s->inbuf.
Code asterisk-1.2.12.1/channels/chan_skinny.c lines 2860-2870:
res = read(s->fd, s->inbuf, 4); // <- integer read from attacker
if (res != 4) {
ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
return -1;
}
dlen = letohl(*(int *)s->inbuf); // <- input 0xfffffffa
// interpreted as signed
if (dlen+8 > sizeof(s->inbuf)) // <- integer wrap to +2
dlen = sizeof(s->inbuf) - 8; // bypasses this check
}
*(int *)s->inbuf = htolel(dlen); // casting just for amusement
res = read(s->fd, s->inbuf+4, dlen+4); /* <- dlen now unsigned again
* permitting read() to write
* up to 0xfffffffa bytes off
* the end of s->inbuf
*/
Exploitation:
An attacker who can connect to the Asterisk server SCCP "Skinny" port (by
default 2000/tcp) can attack the vulnerable function prior to registering
as a configured Skinny phone, permitting pre-authentication remote
compromise.
Once the initial length header value in the packet performs an
integer-wraparound an attacker can overflow off the end of the malloc()ed
input buffer, and into heap space above it. Exploitation is possible via
standard heap-overflow malloc-unlink-macro technique[1] on glibc versions
prior to 2.3.5. On systems with newer glibc, a more sophisticated
exploitation method is necessary due to the improved validation of
malloc's internal heap management linked lists. Brett Moore's work[2] on
bypassing similar restrictions in WinXPSP2 is instructive.
Our proof-of-concept exploit uses vanilla malloc-unlink() to overwrite a
GOT entry to point execution back into our buffer, and executes Metasploit
port-binding shellcode.
Solutions:
- Disable the chan_skinny module if it is not required.
- Firewall port 2000/tcp from untrusted networks.
- Install the vendor supplied upgrades:
1.0-branch: Upgrade to 1.0.12 or later
1.2-branch: Upgrade to 1.2.13 or later
References:
[1] "Advanced Doug Lea's Malloc Exploits" by jp
<http://doc.bughunter.net/buffer-overflow/advanced-malloc-exploits.html>
http://doc.bughunter.net/buffer-overflow/advanced-malloc-exploits.html
[2] "Exploiting Freelist[0] On Windows XP Service Pack 2" by Brett Moore
<http://www.security-assessment.com/technical/>
http://www.security-assessment.com/technical/
ADDITIONAL INFORMATION
The information has been provided by
<mailto:adam.boileau@xxxxxxxxxxxxxxxxxxxxxxx> Adam Boileau.
The original article can be found at:
<http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf> http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] IBM Lotus Notes Insecure Default Folder Permissions
- Next by Date: [UNIX] Joomla BSQ Sitestats Script Insertion and SQL Injection
- Previous by thread: [NEWS] IBM Lotus Notes Insecure Default Folder Permissions
- Next by thread: [UNIX] Joomla BSQ Sitestats Script Insertion and SQL Injection
- Index(es):
Relevant Pages
|
|
