[UNIX] RTP Codec Payload Handling Two Buffer Overflows
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Mar 2008 09:07:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RTP Codec Payload Handling Two Buffer Overflows
------------------------------------------------------------------------
SUMMARY
Two buffer overflows exist in the RTP payload handling code of Asterisk.
Both overflows can be caused by an INVITE or any other SIP packet with
SDP. The request may need to be authenticated depending on configuration
of the Asterisk installation.
DETAILS
Vulnerable Systems:
* Asterisk Open Source versions prior to 1.4.18.1 and 1.4.19-rc3
* Asterisk Open Source versions prior to 1.6.0-beta6
* Asterisk Business Edition versions prior to C.1.6.1
* AsteriskNOW versions prior to 1.0.2
* Asterisk Appliance Developer Kit versions prior to Asterisk 1.4
revision 109386
* s800i (Asterisk Appliance) versions prior to 1.1.0.2
Immune Systems:
* Asterisk Open Source version 1.4.18.1, Asterisk Open Source version
1.4.19-rc3 or Asterisk Open Source version 1.6.0-beta6
* Asterisk Business Edition version C.1.6.1
* AsteriskNOW version 1.0.2
* Asterisk Appliance Developer Kit version 1.4 revision 109386
* s800i (Asterisk Appliance) version 1.1.0.2
The first overflow is caused by sending a payload number that surpasses
the programmed maximum payload number of 256. This causes an invalid
memory write outside of the buffer. While this does not allow the attacker
to write arbitrary data, it does allow the attacker to write a 0 to other
memory locations.
The second overflow is caused by sending more than 32 RTP payloads. This
causes a buffer on the stack to overflow, allowing the attacker to write
values between 0 and 256 (the maximum payload number) to memory locations
after the buffer.
Resolution:
Two fixes have been added to check the provided data to ensure it does not
exceed static buffer sizes.
* When removing internal information regarding an RTP payload, the given
payload number will now be checked to make sure it does not exceed the
maximum acceptable payload number.
* When reading RTP payloads from SDP a maximum limit of 32 in total will
be enforced. Any further RTP payloads will be discarded.
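The two checks described above, sketched in C as an added example; this is not Asterisk's code, and the names pt_table, pt_table_clear, sdp_read_payloads and demo_overlong_offer are hypothetical. It assumes valid payload numbers index a 256-entry table (0 to 255) and that payload numbers arrive as the space-separated format list of an SDP m= line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RTP_PT       256  /* maximum payload number named in the advisory */
#define MAX_SDP_PAYLOADS 32   /* payload limit per SDP named in the advisory */

/* Hypothetical payload table (assumption: 256 entries, indexes 0..255). */
struct pt_table { int in_use[MAX_RTP_PT]; };

/* Check 1: validate the payload number before the table write. */
int pt_table_clear(struct pt_table *t, long pt) {
    if (pt < 0 || pt >= MAX_RTP_PT) return -1;  /* refuse, write nothing */
    t->in_use[pt] = 0;
    return 0;
}

/* Check 2: store at most `cap` payload numbers from the format list of an
 * SDP m= line; out-of-range or surplus entries are counted and discarded. */
int sdp_read_payloads(const char *fmts, int *out, int cap, int *dropped) {
    int n = 0;
    *dropped = 0;
    for (;;) {
        char *end;
        long pt = strtol(fmts, &end, 10);
        if (end == fmts) break;                 /* no further number */
        fmts = end;
        if (pt < 0 || pt >= MAX_RTP_PT || n >= cap) (*dropped)++;
        else out[n++] = (int)pt;
    }
    return n;
}

/* Constructed input: a format list of 40 payload numbers (96..127 repeating). */
int demo_overlong_offer(int *dropped) {
    char list[256] = "";
    int out[MAX_SDP_PAYLOADS];
    for (int i = 0; i < 40; i++)
        snprintf(list + strlen(list), sizeof list - strlen(list), "%d ", 96 + i % 32);
    return sdp_read_payloads(list, out, MAX_SDP_PAYLOADS, dropped);
}

int main(void) {
    int dropped, kept = demo_overlong_offer(&dropped);
    printf("kept=%d dropped=%d\n", kept, dropped);
    return 0;
}
```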
CVE Information:
CVE-2008-1289
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1289>
ADDITIONAL INFORMATION
The information has been provided by Joshua Colp <jcolp@xxxxxxxxxx>.
The original article can be found at:
http://downloads.digium.com/pub/security/AST-2008-002.html