[VulnWatch] Asterisk SIP Implementation Issue

From: _at_stake Advisories (_at_stake)
Date: 09/05/03

    Date: Thu, 04 Sep 2003 18:12:21 -0400
    To: vulnwatch@vulnwatch.org
    
    


                                  @stake Inc.
                               www.atstake.com

                              Security Advisory

    Advisory Name: Asterisk SIP Implementation Issue
    Release Date: 09/04/2003
     Application: Asterisk
        Platform: Linux (x86)
        Severity: An attacker is able to obtain remote access
                  to the host in question prior to authentication
         Authors: Ollie Whitehouse [ollie@atstake.com]
                  Graham Murphy [gmurphy@atstake.com]
                  Stephen Kapp [skapp@atstake.com]
    Vendor Status: Informed / CVS Updated 15th of August 2003
    CVE Candidate: CAN-2003-???? (Pending)
       Reference: www.atstake.com/research/advisories/2003/a090403-1.txt

    Overview:

    Asterisk (http://www.asterisk.org/) is a complete PBX (Private
    Branch eXchange) in software. It runs on Linux and provides all of the
    features you would expect from a PBX and more. Asterisk does voice over IP
    in three protocols (SIP, IAX (v1 and v2) and H.323), and can interoperate
    with almost all standards-based telephony equipment using relatively
    inexpensive hardware.

    The Session Initiation Protocol (SIP) is an application-layer control
    (signaling) protocol for creating, modifying and terminating sessions
    with one or more participants. These sessions include Internet
    multimedia conferences, Internet telephone calls, multimedia
    distribution and instant messaging. The SIP protocol is described in
    RFC3261 (with extensions contained in RFC3265).

    While conducting a source code review of the SIP protocol implementation
    within Asterisk, @stake found a vulnerability that could allow an attacker
    to obtain remote and unauthenticated access to the host in question.

    This is a good example of a vulnerability that would be difficult to
    identify in the process of automated fault injection (fuzzing).

    Details:

    @stake discovered that if a specially crafted SIP request of a
    specific size (a body length of 1024 bytes) is sent with a particular
    request type (MESSAGE or INFO), the following function can be exploited:

     -------[chan_sip.c fragment start]------
     static int get_msg_text(char *buf, int len, struct sip_request *req)
     {
      int x;
      strcpy(buf, "");
      for (x=0;x<req->lines;x++) {
       /* len - strlen(buf) - 5 is evaluated as size_t: once strlen(buf)
          exceeds len - 5 it wraps to a huge value and strncat() is no
          longer bounded by the caller's buffer */
       strncat(buf, req->line[x], len - strlen(buf) - 5);
       strcat(buf, "\n");
      }
      return 0;
     }
     -------[chan_sip.c fragment end]------

    Therefore, when a specially crafted request with a body size of 1024 bytes
    is received, the end of the internal buffer used will be over-written.
    This happens because the length expression passed to strncat() goes
    negative, instead of a small positive count such as the following
    (example):

    0x080483b9 <go+93>: push $0xa - Copy 10 bytes
    0x080483bb <go+95>: pushl 0x8(%ebp)

    The number is decremented past 0x0 and wraps around through 0xFFFFFFFF
    to become (example):

    0x080483e5 <go+137>: push $0xfffffffc - Copy a lot more than 10
    0x080483e7 <go+139>: pushl 0x8(%ebp)

    So this causes strncat() to copy that many bytes; however, because a
    null byte is located in our page of memory, we do not get a page fault.
    Instead it simply overwrites the saved return address. Thus this becomes
    an easily exploitable buffer overflow.
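    To make the arithmetic concrete, the following is an added example (it is
    not Asterisk's code or the upstream patch); it assumes a reduced stand-in
    for struct sip_request with only the two fields the fragment uses, shows
    the size value the vulnerable expression produces, and gives a bounded
    rewrite that refuses to write past the caller's buffer:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 64

/* Constructed stand-in for Asterisk's struct sip_request (assumption:
 * only the fields get_msg_text() touches). */
struct sip_request {
    int lines;
    const char *line[MAX_LINES];
};

/* The size argument the vulnerable fragment hands to strncat(). Because
 * strlen() returns size_t, "len - strlen(buf) - 5" is evaluated as an
 * unsigned subtraction and wraps once the buffer is within 5 bytes of len. */
size_t vuln_strncat_len(int len, size_t used)
{
    return len - used - 5;
}

/* Hardened rewrite (added here, not the upstream fix): track the remaining
 * space explicitly, reject a body that does not fit, always NUL-terminate. */
int get_msg_text_safe(char *buf, size_t len, const struct sip_request *req)
{
    size_t used = 0;
    int x;
    if (len == 0)
        return -1;
    buf[0] = '\0';
    for (x = 0; x < req->lines; x++) {
        size_t n = strlen(req->line[x]);
        /* need room for the line, its '\n' and the terminating NUL */
        if (n + 1 >= len - used)
            return -1;              /* body too large: stop, buffer intact */
        memcpy(buf + used, req->line[x], n);
        used += n;
        buf[used++] = '\n';
        buf[used] = '\0';
    }
    return 0;
}

int main(void)
{
    char buf[16];                       /* deliberately tiny buffer */
    struct sip_request r = { 2, { "hello", "world" } };
    printf("len=1024 used=0    -> %zu\n", vuln_strncat_len(1024, 0));
    printf("len=1024 used=1020 -> %zu (wrapped)\n", vuln_strncat_len(1024, 1020));
    printf("safe copy rc=%d buf=\"%s\"\n", get_msg_text_safe(buf, sizeof buf, &r), buf);
    return 0;
}
```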

    Although SIP supports authentication, both the MESSAGE and INFO messages
    will be processed without any authentication. This allows any user who can
    send SIP messages to Asterisk to take advantage of the vulnerability.

    By exploiting this vulnerability, @stake managed to obtain access to the
    remote host in question. The access level attained by exploiting this
    vulnerability is that of the user that started the Asterisk services,
    which in the default installation is the root user.

    Recommendation:

    @stake notified the author of this particular code on the
    15th of August. The author developed and deployed a patch silently
    to the CVS on the 15th of August.

    @stake would recommend that if you have not deployed a CVS version
    since the 15th of August 2003 to immediately do so.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following name to this issue. It is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

     CAN-2003-??? Asterisk SIP implementation issue

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.


