[VulnWatch] ASA-2007-014: Stack buffer overflow in IAX2 channel driver



Asterisk Project Security Advisory - ASA-2007-014

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | Stack buffer overflow in IAX2 channel driver |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Exploitable Stack Buffer Overflow |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Critical |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | July 12, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | Russell Bryant, Digium, Inc. |
|----------------------+-------------------------------------------------|
| Posted On | July 17, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | July 17, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Russell Bryant <russell@xxxxxxxxxx> |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2007-3762 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The Asterisk IAX2 channel driver, chan_iax2, has a |
| | remotely exploitable stack buffer overflow |
| | vulnerability. It occurs when chan_iax2 is passed a |
| | voice or video frame with a data payload larger than 4 |
| | kB. This is exploitable by sending a very large RTP |
| | frame to an active RTP port number used by Asterisk when |
| | the other end of the call is an IAX2 channel. Exploiting |
| | this issue can cause a crash or allow arbitrary code |
| | execution on a remote machine. |
| | |
| | The specific conditions that trigger the vulnerability |
| | are the following: |
| | |
| | * iax2_write() is called with a frame with the |
| | following properties |
| | |
| | * a voice or video frame |
| | |
| | * Its 4-byte timestamp has the same high 2 bytes |
| | as the previous frame that was sent |
| | |
| | * Its format is the one currently expected |
| | |
| | * Its data payload is larger than 4 kB |
| | |
| | iax2_write() calls iax2_send() to send the frame. Inside |
| | of iax2_send(), there is a conditional check to |
| | determine whether the frame should be sent immediately |
| | (the now variable) or queued for transmission later. |
| | |
| | If the frame is going to be transmitted later, an |
| | iax_frame struct is dynamically allocated with a data |
| | buffer that has the exact buffer size needed to |
| | accommodate for the provided ast_frame data. However, if |
| | the frame is being sent immediately, it uses a stack |
| | allocated iax_frame, with a data buffer size of 4096 |
| | bytes. |
| | |
| | Later, the iax_frame_wrap() function is used to copy the |
| | data from the ast_frame struct into the iax_frame |
| | struct. This function assumes the iax_frame data buffer |
| | has enough space for all of the data in the ast_frame. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | This issue is only exploitable when the system is |
| | configured in such a way that calls between channels that |
| | use RTP and IAX2 channels are possible. Also, some |
| | additional protection against arbitrary code execution is |
| | provided if the call involves transcoding between audio |
| | formats as this will change the contents of the frame |
| | payload. |
| | |
| | All users that have systems that connect calls between |
| | channels that use RTP and IAX2 channels should |
| | immediately update to versions listed in the corrected in |
| | section of this advisory. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.22 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.8 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.2.1 |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.5.0 |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.2 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------+----------------------------------------------------|
| Asterisk Open | 1.2.22 and 1.4.8, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|-------------------+----------------------------------------------------|
| Asterisk Business | B.2.2.1, available from the Asterisk Business |
| Edition | Edition user portal on http://www.digium.com or |
| | |
| | via Digium Technical Support |
|-------------------+----------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|-------------------+----------------------------------------------------|
| Asterisk | 0.5.0, available from |
| Appliance | |
| Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk/ |
|-------------------+----------------------------------------------------|
| s800i (Asterisk | 1.0.2 |
| Appliance) | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-014.pdf. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+-------------------------+--------------------------|
| July 17, 2007 | russell@xxxxxxxxxx | Initial Release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - ASA-2007-014
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.



Relevant Pages