Atstake Security Advisory 03-09-04.1
Posted Sep 6, 2003
Authored by Atstake, Ollie Whitehouse, Graham Murphy, Stephen Kapp | Site atstake.com

Atstake Security Advisory A090403-1 - The Asterisk software PBX has a flaw in its SIP protocol implementation that could allow an attacker to obtain remote and unauthenticated access to the system.

tags | advisory, remote, protocol
SHA-256 | e061dbc54a00034594ef6c63ace2f2be44df7efdf3eda421fd1ced83e4fab944

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: Asterisk SIP Implementation Issue
Release Date: 09/04/2003
Application: Asterisk
Platform: Linux (x86)
Severity: An attacker is able to obtain remote access to the host in question prior to authentication
Authors: Ollie Whitehouse [ollie@atstake.com]
Graham Murphy [gmurphy@atstake.com]
Stephen Kapp [skapp@atstake.com]
Vendor Status: Informed / CVS Updated 15th of August 2003
CVE Candidate: CAN-2003-???? (Pending)
Reference: www.atstake.com/research/advisories/2003/a090403-1.txt


Overview:

Asterisk (http://www.asterisk.org/) is a complete PBX (Private
Branch eXchange) in software. It runs on Linux and provides all of the
features you would expect from a PBX and more. Asterisk does voice over IP
in three protocols (SIP, IAX (v1 and v2) and H.323), and can interoperate
with almost all standards-based telephony equipment using relatively
inexpensive hardware.

The Session Initiation Protocol (SIP) is an application-layer control
(signaling) protocol for creating, modifying and terminating sessions
with one or more participants. These sessions include Internet
multimedia conferences, Internet telephone calls, multimedia
distribution and instant messaging. The SIP protocol is described in
RFC3261 (with extensions contained in RFC3265).

While conducting a source code review of the SIP protocol implementation
within Asterisk, @stake found a vulnerability that could allow an attacker
to obtain remote and unauthenticated access to the host in question.

This is a good example of a vulnerability that would be difficult to
identify in the process of automated fault injection (fuzzing).


Details:

@stake discovered that if a specially crafted SIP request of a
specific size (body length of 1024 bytes) was sent with a particular
request type (MESSAGE or INFO), the following function could be exploited:

-------[chan_sip.c fragment start]------
static int get_msg_text(char *buf, int len, struct sip_request *req)
{
    int x;
    strcpy(buf, "");
    for (x=0;x<req->lines;x++) {
        /* once strlen(buf) + 5 exceeds len, this count wraps to a huge size_t */
        strncat(buf, req->line[x], len - strlen(buf) - 5);
        strcat(buf, "\n");
    }
    return 0;
}
-------[chan_sip.c fragment end]------

Therefore, when a specially crafted request with a body size of 1024 bytes
is received, the end of the internal buffer is overwritten. The count
passed to strncat() is len - strlen(buf) - 5; once the buffer already holds
more than len - 5 bytes this value wraps around instead of being a small
positive count such as the following (example):

0x080483b9 <go+93>: push $0xa - Copy 10 bytes
0x080483bb <go+95>: pushl 0x8(%ebp)

The number is decremented past 0x0 and wraps to 0xFFFFFFFF, becoming
(example):

0x080483e5 <go+137>: push $0xfffffffc - Copy a lot more than 10
0x080483e7 <go+139>: pushl 0x8(%ebp)

So strncat() attempts to copy that many bytes; however, because a NUL byte
is located within our page of memory, the copy stops there and we don't get
a page fault. Instead it simply overwrites the saved return address. Thus
this becomes an easily exploitable buffer overflow.
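The following is an added example and is not code from the advisory, from Asterisk, or from the patch the author committed to CVS. It shows the count expression from the fragment evaluated the way the compiler actually evaluates it (strlen() returns size_t, so the subtraction is unsigned and wraps rather than going negative), a predicate for the wrap condition, and one illustrative hardened rewrite of the routine that tracks the remaining space explicitly. The `struct sip_request` stand-in, the `*_safe` and `run_demo` names, and the constructed three-line input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 64

/* Constructed stand-in for Asterisk's struct sip_request (assumption):
 * only the two fields the advisory's fragment touches. */
struct sip_request {
    int lines;
    const char *line[MAX_LINES];
};

/* The count expression from the original fragment, as the compiler
 * evaluates it: strlen() yields size_t, so `len` is converted to size_t
 * and the whole expression wraps instead of becoming negative. */
size_t original_count(int len, size_t used)
{
    return len - used - 5;
}

/* Returns 1 when the original expression would wrap for a buffer of
 * `len` bytes that already holds `used` bytes, 0 otherwise. */
int count_would_wrap(size_t len, size_t used)
{
    return used + 5 > len;
}

/* Hardened rewrite (illustrative, not the CVS patch): remaining space is
 * tracked explicitly, the copy stops before the buffer is full, and a
 * terminating NUL is always written. Returns the number of lines copied
 * in full; a value below req->lines means the body was truncated. */
int get_msg_text_safe(char *buf, size_t len, const struct sip_request *req)
{
    size_t used = 0;
    int copied = 0;
    int x;

    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (x = 0; x < req->lines; x++) {
        size_t l = strlen(req->line[x]);
        /* need l bytes for the line, 1 for '\n' and 1 for the NUL */
        if (l + 2 > len - used) {
            size_t room = len - used - 1;   /* keep one byte for the NUL */
            memcpy(buf + used, req->line[x], room);
            used += room;
            buf[used] = '\0';
            return copied;
        }
        memcpy(buf + used, req->line[x], l);
        used += l;
        buf[used++] = '\n';
        buf[used] = '\0';
        copied++;
    }
    return copied;
}

/* Constructed input shaped like the advisory's case: a 1024-byte output
 * buffer and a first line long enough to leave fewer than 5 bytes free
 * (after it, the original count would be original_count(1024, 1020), i.e.
 * SIZE_MAX), followed by two short lines. Returns the lines copied by the
 * hardened routine and stores the resulting strlen() in *out_len. */
int run_demo(size_t *out_len)
{
    static char big[1021];
    struct sip_request req;
    char buf[1024];
    int copied;

    memset(big, 'A', 1020);
    big[1020] = '\0';
    req.lines = 3;
    req.line[0] = big;
    req.line[1] = "x";
    req.line[2] = "y";
    copied = get_msg_text_safe(buf, sizeof buf, &req);
    if (out_len)
        *out_len = strlen(buf);
    return copied;
}

int main(void)
{
    size_t n;
    int copied = run_demo(&n);
    printf("original count after line 1: %zu\n", original_count(1024, 1020));
    printf("safe version copied %d of 3 lines, %zu bytes used\n", copied, n);
    return 0;
}
```

The hardened version reports truncation through its return value, so a caller can log or reject an oversized body rather than silently losing its tail; the original returns 0 unconditionally and gives the caller no way to notice either the truncation or the overflow.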

Although SIP supports authentication, both the MESSAGE and INFO messages
will be processed without any authentication. This allows any user who can
send SIP messages to Asterisk to take advantage of the vulnerability.

By exploiting this vulnerability, @stake managed to obtain access to the
remote host in question. The access level attained by exploiting this
vulnerability is that of the user that started the Asterisk services, which
in the default installation is the root user.


Recommendation:

@stake notified the author of this particular code on the
15th of August. The author developed and deployed a patch silently
to the CVS on the 15th of August.

@stake recommends that anyone who has not deployed a CVS version
from after the 15th of August 2003 do so immediately.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-??? Asterisk SIP implementation issue


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP1ewYke9kNIfAm4yEQIcuQCggaZa0YYaGBScExKcHI3oJHV4bX4AnjUl
kLia5aqg6D44i54pQ9B+aY5S
=wtSA
-----END PGP SIGNATURE-----



