exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASA-2007-014.txt

ASA-2007-014.txt
Posted Jul 18, 2007
Authored by Russell Bryant | Site asterisk.org

Asterisk Project Security Advisory - The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable stack buffer overflow vulnerability. It occurs when chan_iax2 is passed a voice or video frame with a data payload larger than 4 kB. This is exploitable by sending a very large RTP frame to an active RTP port number used by Asterisk when the other end of the call is an IAX2 channel. Exploiting this issue can cause a crash or allow arbitrary code execution on a remote machine.

tags | advisory, remote, overflow, arbitrary, code execution
advisories | CVE-2007-3762
SHA-256 | e4dc71a2fe12119c9e203636d801c336673cd5417bd25d738fda712d34d52222

ASA-2007-014.txt

Change Mirror Download
               Asterisk Project Security Advisory - ASA-2007-014

+------------------------------------------------------------------------+
| Product | Asterisk |
|----------------------+-------------------------------------------------|
| Summary | Stack buffer overflow in IAX2 channel driver |
|----------------------+-------------------------------------------------|
| Nature of Advisory | Exploitable Stack Buffer Overflow |
|----------------------+-------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+-------------------------------------------------|
| Severity | Critical |
|----------------------+-------------------------------------------------|
| Exploits Known | No |
|----------------------+-------------------------------------------------|
| Reported On | July 12, 2007 |
|----------------------+-------------------------------------------------|
| Reported By | Russell Bryant, Digium, Inc. |
|----------------------+-------------------------------------------------|
| Posted On | July 17, 2007 |
|----------------------+-------------------------------------------------|
| Last Updated On | July 17, 2007 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Russell Bryant <russell@digium.com> |
|----------------------+-------------------------------------------------|
| CVE Name | CVE-2007-3762 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The Asterisk IAX2 channel driver, chan_iax2, has a |
| | remotely exploitable stack buffer overflow |
| | vulnerability. It occurs when chan_iax2 is passed a |
| | voice or video frame with a data payload larger than 4 |
| | kB. This is exploitable by sending a very large RTP |
| | frame to an active RTP port number used by Asterisk when |
| | the other end of the call is an IAX2 channel. Exploiting |
| | this issue can cause a crash or allow arbitrary code |
| | execution on a remote machine. |
| | |
| | The specific conditions that trigger the vulnerability |
| | are the following: |
| | |
| | * iax2_write() is called with a frame with the |
| | following properties |
| | |
| | * a voice or video frame |
| | |
| | * Its 4-byte timestamp has the same high 2 bytes |
| | as the previous frame that was sent |
| | |
| | * Its format is the one currently expected |
| | |
| | * Its data payload is larger than 4 kB |
| | |
| | iax2_write() calls iax2_send() to send the frame. Inside |
| | of iax2_send(), there is a conditional check to |
| | determine whether the frame should be sent immediately |
| | (the now variable) or queued for transmission later. |
| | |
| | If the frame is going to be transmitted later, an |
| | iax_frame struct is dynamically allocated with a data |
| | buffer that has the exact buffer size needed to |
| | accommodate for the provided ast_frame data. However, if |
| | the frame is being sent immediately, it uses a stack |
| | allocated iax_frame, with a data buffer size of 4096 |
| | bytes. |
| | |
| | Later, the iax_frame_wrap() function is used to copy the |
| | data from the ast_frame struct into the iax_frame |
| | struct. This function assumes the iax_frame data buffer |
| | has enough space for all of the data in the ast_frame. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | This issue is only exploitable when the system is |
| | configured in such a way that calls between channels that |
| | use RTP and IAX2 channels are possible. Also, some |
| | additional protection against arbitrary code execution is |
| | provided if the call involves transcoding between audio |
| | formats as this will change the contents of the frame |
| | payload. |
| | |
| | All users that have systems that connect calls between |
| | channels that use RTP and IAX2 channels should |
| | immediately update to versions listed in the corrected in |
| | section of this advisory. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.22 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.8 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.2.1 |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | All versions prior to |
| | | beta7 |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
| | | 0.5.0 |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
| | | 1.0.2 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------+----------------------------------------------------|
| Asterisk Open | 1.2.22 and 1.4.8, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|-------------------+----------------------------------------------------|
| Asterisk Business | B.2.2.1, available from the Asterisk Business |
| Edition | Edition user portal on http://www.digium.com or |
| | |
| | via Digium Technical Support |
|-------------------+----------------------------------------------------|
| AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
| | Beta5 and Beta6 users can update using the system |
| | update feature in the appliance control panel. |
|-------------------+----------------------------------------------------|
| Asterisk | 0.5.0, available from |
| Appliance | |
| Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk/ |
|-------------------+----------------------------------------------------|
| s800i (Asterisk | 1.0.2 |
| Appliance) | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-014.pdf. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|-------------------+-------------------------+--------------------------|
| July 17, 2007 | russell@digium.com | Initial Release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - ASA-2007-014
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close