AST-2008-002.txt
Posted Mar 19, 2008
Authored by Joshua Colp | Site asterisk.org

Asterisk Project Security Advisory - Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be triggered by an INVITE or any other SIP packet carrying SDP. Depending on the configuration of the Asterisk installation, the request may need to be authenticated.

tags | advisory, overflow
advisories | CVE-2008-1289
SHA-256 | 7af0f5f8834e1ec6cfc12a2131ca26a0a7c955b7d3cc5c93dab300406251ab4b

               Asterisk Project Security Advisory - AST-2008-002

+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Two buffer overflows in RTP Codec Payload         |
|                    | Handling                                          |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Exploitable Buffer Overflow                       |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote Unauthenticated Sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Critical                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | March 11, 2008                                    |
|--------------------+---------------------------------------------------|
| Reported By        | Mu Security Research Team                         |
|--------------------+---------------------------------------------------|
| Posted On          | March 18, 2008                                    |
|--------------------+---------------------------------------------------|
| Last Updated On    | March 18, 2008                                    |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Joshua Colp <jcolp@digium.com>                    |
|--------------------+---------------------------------------------------|
| CVE Name           | CVE-2008-1289                                     |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | Two buffer overflows exist in the RTP payload handling   |
|             | code of Asterisk. Both overflows can be caused by an     |
|             | INVITE or any other SIP packet with SDP. The request may |
|             | need to be authenticated depending on configuration of   |
|             | the Asterisk installation.                               |
|             |                                                          |
|             | The first overflow is caused by sending a payload number |
|             | that surpasses the programmed maximum payload number of  |
|             | 256. This causes an invalid memory write outside of the  |
|             | buffer. While this does not allow the attacker to write  |
|             | arbitrary data it does allow the attacker to write a 0   |
|             | to other memory locations.                               |
|             |                                                          |
|             | The second overflow is caused by sending more than 32    |
|             | RTP payloads. This causes a buffer on the stack to       |
|             | overflow allowing the attacker to write values between 0 |
|             | and 256 (the maximum payload number) to memory locations |
|             | after the buffer.                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution  | Two fixes have been added to check the provided data to  |
|             | ensure it does not exceed static buffer sizes.           |
|             |                                                          |
|             | When removing internal information regarding an RTP      |
|             | payload the given payload number will now be checked to  |
|             | make sure it does not exceed the maximum acceptable      |
|             | payload number.                                          |
|             |                                                          |
|             | When reading RTP payloads from SDP a maximum limit of 32 |
|             | in total will be enforced. Any further RTP payloads will |
|             | be discarded.                                            |
+------------------------------------------------------------------------+
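The two bounds checks the Resolution describes, shown as an added C illustration that is not Asterisk's own code: rtp_session, rtp_unset_payload and sdp_read_payloads are hypothetical simplified stand-ins for the affected code paths, the 256-entry table and the 32-payload cap come from the advisory, and the range check on each parsed payload number is an assumption beyond what the advisory states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RTP_PT       256 /* size of the payload table (per the advisory) */
#define MAX_SDP_PAYLOADS 32  /* payloads accepted from one SDP body (per the advisory) */

/* Hypothetical, simplified stand-in for a per-session payload table. */
struct rtp_session {
    int pt_active[MAX_RTP_PT]; /* non-zero while payload number pt is in use */
};

/* First fix: refuse an out-of-range payload number instead of writing a 0
 * past the end of pt_active. Returns 0 on success, -1 when rejected. */
int rtp_unset_payload(struct rtp_session *s, int pt)
{
    if (pt < 0 || pt >= MAX_RTP_PT)
        return -1; /* the unfixed code would write pt_active[pt] = 0 here */
    s->pt_active[pt] = 0;
    return 0;
}

/* Second fix: read payload numbers from an SDP "m=" line into a fixed-size
 * array, discarding everything past MAX_SDP_PAYLOADS. Returns the count kept. */
int sdp_read_payloads(const char *mline, int *out, int out_len)
{
    int count = 0;
    const char *p = mline;
    for (int field = 0; field < 3 && p; field++) { /* skip "m=audio <port> RTP/AVP" */
        p = strchr(p, ' ');
        if (p)
            p++;
    }
    while (p && *p) {
        char *end;
        long pt = strtol(p, &end, 10);
        if (end == p)
            break; /* not a number: stop parsing */
        if (count >= MAX_SDP_PAYLOADS || count >= out_len)
            break; /* limit reached: any further payloads are discarded */
        if (pt >= 0 && pt < MAX_RTP_PT) /* range check; an assumption beyond the advisory */
            out[count++] = (int)pt;
        for (p = end; *p == ' '; p++)
            ; /* skip separators before the next payload number */
    }
    return count;
}
```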

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                    | Release |                                 |
|                            | Series  |                                 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.0.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.2.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.4.x   | All versions prior to 1.4.18.1  |
|                            |         | and 1.4.19-rc3                  |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source       | 1.6.x   | All versions prior to           |
|                            |         | 1.6.0-beta6                     |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | A.x.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | B.x.x   | Unaffected                      |
|----------------------------+---------+---------------------------------|
| Asterisk Business Edition  | C.x.x   | All versions prior to C.1.6.1   |
|----------------------------+---------+---------------------------------|
| AsteriskNOW                | 1.0.x   | All versions prior to 1.0.2     |
|----------------------------+---------+---------------------------------|
| Asterisk Appliance         | SVN     | All versions prior to Asterisk  |
| Developer Kit              |         | 1.4 revision 109386             |
|----------------------------+---------+---------------------------------|
| s800i (Asterisk Appliance) | 1.1.x   | All versions prior to 1.1.0.2   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product       | Release                                                |
|---------------+--------------------------------------------------------|
| Asterisk Open | 1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from        |
| Source        | http://downloads.digium.com/pub/telephony/asterisk     |
|---------------+--------------------------------------------------------|
| Asterisk      | C.1.6.1                                                |
| Business      |                                                        |
| Edition       |                                                        |
|---------------+--------------------------------------------------------|
| AsteriskNOW   | 1.0.2, available from http://www.asterisknow.org/      |
|               |                                                        |
|               | Current users can update using the system update       |
|               | feature in the appliance control panel.                |
|---------------+--------------------------------------------------------|
| Asterisk      | Asterisk 1.4 revision 109386. Available by performing  |
| Appliance     | an svn update of the AADK tree.                        |
| Developer Kit |                                                        |
|---------------+--------------------------------------------------------|
| s800i         | 1.1.0.2                                                |
| (Asterisk     |                                                        |
| Appliance)    |                                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links |                                                                |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2008-002.pdf and          |
| http://downloads.digium.com/pub/security/AST-2008-002.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date             | Editor             | Revisions Made                 |
|------------------+--------------------+--------------------------------|
| 2008-03-18       | Joshua Colp        | Initial Release                |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2008-002
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
