
MU Security Advisory 2008-03.01
Posted Mar 19, 2008
Authored by MU Dynamics, Mu Security research team | Site labs.musecurity.com

The Mu Security Research team has found two security issues in the SDP parser in Asterisk 1.4.18. One is an invalid write to an attacker-controllable, almost arbitrary memory location and the other is a stack buffer overflow with limited attacker-controllable values.

tags | advisory, overflow, arbitrary
advisories | CVE-2008-1289
SHA-256 | 22b9f55626db7117f3ba9d0b616eac257212d9c93020ffbcecfcfa095604f614

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple buffer overflows in Asterisk [MU-200803-01]
March 18, 2008

http://labs.musecurity.com/advisories.html


Affected Products/Versions:

Asterisk 1.4.18 and other branches
http://www.asterisk.org/node/48466


Product Overview:

Asterisk is an open source telephony engine and toolkit. Asterisk
implements the Session Initiation Protocol (SIP).


Vulnerability Details:

The Mu Security Research team has found two security issues in the SDP
parser in Asterisk 1.4.18. One is an invalid write to an
attacker-controllable, almost arbitrary memory location and the other
is a stack buffer overflow with limited attacker-controllable values.

1) Sending an invalid RTP payload type number in the SDP payload of an
INVITE message can cause a write to an invalid memory location. An
attacker would have some control over the memory location.

The invalid memory write is in ast_rtp_unset_m_type() (main/rtp.c,
line 1655) called by process_line() (channels/chan_sip.c, line 5275).
ast_rtp_unset_m_type() does not validate pt, while it is validated in
ast_rtp_set_m_type() (line 1642). The attacker controls pt and could
write a 0 to a wide range of memory locations.

Example invalid SDP payload (invalid RTP payload type is 780903144):

v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:780903144 PCMU/8000
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000

Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.value.value.value.value.integer.values:0,3,4.
Vectors in the encoding and invalid variants reproduce the same issue.


2) Sending more than 32 RTP payload type number attributes in the SDP
payload of a SIP INVITE will overflow a buffer on the stack. An
attacker would have some control over the values written.

In process_sdp() (channels/chan_sip.c, line 4980), rtpmap codecs are
stored in found_rtpmap_codecs, an array of 32 ints. The number of
codecs in the map is stored in last_rtpmap_codec. Codecs are appended
to the array without checking the size of the array (line 5258), so up
to 64 (SIP_MAX_LINES) codecs can be written. An attacker would have
some control over the values written - the codec must be between 0 and
256 (MAX_RTP_PT).

Example SDP payload:

v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
[... repeat this line ...]
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000

Mu-4000 vector: invite_bye.invite.sdp.media-descriptions.media-attribute-rtp1.repeated:4.
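
Added example (not Asterisk code and not part of the original advisory): a minimal rtpmap line handler showing the two checks whose absence issues 1 and 2 describe, a range check on pt in every function that indexes the payload-type table and a bound on appends to the 32-entry codec array. The struct, the function names and the single "known" codec are hypothetical; MAX_RTP_PT and the array size come from the advisory text, and valid indexes are assumed to be 0 to MAX_RTP_PT-1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RTP_PT 256        /* value given in the advisory */
#define MAX_RTPMAP_CODECS 32  /* size of found_rtpmap_codecs per the advisory */

struct sdp_state {            /* hypothetical stand-in for the parser's state */
    unsigned char pt_active[MAX_RTP_PT];
    int found_rtpmap_codecs[MAX_RTPMAP_CODECS];
    int last_rtpmap_codec;
};

/* Both table accessors validate pt themselves (issue 1: only "set" did). */
static int set_pt(struct sdp_state *s, long pt, const char *codec) {
    if (pt < 0 || pt >= MAX_RTP_PT) return -1;
    if (strncmp(codec, "PCMU/", 5) != 0) return -1; /* constructed: one known codec */
    s->pt_active[pt] = 1;
    return 0;
}
static int unset_pt(struct sdp_state *s, long pt) {
    if (pt < 0 || pt >= MAX_RTP_PT) return -1;      /* the check missing in issue 1 */
    s->pt_active[pt] = 0;
    return 0;
}

/* Returns 1 = codec recorded, 0 = payload type cleared, -1 = line rejected. */
int handle_rtpmap(struct sdp_state *s, const char *line) {
    static const char prefix[] = "a=rtpmap:";
    const char *num;
    char *end;
    long pt;
    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0) return -1;
    num = line + sizeof(prefix) - 1;
    pt = strtol(num, &end, 10);
    if (end == num || *end != ' ') return -1;       /* no digits or no codec name */
    if (set_pt(s, pt, end + 1) != 0)                /* failure path reaches unset */
        return unset_pt(s, pt) == 0 ? 0 : -1;
    if (s->last_rtpmap_codec >= MAX_RTPMAP_CODECS) return -1; /* issue 2: bound the append */
    s->found_rtpmap_codecs[s->last_rtpmap_codec++] = (int)pt;
    return 1;
}

/* Feed n copies of the advisory's repeated line; returns codecs recorded. */
int feed_repeated(int n) {
    struct sdp_state s = {0};
    for (int i = 0; i < n; i++) handle_rtpmap(&s, "a=rtpmap:0 PCMU/8000");
    return s.last_rtpmap_codec;
}

int main(void) {
    struct sdp_state s = {0};
    printf("invalid pt: %d\n", handle_rtpmap(&s, "a=rtpmap:780903144 PCMU/8000"));
    printf("64 repeated lines recorded: %d\n", feed_repeated(64));
    return 0;
}
```
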


Vendor Response / Solution:

Fixed in Asterisk 1.4.18.1 and other branches
Available from http://www.asterisk.org


History:

March 11, 2008 - First contact with vendor
March 18, 2008 - Vendor releases fix and advisory


See also:

CVE-2008-1289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1289

Asterisk Project Security Advisory - AST-2008-002
http://downloads.digium.com/pub/security/AST-2008-002.html


Credit:

This vulnerability was discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkey.txt

Mu Security offers a new class of security analysis system, delivering
a rigorous and streamlined methodology for verifying the robustness
and security readiness of any IP-based product or application. Founded
by the pioneers of intrusion detection and prevention technology, Mu
Security is backed by preeminent venture capital firms that include
Accel Partners, Benchmark Capital and DAG Ventures. The company is
headquartered in Sunnyvale, CA. For more information, visit the
company's website at http://www.musecurity.com.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH4GOaQLdDlEyOXHQRAgFHAKCRA//m6RV5jg8Q0IWh635lPesRvACePaux
IfxfSGtQ39ihGPLJTwpNq7M=
=V4dl
-----END PGP SIGNATURE-----
