exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Asterisk Project Security Advisory - Driver Crash

Asterisk Project Security Advisory - Driver Crash
Posted Aug 11, 2009
Authored by Tilghman Lesher | Site asterisk.org

Asterisk Project Security Advisory - On certain implementations of libc, the scanf family of functions uses an unbounded amount of stack memory to repeatedly allocate string buffers prior to conversion to the target type. Coupled with Asterisk's allocation of thread stack sizes that are smaller than the default, an attacker may exhaust stack memory in the SIP stack network thread by presenting excessively long numeric strings in various fields.

tags | advisory
advisories | CVE-2009-2726
SHA-256 | b1dc46b65ba0899d179d5df802c216ac411cd9b7c37c701cd854541313c4d1e2

Asterisk Project Security Advisory - Driver Crash

Change Mirror Download
               Asterisk Project Security Advisory - AST-2009-005

+------------------------------------------------------------------------+
| Product | Asterisk |
|---------------------+--------------------------------------------------|
| Summary | Remote Crash Vulnerability in SIP channel driver |
|---------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|---------------------+--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|---------------------+--------------------------------------------------|
| Severity | Critical in 1.6.1; minor in lesser versions |
|---------------------+--------------------------------------------------|
| Exploits Known | No |
|---------------------+--------------------------------------------------|
| Reported On | July 28, 2009 |
|---------------------+--------------------------------------------------|
| Reported By | Nick Baggott < nbaggott AT mudynamics DOT com > |
|---------------------+--------------------------------------------------|
| Posted On | August 10, 2009 |
|---------------------+--------------------------------------------------|
| Last Updated On | August 10, 2009 |
|---------------------+--------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|---------------------+--------------------------------------------------|
| CVE Name | CVE-2009-2726 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | On certain implementations of libc, the scanf family of |
| | functions uses an unbounded amount of stack memory to |
| | repeatedly allocate string buffers prior to conversion |
| | to the target type. Coupled with Asterisk's allocation |
| | of thread stack sizes that are smaller than the default, |
| | an attacker may exhaust stack memory in the SIP stack |
| | network thread by presenting excessively long numeric |
| | strings in various fields. |
| | |
| | Note that while this potential vulnerability has existed |
| | in Asterisk for a very long time, it is only potentially |
| | exploitable in 1.6.1 and above, since those versions are |
| | the first that have allowed SIP packets to exceed 1500 |
| | bytes total, which does not permit strings that are |
| | large enough to crash Asterisk. (The number strings |
| | presented to us by the security researcher were |
| | approximately 32,000 bytes long.) |
| | |
| | Additionally note that while this can crash Asterisk, |
| | execution of arbitrary code is not possible with this |
| | vector. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade Asterisk to one of the releases listed below. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.34 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.26.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
| | | 1.6.0.12 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.1.x | All versions prior to |
| | | 1.6.1.4 |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.2.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.4.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.0.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Addons | 1.6.1.x | Not affected |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | B.x.x | All versions prior to |
| | | B.2.5.9 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.2.x | All versions prior to |
| | | C.2.4.1 |
|----------------------------+------------+------------------------------|
| Asterisk Business Edition | C.3.x | All versions prior to C.3.1 |
|----------------------------+------------+------------------------------|
| AsteriskNOW | 1.5 | Not affected |
|----------------------------+------------+------------------------------|
| s800i (Asterisk Appliance) | 1.2.x | All versions prior to |
| | | 1.3.0.3 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.2.34 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.4.26.1 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.6.0.12 |
|---------------------------------------------+--------------------------|
| Asterisk Open Source | 1.6.1.4 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | B.2.5.9 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.2.4.1 |
|---------------------------------------------+--------------------------|
| Asterisk Business Edition | C.3.1 |
|---------------------------------------------+--------------------------|
| s800i (Asterisk Appliance) | 1.3.0.3 |
+------------------------------------------------------------------------+

+---------------------------------------------------------------------------+
| Patches |
|---------------------------------------------------------------------------|
| Link |Branch|
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-1.2.diff.txt |1.2 |
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-1.4.diff.txt |1.4 |
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-trunk.diff.txt|trunk |
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-1.6.0.diff.txt|1.6.0 |
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-1.6.1.diff.txt|1.6.1 |
|--------------------------------------------------------------------+------|
|http://downloads.digium.com/pub/security/AST-2009-005-1.6.2.diff.txt|1.6.2 |
+---------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | http://labs.mudynamics.com/advisories/MU-200908-01.txt |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2009-005.pdf and |
| http://downloads.digium.com/pub/security/AST-2009-005.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|---------------------+----------------------+---------------------------|
| August 10, 2009 | Tilghman Lesher | Initial release |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2009-005
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close