
MU Security Advisory 2009-08.01

Posted Aug 13, 2009
Authored by MU Dynamics, Mu Security research team | Site labs.musecurity.com

The Mu Dynamics Research team has found several vulnerabilities stemming from unsafe use of the sscanf C standard library function. Asterisk versions 1.6.1 through 1.6.1.2 are affected.

tags | advisory, vulnerability
SHA-256 | 4b4ca564af6eb635dec77a8869f1db6582e448ddc90620d17fb84789c0b6f227


Multiple sscanf vulnerabilities in Asterisk [MU-200908-01]
August 10, 2009

http://labs.mudynamics.com/advisories.html

Affected Products/Versions:
Asterisk 1.6.1 branch up to 1.6.1.2.


Product Overview:

Asterisk is an open source telephony engine and toolkit. Asterisk
implements the Session Initiation Protocol (SIP).


Vulnerability Details:

The Mu Dynamics Research team has found several vulnerabilities
stemming from unsafe use of the sscanf C standard library function.

The sscanf function is used in several places in Asterisk source code
for parsing numeric values from ASCII text in incoming SIP messages.
These calls to sscanf generally fail to specify a maximum width for the
field being parsed. With no width specified, sscanf defaults to a
maximum width of infinity. A remote attacker can take advantage of this
by crafting a SIP Invite message with a large number of ASCII decimal
characters in a position where a numeric value is being parsed.

E.g. the following sscanf call used to parse out the CSeq value from
the SIP header is vulnerable (chan_sip.c, line 19578):

if (!error && sscanf(cseq, "%d%n", &seqno, &len) != 1) {

A remote attacker can crash Asterisk by sending a SIP Invite where the
CSeq value is prefixed by a large number of ASCII decimal characters
(such as 32768 zeros).

Other areas demonstrated to be vulnerable include Content-Length parsing
(chan_sip.c, line 6769) and SDP processing (chan_sip.c, lines 6977,
7035, 7043, and 7285). Based on code inspection this list is not
complete.
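
The width problem described above can be closed at the call site. The
following is an added example, not code from the advisory or from the
Asterisk source: a hypothetical helper, parse_cseq_bounded, gives the
conversion an explicit field width and rejects any value whose digit run
is longer than that width. The function names, the 10-digit limit and the
sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CSEQ_MAX 2147483647LL   /* assumption: largest sequence number accepted */

/* Hypothetical helper (not Asterisk code): parse the number at the start of a
 * CSeq value such as "102 INVITE". Returns the sequence number, or -1 if the
 * field is missing, negative, out of range, or longer than 10 characters.
 * If len is non-NULL it receives the number of characters consumed. */
int parse_cseq_bounded(const char *cseq, int *len)
{
    long long value = 0;
    int n = 0;

    /* %10lld caps how many characters sscanf consumes for the number;
     * 10 digits always fit in a long long, so the conversion cannot overflow. */
    if (sscanf(cseq, "%10lld%n", &value, &n) != 1)
        return -1;
    /* A digit directly after the match means the field exceeded the width. */
    if (isdigit((unsigned char)cseq[n]))
        return -1;
    if (value < 0 || value > CSEQ_MAX)
        return -1;
    if (len)
        *len = n;
    return (int)value;
}

/* Constructed input: 32768 zeros in front of "1 INVITE", the shape of
 * oversized numeric field the advisory describes. */
int parse_zero_padded_cseq(void)
{
    static char buf[32768 + 16];

    memset(buf, '0', 32768);
    strcpy(buf + 32768, "1 INVITE");
    return parse_cseq_bounded(buf, NULL);
}

int main(void)
{
    printf("normal CSeq: %d\n", parse_cseq_bounded("102 INVITE", NULL));
    printf("padded CSeq: %d\n", parse_zero_padded_cseq());
    return 0;
}
```

The check after the conversion matters: a width alone would silently
accept the first 10 characters of an oversized field as a valid number.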


Vendor Response / Solution:

Fixed in Asterisk 1.6.1.4. For details see:
http://downloads.asterisk.org/pub/security/AST-2009-005.html.


History:

July 28, 2009 - First contact with vendor
August 10, 2009 - Vendor releases fix and advisory


See also:
http://www.pcapr.net/advisories/MU-200908-01.pcap
http://downloads.asterisk.org/pub/security/AST-2009-005.pdf


Credit:

This vulnerability was discovered by the Mu Dynamics research team.

http://labs.mudynamics.com/pgpkey.txt

Mu Dynamics proactively eliminates the high cost of service,
application and network downtime. Mu's solution automates a systematic
and repeatable process that identifies hard-to-detect sources of
potential downtime within IP services, applications, and underlying
networks. The award-winning Mu solution is deployed at more than 100
locations, primarily at leading global service providers, cable
operators and network product vendors. Headquartered in Sunnyvale,
California, Mu is backed by leading venture capital firms that include
Accel Partners, Benchmark Capital, DAG Ventures and Focus Ventures. For
more information, visit the company's website at
http://www.mudynamics.com.


