BugTraq
AST-2008-002: Two buffer overflows in RTP Codec Payload Handling Mar 18 2008 11:25PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2008-002

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|--------------------+--------------------------------------------------
-|
| Summary | Two buffer overflows in RTP Codec Payload |
| | Handling |
|--------------------+--------------------------------------------------
-|
| Nature of Advisory | Exploitable Buffer Overflow |
|--------------------+--------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+--------------------------------------------------
-|
| Severity | Critical |
|--------------------+--------------------------------------------------
-|
| Exploits Known | No |
|--------------------+--------------------------------------------------
-|
| Reported On | March 11, 2008 |
|--------------------+--------------------------------------------------
-|
| Reported By | Mu Security Research Team |
|--------------------+--------------------------------------------------
-|
| Posted On | March 18, 2008 |
|--------------------+--------------------------------------------------
-|
| Last Updated On | March 18, 2008 |
|--------------------+--------------------------------------------------
-|
| Advisory Contact | Joshua Colp <jcolp (at) digium (dot) com [email concealed]> |
|--------------------+--------------------------------------------------
-|
| CVE Name | CVE-2008-1289 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | Two buffer overflows exist in the RTP payload handling |
| | code of Asterisk. Both overflows can be caused by an |
| | INVITE or any other SIP packet with SDP. The request may |
| | need to be authenticated depending on configuration of |
| | the Asterisk installation. |
| | |
| | The first overflow is caused by sending a payload number |
| | that surpasses the programmed maximum payload number of |
| | 256. This causes an invalid memory write outside of the |
| | buffer. While this does not allow the attacker to write |
| | arbitrary data it does allow the attacker to write a 0 |
| | to other memory locations. |
| | |
| | The second overflow is caused by sending more than 32 |
| | RTP payloads. This causes a buffer on the stack to |
| | overflow allowing the attacker to write values between 0 |
| | and 256 (the maximum payload number) to memory locations |
| | after the buffer. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | Two fixes have been added to check the provided data to |
| | ensure it does not exceed static buffer sizes. |
| | |
| | When removing internal information regarding an RTP |
| | payload the given payload number will now be checked to |
| | make sure it does not exceed the maximum acceptable |
| | payload number. |
| | |
| | When reading RTP payloads from SDP a maximum limit of 32 |
| | in total will be enforced. Any further RTP payloads will |
| | be discarded. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release | |
| | Series | |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.0.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.18.1 |
| | | and 1.4.19-rc3 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Open Source | 1.6.x | All versions prior to |
| | | 1.6.0-beta6 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------+---------+--------------------------------
-|
| Asterisk Business Edition | C.x.x | All versions prior to C.1.6.1 |
|----------------------------+---------+--------------------------------
-|
| AsteriskNOW | 1.0.x | All versions prior to 1.0.2 |
|----------------------------+---------+--------------------------------
-|
| Asterisk Appliance | SVN | All versions prior to Asterisk |
| Developer Kit | | 1.4 revision 109386 |
|----------------------------+---------+--------------------------------
-|
| s800i (Asterisk Appliance) | 1.1.x | All versions prior to 1.1.0.2 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|---------------+-------------------------------------------------------
-|
| Asterisk Open | 1.4.18.1/1.4.19-rc3/1.6.0-beta6, available from |
| Source | http://downloads.digium.com/pub/telephony/asterisk |
|---------------+-------------------------------------------------------
-|
| Asterisk | C.1.6.1 |
| Business | |
| Edition | |
|---------------+-------------------------------------------------------
-|
| AsteriskNOW | 1.0.2, available from http://www.asterisknow.org/ |
| | |
| | Current users can update using the system update |
| | feature in the appliance control panel. |
|---------------+-------------------------------------------------------
-|
| Asterisk | Asterisk 1.4 revision 109386. Available by performing |
| Appliance | an svn update of the AADK tree. |
| Developer Kit | |
|---------------+-------------------------------------------------------
-|
| s800i | 1.1.0.2 |
| (Asterisk | |
| Appliance) | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-002.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|------------------+--------------------+-------------------------------
-|
| 2008-03-18 | Joshua Colp | Initial Release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2008-002
Copyright (c) 2008 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus