Asterisk T.38 SDP Parser chan_sip.c process_sdp Function Overflow

2007-04-25T09:03:28
ID OSVDB:35368
Type osvdb
Reporter Barrie Dempster (barrie@ngssoftware.com)
Modified 2007-04-25T09:03:28

Description

Vulnerability Description

A remote overflow exists in Asterisk. The application fails to perform proper bounds checking on the 'T38FaxRateManagement' and 'T38FaxUdpEC' parameters, resulting in a stack-based overflow. With a specially crafted request, an attacker can cause arbitrary code execution, resulting in a loss of integrity.
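
The kind of bounds check whose absence is described above, written as a length-checked SDP attribute parser. This is an added example, not Asterisk's code or the fix shipped in 1.4.3; the helper names `t38_attr_value` and `t38_reject_oversized` and the 32-byte cap `T38_VALUE_MAX` are assumptions, and all inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define T38_VALUE_MAX 32   /* assumed cap for this example */

/* Hypothetical helper, not Asterisk code.
 * Copies the value of SDP attribute `name` from `line` ("a=<name>:<value>")
 * into out[outlen]. Returns 0 on success, -1 if the line is a different
 * attribute, -2 if the value is empty or does not fit (out is left empty). */
int t38_attr_value(const char *line, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name), vlen;
    const char *val;

    if (outlen == 0)
        return -2;
    out[0] = '\0';
    if (strncmp(line, "a=", 2) != 0 || strncmp(line + 2, name, nlen) != 0
        || line[2 + nlen] != ':')
        return -1;
    val = line + 2 + nlen + 1;
    vlen = strcspn(val, " \t\r\n");      /* value ends at whitespace or CRLF */
    if (vlen == 0 || vlen >= outlen)      /* reject instead of truncating */
        return -2;
    memcpy(out, val, vlen);               /* length already checked against outlen */
    out[vlen] = '\0';
    return 0;
}

/* Builds a constructed oversized attribute line and returns the parser result. */
int t38_reject_oversized(void)
{
    char line[600] = "a=T38FaxRateManagement:";
    char out[T38_VALUE_MAX];
    size_t n = strlen(line);

    memset(line + n, 'A', 500);           /* constructed filler, far beyond the cap */
    line[n + 500] = '\0';
    return t38_attr_value(line, "T38FaxRateManagement", out, sizeof(out));
}

int main(void)
{
    char out[T38_VALUE_MAX];
    int rc = t38_attr_value("a=T38FaxUdpEC:t38UDPRedundancy\r\n",
                            "T38FaxUdpEC", out, sizeof(out));
    printf("%d %s\n", rc, out);
    printf("%d\n", t38_reject_oversized());
    return 0;
}
```

The parser rejects an oversized value outright rather than truncating it, so a malformed offer is dropped instead of being partially accepted.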

Technical Description

This vulnerability is only present when T38 support is enabled in the configuration. This option is disabled by default.

Solution Description

Upgrade to Asterisk version 1.4.3, AsteriskNOW version beta 6 and Asterisk Appliance Developer Kit version 0.4.0 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

The vulnerability is triggered by sending a SIP INVITE message with the following SDP data:

v=0
o=rtp 1160124458839569000 160124458839569000 IN IP4 127.0.0.1
s=-
c=IN IP4 127.0.0.1
t=0 0
m=image 5004 UDPTL t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxMaxBuffer:1024
a=T38FaxMaxDatagram:238
a=T38FaxRateManagement:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA
a=T38FaxUdpEC:t38UDPRedundancy

References:

Vendor Specific News/Changelog Entry: http://ftp.digium.com/pub/asa/ASA-2007-010.pdf
Security Tracker: 1017951
Secunia Advisory ID: 24977
Related OSVDB ID: 35369
Nessus Plugin ID: 25671
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-07/0030.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0442.html
Keyword: ASA-2007-010
ISS X-Force ID: 33895
FrSIRT Advisory: ADV-2007-1534
CVE-2007-2293
Bugtraq ID: 23648