ASA-2007-014: Stack buffer overflow in IAX2 channel driver

           Asterisk Project Security Advisory - ASA-2007-014

±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | Stack buffer overflow in IAX2 channel driver |
|----------------------±------------------------------------------------|
| Nature of Advisory | Exploitable Stack Buffer Overflow |
|----------------------±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------±------------------------------------------------|
| Severity | Critical |
|----------------------±------------------------------------------------|
| Exploits Known | No |
|----------------------±------------------------------------------------|
| Reported On | July 12, 2007 |
|----------------------±------------------------------------------------|
| Reported By | Russell Bryant, Digium, Inc. |
|----------------------±------------------------------------------------|
| Posted On | July 17, 2007 |
|----------------------±------------------------------------------------|
| Last Updated On | July 17, 2007 |
|----------------------±------------------------------------------------|
| Advisory Contact | Russell Bryant <[email protected]> |
|----------------------±------------------------------------------------|
| CVE Name | CVE-2007-3762 |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | The Asterisk IAX2 channel driver, chan_iax2, has a |
| | remotely exploitable stack buffer overflow |
| | vulnerability. It occurs when chan_iax2 is passed a |
| | voice or video frame with a data payload larger than 4 |
| | kB. This is exploitable by sending a very large RTP |
| | frame to an active RTP port number used by Asterisk when |
| | the other end of the call is an IAX2 channel. Exploiting |
| | this issue can cause a crash or allow arbitrary code |
| | execution on a remote machine. |
| | |
| | The specific conditions that trigger the vulnerability |
| | are the following: |
| | |
| | * iax2_write() is called with a frame with the |
| | following properties |
| | |
| | * a voice or video frame |
| | |
| | * Its 4-byte timestamp has the same high 2 bytes |
| | as the previous frame that was sent |
| | |
| | * Its format is the one currently expected |
| | |
| | * Its data payload is larger than 4 kB |
| | |
| | iax2_write() calls iax2_send() to send the frame. Inside |
| | of iax2_send(), there is a conditional check to |
| | determine whether the frame should be sent immediately |
| | (the now variable) or queued for transmission later. |
| | |
| | If the frame is going to be transmitted later, an |
| | iax_frame struct is dynamically allocated with a data |
| | buffer that has the exact buffer size needed to |
| | accommodate for the provided ast_frame data. However, if |
| | the frame is being sent immediately, it uses a stack |
| | allocated iax_frame, with a data buffer size of 4096 |
| | bytes. |
| | |
| | Later, the iax_frame_wrap() function is used to copy the |
| | data from the ast_frame struct into the iax_frame |
| | struct. This function assumes the iax_frame data buffer |
| | has enough space for all of the data in the ast_frame. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | This issue is only exploitable when the system is |
| | configured in such a way that calls between channels that |
| | use RTP and IAX2 channels are possible. Also, some |
| | additional protection against arbitrary code execution is |
| | provided if the call involves transcoding between audio |
| | formats as this will change the contents of the frame |
| | payload. |
| | |
| | All users that have systems that connect calls between |
| | channels that use RTP and IAX2 channels should |
| | immediately update to versions listed in the corrected in |
| | section of this advisory. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-014.pdf. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

           Asterisk Project Security Advisory - ASA-2007-014
          Copyright (c) 2007 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.