Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMarcello Duarte1337DAY-ID-24324
HistorySep 30, 2015 - 12:00 a.m.

freeswitch Heap Overflow Vulnerability

2015-09-3000:00:00
Marcello Duarte
0day.today
35

0.051 Low

EPSS

Percentile

92.1%

JSON

The JSON parser in freeswitch versions prior to 1.6.2 and 1.4.23 suffer from a heap overflow vulnerability.

1. Advisory Information

Title: Heap overflow in freeswitch json parser < 1.6.2 & < 1.4.23
Submitter: Marcello Duarte ([emailΒ protected])
Product: freeswitch
Product URL: http://freeswitch.org
Affected Versions: freeswitch < 1.6.2 & < 1.4.23
Fixed Versions: 1.6.2 , 1.4.23
Link to source code diff:
https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd
CVE Status: CVE-2015-7392

2. Vulnerability Information

Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No


3. Vulnerability Description

Product Information: FreeSWITCH is a scalable open source
cross-platform telephony platform designed to route and interconnect
popular communication protocols using audio, video, text or any other
form of media.  It was created in 2006 to fill the void left by
proprietary commercial solutions.  FreeSWITCH also provides a stable
telephony platform on which many applications can be developed using a
wide range of free tools.

Vulnerability:

A carefully crafted json string supplied to cJSON_Parse will trigger a
heap overflow with user controlled data.

The underlying vulnerability occurs in the parse_string function.

By passing a json string with \u at the end of the string will cause
the parser to increment past the null at the end of string.

This confuses the code responsible for copying the string. Since it
doesn't detect the NULL in this situation,  it will keep copying until
it hits a null in memory. This leads to a heap overflow with user
controlled data.

Any modules or core code which allows user supplied json to enter the
json parser will be vulnerable.


Vulnerable Source Code:

static const char *parse_string(cJSON *item, const char *str) {

...

/* HACKLOG The length of string is determined here, it will stop
counting when it hits a null */

  while (*ptr != '\"' && *ptr && ++len)
    if (*ptr++ == '\\')
      ptr++; /* Skip escaped quotes. */


/* HACKLOG The buffer is alloced with the length obtained from the
previous section */

 out = (char *)cJSON_malloc(
      len + 1); /* This is how long we need for the string, roughly. */
  if (!out)
    return 0;

/* HACKLOG the following code will copy the string into the alloced
buffer taking into account utf16 to utf8 conversion */

  ptr = str + 1;
  ptr2 = out;
/* 1 */
  while (*ptr != '\"' && *ptr) {
    if (*ptr != '\\')
      *ptr2++ = *ptr++;
    else {
      ptr++;
      switch (*ptr) {
      case 'b':
        *ptr2++ = '\b';
        break;
      case 'f':
        *ptr2++ = '\f';
        break;
      case 'n':
        *ptr2++ = '\n';
        break;
      case 'r':
        *ptr2++ = '\r';
        break;
      case 't':
        *ptr2++ = '\t';
        break;
      case 'u': /* transcode utf16 to utf8. */
        if (sscanf(ptr + 1, "%4x", &uc) < 1)
          break;

    ptr += 4; /* get the unicode char. */

        if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
          break; // check for invalid.

        if (uc >= 0xD800 && uc <= 0xDBFF) // UTF16 surrogate pairs.
        {
          if (ptr[1] != '\\' || ptr[2] != 'u')
            break; // missing second-half of surrogate.
          if (sscanf(ptr + 3, "%4x", &uc2) < 1)
            break;
          ptr += 6;
          if (uc2 < 0xDC00 || uc2 > 0xDFFF)
            break; // invalid second-half of surrogate.
          uc = 0x10000 | ((uc & 0x3FF) << 10) | (uc2 & 0x3FF);
        }

        len = 4;
        if (uc < 0x80)
          len = 1;
        else if (uc < 0x800)
          len = 2;
        else if (uc < 0x10000)
          len = 3;
        ptr2 += len;

        switch (len) {
        case 4:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 3:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 2:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 1:
          *--ptr2 = (char)(uc | firstByteMark[len]);
        }
        ptr2 += len;
        break;
      default:
        *ptr2++ = *ptr;
        break;
      }

      /* HACKLOG INCREMENTS past null here, causing the while loop to
not detect the end of the buffer so it keeps copying past the end of
the alloced buffer */
      ptr++;
    }



4. Vendor Information, Solutions

Freeswitch has released versions 1.6.2 , 1.4.23 which fix the issue.

#  0day.today [2018-04-04]  #

Related

prion 1
securityvulns 2
cve 1
cvelist 1
nessus 1
prion
prion
Heap overflow
2015-10-05 14:59:00
securityvulns
securityvulns
FreeSWITCH buffer overflow
2015-10-12 00:00:00
CVE-2015-7392 Heap overflow in Freeswitch json parser &lt; 1.6.2 &amp; &lt; 1.4.23
2015-10-12 00:00:00
cve
cve
CVE-2015-7392
2015-10-05 14:59:00
cvelist
cvelist
CVE-2015-7392
2015-10-05 14:00:00
nessus
nessus
FreeSWITCH < 1.4.26 / 1.6.x < 1.6.5 JSON Parser RCE
2016-02-11 00:00:00

0.051 Low

EPSS

Percentile

92.1%

JSON
Related for 1337DAY-ID-24324
prion1securityvulns2cve1cvelist1nessus1