[AsteriskBrasil] [NEWS] Stack Buffer Overflow in Asterisk's IAX2 Channel Driver

Rafael Melo rafael.melo em informata.com.br
Thursday, July 19, 10:06:19 BRT 2007


PSC

>
>  Stack Buffer Overflow in Asterisk's IAX2 Channel Driver
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
> stack buffer overflow vulnerability. It occurs when chan_iax2 is passed a
> voice or video frame with a data payload larger than 4 kB. This is
> exploitable by sending a very large RTP frame to an active RTP port number
> used by Asterisk when the other end of the call is an IAX2 channel.
> Exploiting this issue can cause a crash or allow arbitrary code execution
> on a remote machine.
>
> DETAILS
>
> Vulnerable Systems:
> * Asterisk Open Source versions prior to 1.2.22
> * Asterisk Open Source versions prior to 1.4.8
> * Asterisk Business Edition versions prior to B.2.2.1
> * AsteriskNOW prerelease versions prior to beta7
> * Asterisk Appliance Developer Kit versions prior to 0.5.0
> * s800i (Asterisk Appliance) versions prior to 1.0.2
>
> Immune Systems:
> * Asterisk Open Source version 1.2.22
> * Asterisk Open Source version 1.4.8
> * Asterisk Business Edition B.2.2.1
> * AsteriskNOW Beta7
> * Asterisk Appliance Developer Kit version 0.5.0
> * s800i (Asterisk Appliance) version 1.0.2
>
> The specific conditions that trigger the vulnerability are the following:
> * iax2_write() is called with a frame with the following properties:
>   * It is a voice or video frame
>   * Its 4-byte timestamp has the same high 2 bytes as the previous frame
>     that was sent
>   * Its format is the one currently expected
>   * Its data payload is larger than 4 kB
>
> iax2_write() calls iax2_send() to send the frame. Inside of iax2_send(),
> there is a conditional check to determine whether the frame should be sent
> immediately (the now variable) or queued for transmission later.
>
> If the frame is going to be transmitted later, an iax_frame struct is
> dynamically allocated with a data buffer that has the exact buffer size
> needed to accommodate for the provided ast_frame data. However, if the
> frame is being sent immediately, it uses a stack allocated iax_frame, with
> a data buffer size of 4096 bytes. Later, the iax_frame_wrap() function is
> used to copy the data from the ast_frame struct into the iax_frame struct.
> This function assumes the iax_frame data buffer has enough space for all
> of the data in the ast_frame.
>
> Resolution:
> This issue is only exploitable when the system is configured in such a way
> that calls between channels that use RTP and IAX2 channels are possible.
> Also, some additional protection against arbitrary code execution is
> provided if the call involves transcoding between audio formats as this
> will change the contents of the frame payload.
>
> All users that have systems that connect calls between channels that use
> RTP and IAX2 channels should immediately update to the versions listed in
> the "Corrected In" section of this advisory.
>
> CVE Information:
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3762>
> CVE-2007-3762
>
>
> ADDITIONAL INFORMATION
>
> The information has been provided by Russell Bryant <russell em digium.com>.
> The original article can be found at:
> <http://ftp.digium.com/pub/asa/ASA-2007-014.pdf>
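The advisory's mechanism, a stack-allocated iax_frame with a 4096-byte data buffer and a wrap routine that copies the ast_frame payload without checking that it fits, reduced to an added example that is not Asterisk's code: the struct layouts and function names are simplified stand-ins, and the checked variant shows the bound the send-now path needs before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define IAX_FRAME_DATA_MAX 4096 /* stack iax_frame data buffer size named in the advisory */

/* Simplified stand-ins for Asterisk's ast_frame and iax_frame (assumed layouts, not the real ones). */
struct ast_frame { const uint8_t *data; size_t datalen; };
struct iax_frame { size_t datalen; uint8_t data[IAX_FRAME_DATA_MAX]; };

/* Vulnerable pattern: the copy trusts that the destination is large enough. Never called here. */
void iax_frame_wrap_unchecked(struct iax_frame *fr, const struct ast_frame *f)
{
    fr->datalen = f->datalen;
    memcpy(fr->data, f->data, f->datalen); /* writes past fr->data when datalen > 4096 */
}

/* Hardened wrap: bound the copy by the destination size; -1 if the payload cannot fit. */
static int iax_frame_wrap_checked(struct iax_frame *fr, const struct ast_frame *f)
{
    if (f->datalen > sizeof fr->data) return -1;
    fr->datalen = f->datalen;
    memcpy(fr->data, f->data, f->datalen);
    return 0;
}

/* Models the "send now" branch of iax2_send(): the iax_frame lives on the stack. Returns bytes accepted or -1. */
int iax2_send_now(const struct ast_frame *f)
{
    struct iax_frame fr;
    if (iax_frame_wrap_checked(&fr, f) != 0) return -1;
    /* ... a real driver would transmit fr.data / fr.datalen here ... */
    return (int)fr.datalen;
}

/* Helper: build a constructed n-byte voice payload and push it through the send-now path. */
int send_payload_of(size_t n)
{
    uint8_t *buf = malloc(n ? n : 1);
    if (!buf) return -1;
    memset(buf, 0xAB, n);
    struct ast_frame f = { buf, n };
    int rc = iax2_send_now(&f);
    free(buf);
    return rc;
}
int main(void)
{
    printf("160-byte frame: %d, 4097-byte frame: %d\n", send_payload_of(160), send_payload_of(4097));
    return 0;
}
```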


