Friday, October 20, 2006

Asterisk remote heap overflow

Notice to all Asterisk users:
A security advisory has been issued for Asterisk, the open source PBX / IP-PBX. Please fix this as soon as possible; any application or server using Asterisk, such as TRIXBOX, should fix this overflow. I am running Asterisk 1.4-beta2 and am not affected.

Asterisk - chan_skinny Remote Unauthenticated Heap Overflow

Vendor Website:
http://www.asterisk.org
Affected Version:
All 1.2-branch releases prior to and including 1.2.12.1
All 1.0-branch releases prior to and including 1.0.11

Not Affected:
All 1.4-branch beta releases (1.4.0-beta1, 1.4.0-beta2)


== Overview ==
Asterisk is "The Opensource PBX", a popular software telephony server.

The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so)
incorrectly validates a length value in the packet header. A signed length
passes the bounds check and is then converted to a huge unsigned read()
count, leading to a heap overwrite and arbitrary remote code execution as
root. No authentication is required.

== Details ==

The function 'static int get_input(struct skinnysession *s)' in
chan_skinny.c incorrectly validates a user supplied length in the packet
header. In get_input(), four bytes are read from the socket, interpreted as
a signed integer, and assigned to dlen. The bounds check then compares
(dlen + 8) against sizeof(s->inbuf). If dlen is between -8 and -1, (dlen + 8)
evaluates to a small value between 0 and 7, so the comparison passes and the
negative dlen survives. More negative values do not get through: in the
comparison the int is converted to the unsigned type of sizeof, so they
appear enormous and fail the check.

Next, dlen + 4 is passed to read() as the maximum number of bytes to write
to s->inbuf+4. The count argument of read() is a size_t, so a negative
dlen + 4 is converted to a very large unsigned value. For dlen between -8
and -5, dlen + 4 is still negative: for example, dlen = -6 gives a count of
-2, which read() sees as 0xfffffffe bytes on a 32-bit system. (For dlen
between -4 and -1 the count is 0 to 3 and no overflow occurs.) read() writes
as many bytes as the client actually sends, so the attacker chooses how far
beyond the end of the 1000 byte buffer s->inbuf the copy extends,
overwriting adjacent heap memory.
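The following is an added example written for this page, not code from
Asterisk's chan_skinny.c. It models the length handling the advisory
describes (signed length, check on dlen + 8, read(dlen + 4)) beside a
hardened form that is this editor's suggestion rather than the vendor's
patch. Assumptions: the header is little-endian, the client socket is
replaced by a constructed in-memory byte stream, and bytes that would land
past s->inbuf are counted instead of written so the program stays
memory-safe while still showing which dlen values overflow.

```c
/* Added example: models the get_input() length check, not Asterisk code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKINNY_MAX_PACKET 1000   /* sizeof(s->inbuf) per the advisory */

struct fake_sock {               /* constructed stand-in for the client socket */
    const unsigned char *data;
    size_t len;
    size_t pos;
};

struct read_result {
    int accepted;        /* 1 if the length check let the packet through */
    size_t requested;    /* the count handed to read() for the body */
    size_t copied;       /* bytes that landed inside inbuf */
    size_t overflow;     /* bytes that would have landed past inbuf */
};

/* read(2) stand-in: consumes at most 'count' queued bytes, writes only the
 * first 'cap' of them into dst, and reports the rest in *spilled. */
static size_t bounded_read(struct fake_sock *s, unsigned char *dst, size_t cap,
                           size_t count, size_t *spilled)
{
    size_t avail = s->len - s->pos;
    size_t n = count < avail ? count : avail;   /* what read(2) would consume */
    size_t keep = n < cap ? n : cap;            /* what fits in the buffer */
    memcpy(dst, s->data + s->pos, keep);
    s->pos += n;
    *spilled = n - keep;
    return keep;
}

/* Decode the 4-byte header as a signed int (little-endian is assumed). */
static int32_t le32_to_int(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Vulnerable pattern: signed dlen, check on dlen + 8, then read(dlen + 4). */
static struct read_result get_input_vulnerable(struct fake_sock *sock)
{
    unsigned char inbuf[SKINNY_MAX_PACKET];
    struct read_result r = {0, 0, 0, 0};
    size_t spilled = 0;
    int dlen;

    if (bounded_read(sock, inbuf, sizeof inbuf, 4, &spilled) != 4)
        return r;
    dlen = le32_to_int(inbuf);
    /* The cast is the implicit int -> size_t conversion of "dlen + 8 > sizeof":
     * dlen in -8..-1 yields 0..7 and passes, anything lower looks huge. */
    if ((size_t)(dlen + 8) > sizeof(inbuf))
        dlen = (int)(sizeof(inbuf) - 8);
    r.accepted = 1;
    r.requested = (size_t)(dlen + 4);           /* negative -> enormous count */
    r.copied = bounded_read(sock, inbuf + 4, sizeof inbuf - 4, r.requested, &spilled);
    r.overflow = spilled;
    return r;
}

/* Hardened form (editor's suggestion): unsigned length, whole packet must
 * fit, and a bad header rejects the packet instead of being clamped. */
static struct read_result get_input_hardened(struct fake_sock *sock)
{
    unsigned char inbuf[SKINNY_MAX_PACKET];
    struct read_result r = {0, 0, 0, 0};
    size_t spilled = 0;
    uint32_t dlen;

    if (bounded_read(sock, inbuf, sizeof inbuf, 4, &spilled) != 4)
        return r;
    dlen = (uint32_t)le32_to_int(inbuf);
    if (dlen > sizeof(inbuf) - 8)                /* unsigned: no negative path */
        return r;                                /* accepted stays 0 */
    r.accepted = 1;
    r.requested = dlen + 4;                      /* at most SKINNY_MAX_PACKET - 4 */
    r.copied = bounded_read(sock, inbuf + 4, sizeof inbuf - 4, r.requested, &spilled);
    r.overflow = spilled;                        /* always 0 on this path */
    return r;
}

/* Builds a constructed client stream (header 'dlen', then 'body_len' filler
 * bytes) and runs it through one of the two readers. */
static struct read_result run_case(int32_t dlen, size_t body_len, int hardened)
{
    static unsigned char stream[4 + 4096];
    struct fake_sock sock;
    uint32_t u = (uint32_t)dlen;

    if (body_len > sizeof stream - 4)
        body_len = sizeof stream - 4;
    stream[0] = (unsigned char)(u & 0xff);
    stream[1] = (unsigned char)((u >> 8) & 0xff);
    stream[2] = (unsigned char)((u >> 16) & 0xff);
    stream[3] = (unsigned char)((u >> 24) & 0xff);
    memset(stream + 4, 0x41, body_len);
    sock.data = stream;
    sock.len = 4 + body_len;
    sock.pos = 0;
    return hardened ? get_input_hardened(&sock) : get_input_vulnerable(&sock);
}

int main(void)
{
    struct { const char *label; int32_t dlen; size_t body; int hardened; } cases[] = {
        { "normal, vulnerable code", 100,  104, 0 },
        { "dlen=-6, vulnerable",     -6,  1200, 0 },
        { "dlen=-1, vulnerable",     -1,  1200, 0 },
        { "dlen=-100, vulnerable", -100,  1200, 0 },
        { "dlen=-6, hardened",       -6,  1200, 1 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct read_result r = run_case(cases[i].dlen, cases[i].body, cases[i].hardened);
        printf("%-24s accepted=%d requested=%zu copied=%zu overflow=%zu\n",
               cases[i].label, r.accepted, r.requested, r.copied, r.overflow);
    }
    return 0;
}
```

With a 1200 byte body, dlen = -6 is accepted by the vulnerable check, asks
read() for (size_t)-2 bytes, fills the remaining 996 bytes of inbuf and
spills 204 bytes past it; dlen = -1 is also accepted but only asks for 3
bytes, and dlen = -100 fails the check because the comparison converts it
to a huge unsigned value. The hardened reader rejects -6 outright. The
amount that spills is bounded only by what the client sends, which is why
the attacker controls the extent of the heap overwrite.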

== Solutions ==

- Disable the chan_skinny module if it is not required (for example, with
  noload => chan_skinny.so in modules.conf).
- Firewall port 2000/tcp from untrusted networks.
- Install the vendor supplied upgrades:
1.0-branch: Upgrade to 1.0.12 or later
1.2-branch: Upgrade to 1.2.13 or later


== Credit ==

Discovered and advised to Digium 17th October, 2006 by Adam Boileau of
Security-Assessment.com.
