Asterisk SIP T.38 SDP Parsing Remote Stack Buffer Overflow Vulnerabilities
BID:23648
Info
| Bugtraq ID: | 23648 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 24 2006 12:00AM |
| Updated: | Nov 15 2007 12:37AM |
| Credit: | Barrie Dempster of NGS Software is credited with the discovery of these issues. |
| Vulnerable: | Asterisk AsteriskNow Beta 5; Asterisk Asterisk 1.4.2; Asterisk Asterisk 1.4.1; Asterisk Asterisk 1.4 Beta; Asterisk Appliance Developers Kit 0.3 |
| Not Vulnerable: | Asterisk AsteriskNow Beta 6; Asterisk Asterisk Appliance Developer Kit 0.4; Asterisk Asterisk 1.4.3 |
Discussion
Asterisk is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.
Successful exploits may allow an attacker to execute arbitrary machine code to compromise an affected computer or to cause denial-of-service conditions.
Versions prior to Asterisk Open Source 1.4.3, AsteriskNOW Beta 6, and Asterisk Appliance Developer Kit 0.4.0 are vulnerable.
NOTE: These issues occur only when 't38 fax over SIP' is enabled in 'sip.conf'.
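As an added example (not part of the original advisory and not Asterisk's own code), the Python check below flags a host as exposed when its version is in the 1.4 series below 1.4.3 and T.38 is switched on in `sip.conf`. It assumes the option is `t38pt_udptl`, which this page does not name, and runs against a constructed sample configuration.

```python
import re

# Assumption: Asterisk 1.4 enables T.38 over SIP with this sip.conf key;
# the page only says "'t38 fax over SIP' is enabled in 'sip.conf'".
T38_KEYS = {"t38pt_udptl"}
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # values Asterisk treats as true


def t38_enabled_sections(conf_text):
    """Return the sip.conf sections in which a T.38 key is switched on."""
    section, hits = None, []
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        value = value.lstrip(">").strip().lower()  # also accept 'key => value'
        if sep and key.strip().lower() in T38_KEYS and value in TRUE_VALUES:
            if section not in hits:
                hits.append(section)
    return hits


def is_affected_version(version):
    """True for 1.4-series releases below 1.4.3 (the page's vulnerable list)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor) == (1, 4) and patch < 3


def exposed(version, conf_text):
    """Both conditions from the advisory: affected release and T.38 enabled."""
    return is_affected_version(version) and bool(t38_enabled_sections(conf_text))


# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
[general]
bindport = 5060
;t38pt_udptl = yes      ; commented out, so not active here
[fax-gateway]
type = peer
t38pt_udptl = yes
"""

if __name__ == "__main__":
    print(t38_enabled_sections(SAMPLE_CONF), exposed("1.4.2", SAMPLE_CONF))
```
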
Exploit / POC
Attackers can use readily available networking utilities to exploit these issues.
UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following proof-of-concept packet data is available:
Solution / Fix
Solution:
The vendor has released fixes to address these issues. Please see the references for more information.
- Asterisk Asterisk 1.4 Beta: Asterisk asterisk-1.4.3.tar.gz, http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz
- Asterisk Asterisk 1.4.1: Asterisk asterisk-1.4.3.tar.gz, http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz
- Asterisk Asterisk 1.4.2: Asterisk asterisk-1.4.3.tar.gz, http://ftp.digium.com/pub/asterisk/releases/asterisk-1.4.3.tar.gz
References
- Asterisk Homepage (Asterisk)
- ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code ("Kevin P. Fleming")
- Multiple Remote unauthenticated stack overflows in Asterisk chan_sip.c (NGS Software Insight Security Research)
- Asterisk Project Security Advisory - ASA-2007-010 (Asterisk)