Thursday, July 19, 2007

[NEWS] Stack Buffer Overflow in Asterisk's IAX2 Channel Driver

The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com

Stack Buffer Overflow in Asterisk's IAX2 Channel Driver
------------------------------------------------------------------------


SUMMARY

The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
stack buffer overflow vulnerability. It occurs when chan_iax2 is passed a
voice or video frame with a data payload larger than 4096 bytes (4 kB). This
is exploitable by sending a very large RTP packet to an active RTP port
used by Asterisk when the other end of the call is an IAX2 channel.
Exploiting this issue can cause a crash or allow arbitrary code execution
on the remote machine running Asterisk.

DETAILS

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.2.22
* Asterisk Open Source versions prior to 1.4.8
* Asterisk Business Edition versions prior to B.2.2.1
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.2.22
* Asterisk Open Source version 1.4.8
* Asterisk Business Edition B.2.2.1
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The specific conditions that trigger the vulnerability are the following:
* iax2_write() is called with a frame that has all of these properties:
  - it is a voice or video frame
  - its 4-byte timestamp has the same high 2 bytes as the previous frame
    that was sent
  - its format is the one currently expected
  - its data payload is larger than 4096 bytes (4 kB)

iax2_write() calls iax2_send() to send the frame. Inside iax2_send(),
a conditional check determines whether the frame should be sent
immediately (the now variable) or queued for transmission later.

If the frame is going to be transmitted later, an iax_frame struct is
dynamically allocated with a data buffer sized exactly to hold the
provided ast_frame data. However, if the frame is being sent immediately,
a stack-allocated iax_frame with a fixed 4096-byte data buffer is used.
Later, the iax_frame_wrap() function copies the data from the ast_frame
struct into the iax_frame struct. This function assumes the iax_frame data
buffer has enough space for all of the data in the ast_frame, so a payload
larger than 4096 bytes on the immediate-send path overruns the stack buffer.
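The following C program is an added example, not code from the advisory or from Asterisk itself. It models the trigger conditions and the two copy paths described above using simplified stand-ins for ast_frame and iax_frame (assumption: the real Asterisk structs carry many more fields, and the field names, the helper names and the hardened check are illustrative rather than Digium's actual patch). frame_triggers_bug() encodes the four conditions from the list above; iax2_send_now() shows the stack-allocated "send now" path with an unchecked iax_frame_wrap() beside a bounded variant that refuses payloads larger than the 4096-byte buffer. All sample frames are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for Asterisk's ast_frame and iax_frame. Assumption: the real
 * structs carry many more fields; only what the advisory's trigger needs is here. */
#define AST_FRAME_VOICE 1
#define AST_FRAME_VIDEO 2
#define IAX_STACK_BUF   4096   /* the fixed stack buffer size named in the advisory */

struct ast_frame {
    int frametype;                /* AST_FRAME_VOICE, AST_FRAME_VIDEO, ... */
    int subclass;                 /* codec format */
    uint32_t ts;                  /* 32-bit timestamp */
    int datalen;                  /* payload length, ultimately taken from the RTP packet */
    const unsigned char *data;
};

struct iax_frame {
    int afdatalen;
    unsigned char afdata[IAX_STACK_BUF];
};

/* Encodes the four trigger conditions listed in the advisory. */
int frame_triggers_bug(const struct ast_frame *prev, const struct ast_frame *cur, int expected_format)
{
    int voice_or_video = cur->frametype == AST_FRAME_VOICE || cur->frametype == AST_FRAME_VIDEO;
    int same_ts_high   = (cur->ts >> 16) == (prev->ts >> 16);     /* high 2 bytes unchanged */
    int format_matches = cur->subclass == expected_format;
    int oversized      = cur->datalen > IAX_STACK_BUF;
    return voice_or_video && same_ts_high && format_matches && oversized;
}

/* Vulnerable pattern: iax_frame_wrap() trusts that afdata has room for datalen bytes. */
static void iax_frame_wrap_unchecked(struct iax_frame *fr, const struct ast_frame *f)
{
    fr->afdatalen = f->datalen;
    memcpy(fr->afdata, f->data, (size_t)f->datalen);   /* writes past afdata when datalen > 4096 */
}

/* Hardened pattern (illustrative, not Digium's patch): bound the copy by the
 * destination's real capacity and let the caller drop or re-route the frame. */
static int iax_frame_wrap_checked(struct iax_frame *fr, size_t cap, const struct ast_frame *f)
{
    if (f->datalen < 0 || (size_t)f->datalen > cap)
        return -1;
    fr->afdatalen = f->datalen;
    memcpy(fr->afdata, f->data, (size_t)f->datalen);
    return 0;
}

/* Models the "send now" branch of iax2_send(): a stack-allocated iax_frame.
 * Returns 0 on success, -1 if the hardened path refused the frame. */
int iax2_send_now(const struct ast_frame *f, int hardened)
{
    struct iax_frame frb;                     /* 4096-byte payload buffer on the stack */
    if (hardened)
        return iax_frame_wrap_checked(&frb, sizeof frb.afdata, f);
    iax_frame_wrap_unchecked(&frb, f);        /* only safe for datalen <= 4096 */
    return 0;
}

/* Helpers that build constructed frames so each scenario can be checked by name. */
int sample_triggers(int frametype, uint32_t prev_ts, uint32_t ts, int format, int expected, int datalen)
{
    struct ast_frame prev = { AST_FRAME_VOICE, expected, prev_ts, 160, NULL };
    struct ast_frame cur  = { frametype, format, ts, datalen, NULL };
    return frame_triggers_bug(&prev, &cur, expected);
}

int sample_send_hardened(int datalen)
{
    unsigned char *payload = calloc((size_t)datalen, 1);   /* constructed zero-filled payload */
    struct ast_frame f = { AST_FRAME_VOICE, 8, 0x00010000u, datalen, payload };
    int rc = payload ? iax2_send_now(&f, 1) : -1;
    free(payload);
    return rc;
}

int main(void)
{
    printf("voice, same ts high bytes, 8000-byte payload -> triggers: %d\n",
           sample_triggers(AST_FRAME_VOICE, 0x00010000u, 0x000100a0u, 8, 8, 8000));
    printf("voice, ts high bytes changed, 8000-byte payload -> triggers: %d\n",
           sample_triggers(AST_FRAME_VOICE, 0x00010000u, 0x00020000u, 8, 8, 8000));
    printf("hardened send-now path: 4096 bytes -> %d, 4097 bytes -> %d\n",
           sample_send_hardened(4096), sample_send_hardened(4097));
    return 0;
}
```

The unchecked path is deliberately never fed an oversized frame in main(): doing so is the bug itself and would corrupt the stack. The point of the comparison is that the only input under the remote peer's control is datalen, and the fixed-size stack buffer makes that value the whole exploit surface; the bounded copy removes it without touching the heap-allocated (queued) path, which already sizes its buffer from datalen.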

Resolution:
This issue is only exploitable when the system is configured in such a way
that calls between channels that use RTP and IAX2 channels are possible.
Also, some additional protection against arbitrary code execution is
provided if the call involves transcoding between audio formats as this
will change the contents of the frame payload.

All users whose systems connect calls between channels that use RTP and
IAX2 channels should immediately update to one of the versions listed in
the Immune Systems section of this advisory.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3762>
CVE-2007-3762


ADDITIONAL INFORMATION

The information has been provided by <mailto:russell@digium.com> Russell
Bryant.
The original article can be found at:
<http://ftp.digium.com/pub/asa/ASA-2007-014.pdf>
