[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] AST-2011-001: Stack buffer overflow in SIP channel driver



               Asterisk Project Security Advisory - AST-2011-001

         Product        Asterisk                                              
         Summary        Stack buffer overflow in SIP channel driver           
    Nature of Advisory  Exploitable Stack Buffer Overflow                     
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      January 11, 2011                                      
       Reported By      Matthew Nicholson                                     
        Posted On       January 18, 2011                                      
     Last Updated On    January 18, 2011                                      
     Advisory Contact   Matthew Nicholson <mnicholson@xxxxxxxxxx>             
         CVE Name       

   Description When forming an outgoing SIP request while in pedantic mode, a 
               stack buffer can be made to overflow if supplied with          
               carefully crafted caller ID information. This vulnerability    
               also affects the URIENCODE dialplan function and in some       
               versions of asterisk, the AGI dialplan application as well.    
               The ast_uri_encode function does not properly respect the size 
               of its output buffer and can write past the end of it when     
               encoding URIs.                                                 

   Resolution The size of the output buffer passed to the ast_uri_encode      
              function is now properly respected.                             
                                                                              
              In asterisk versions not containing the fix for this issue,     
              limiting strings originating from remote sources that will be   
              URI encoded to a length of 40 characters will protect against   
              this vulnerability.                                             
                                                                              
              exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})           
              exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})         
              exten => s,n,Dial(SIP/channel)                                  
                                                                              
              The CALLERID(num) and CALLERID(name) channel values, and any    
              strings passed to the URIENCODE dialplan function should be     
              limited in this manner.                                         

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.2.x      All versions              
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source            1.6.x      All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              
              AsteriskNOW                 1.5       All versions              
      s800i (Asterisk Appliance)         1.2.x      All versions              

                                  Corrected In
            Product                              Release                      
     Asterisk Open Source       1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,     
                                       1.6.2.16.1, 1.8.1.2, 1.8.2.1           
   Asterisk Business Edition                     C.3.6.2                      

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff    1.8    

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-001.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-001.html                 

                                Revision History
         Date                 Editor                  Revisions Made          
   2011-01-18        Matthew Nicholson        Initial Release                 

               Asterisk Project Security Advisory - AST-2011-001
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/