Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated, depending on the configuration of the Asterisk installation.
Credit:
The information has been provided by Joshua Colp.
The original article can be found at: http://downloads.digium.com/pub/security/AST-2008-002.html
Vulnerable Systems:
* Asterisk Open Source versions prior to 1.4.18.1 and 1.4.19-rc3
* Asterisk Open Source versions prior to 1.6.0-beta6
* Asterisk Business Edition versions prior to C.1.6.1
* AsteriskNOW versions prior to 1.0.2
* Asterisk Appliance Developer Kit versions prior to Asterisk 1.4 revision 109386
* s800i (Asterisk Appliance) versions prior to 1.1.0.2
Immune Systems:
* Asterisk Open Source version 1.4.18.1, Asterisk Open Source version 1.4.19-rc3 or Asterisk Open Source version 1.6.0-beta6
* Asterisk Business Edition version C.1.6.1
* AsteriskNOW version 1.0.2
* Asterisk Appliance Developer Kit version 1.4 revision 109386
* s800i (Asterisk Appliance) version 1.1.0.2
The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data, it does allow the attacker to write a 0 to other memory locations.
The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow, allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer.
Resolution:
Two fixes have been added to check the provided data and ensure it does not exceed static buffer sizes.
* When removing internal information regarding an RTP payload, the given payload number will now be checked to make sure it does not exceed the maximum acceptable payload number.
* When reading RTP payloads from SDP, a maximum limit of 32 in total will be enforced. Any further RTP payloads will be discarded.
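
The two checks described above, sketched in C as an added example; this is not the Asterisk patch or code from the advisory. The names `MAX_PT`, `MAX_CODECS`, `pt_table`, `pt_unset` and `sdp_read_payloads` are hypothetical, and the sketch assumes 256 is the table size, so valid payload numbers are 0 to 255.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PT     256  /* assumed table size: valid payload numbers 0..255 */
#define MAX_CODECS 32   /* advisory: at most 32 payloads are read from SDP */
struct pt_table { int in_use[MAX_PT]; };    /* hypothetical per-session state */

/* Clear one payload entry; returns -1 instead of writing 0 out of bounds. */
int pt_unset(struct pt_table *t, long pt)
{
    if (pt < 0 || pt >= MAX_PT)
        return -1;
    t->in_use[pt] = 0;
    return 0;
}

/* Read payload numbers from the format list of an SDP m= line into out[].
 * Returns how many were stored; *discarded counts entries that were dropped. */
int sdp_read_payloads(const char *mline, int out[MAX_CODECS], int *discarded)
{
    const char *p = strstr(mline, "RTP/AVP");
    int n = 0;
    *discarded = 0;
    if (!p)
        return 0;
    p += strlen("RTP/AVP");
    for (;;) {
        char *end;
        long pt = strtol(p, &end, 10);
        if (end == p)
            break;                      /* no further number on the line */
        p = end;
        if (pt < 0 || pt >= MAX_PT || n >= MAX_CODECS) {
            (*discarded)++;             /* drop it; never index past out[] */
            continue;
        }
        out[n++] = (int)pt;
    }
    return n;
}

int main(void)
{
    int out[MAX_CODECS], dropped;
    /* Constructed sample line, not taken from a real capture. */
    int n = sdp_read_payloads("m=audio 10000 RTP/AVP 0 8 101 300\r\n", out, &dropped);
    printf("stored=%d dropped=%d\n", n, dropped);
    return 0;
}
```
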
CVE Information:
CVE-2008-1289