Date: Mon, 10 Aug 2009 21:58:45 -0700
From: Mu Dynamics Research Team <security@...ynamics.com>
To: full-disclosure@...ts.grok.org.uk,
 bugtraq@...urityfocus.com
Subject: Multiple sscanf vulnerabilities in Asterisk [MU-200908-01]


Multiple sscanf vulnerabilities in Asterisk [MU-200908-01]
August 10, 2009

http://labs.mudynamics.com/advisories.html

Affected Products/Versions:
Asterisk 1.6.1 branch up to 1.6.1.2.


Product Overview:

Asterisk is an open source telephony engine and toolkit. Asterisk
implements the Session Initiation Protocol (SIP).


Vulnerability Details:

The Mu Dynamics Research team has found several vulnerabilities
stemming from unsafe use of the sscanf C standard library function.

The sscanf function is used in several places in Asterisk source code
for parsing numeric values from ASCII text in incoming SIP messages.
These calls to sscanf generally fail to specify a maximum width for the
field being parsed. With no width specified, sscanf defaults to a
maximum width of infinity. A remote attacker can take advantage of this
by crafting a SIP Invite message with a large number of ASCII decimal
characters in a position where a numeric value is being parsed.

E.g. the following sscanf call used to parse out the CSeq value from
the SIP header is vulnerable (chan_sip.c, line 19578):

      if (!error && sscanf(cseq, "%d%n", &seqno, &len) != 1) {

A remote attacker can crash Asterisk by sending a SIP Invite where the
CSeq value is prefixed by a large number of ASCII decimal characters
(such as 32768 zeros).

Other areas demonstrated to be vulnerable include Content-Length parsing
(chan_sip.c, line 6769) and SDP processing (chan_sip.c, lines 6977,
7035, 7043, and 7285). Based on code inspection this list is not
complete.
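
Added example (not part of the Mu Dynamics advisory and not Asterisk's
own code): a bounded form of the CSeq parse shown above, which also
rejects a value whose digits run past the bound instead of silently
accepting a truncated prefix. The helper names and the width of 9 are
assumptions of this example; the padded input is constructed to match
the case described above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Width 9 is an assumption of this example: nine decimal digits always
 * fit in a 32-bit int, so the conversion itself cannot overflow. */
#define CSEQ_FMT "%9d%n"

/* Hypothetical helper: parse the leading number of a CSeq header value
 * ("<number> <method>"). Returns 0 and fills seqno/len on success,
 * -1 on malformed input (outputs are left untouched on failure). */
int parse_cseq(const char *cseq, int *seqno, int *len)
{
    int n = 0, consumed = 0;

    if (!cseq || sscanf(cseq, CSEQ_FMT, &n, &consumed) != 1)
        return -1;                  /* no number present */
    if (n < 0)
        return -1;                  /* "%d" accepts a sign; CSeq is unsigned */
    /* The width stops the scan after 9 characters. A digit right after
     * the consumed span means the field exceeded the bound and n is only
     * a truncated prefix, so the header is rejected. */
    if (isdigit((unsigned char)cseq[consumed]))
        return -1;
    *seqno = n;
    *len = consumed;
    return 0;
}

/* Constructed sample input: "1 INVITE" prefixed with `zeros` '0' chars. */
char *make_padded_cseq(size_t zeros)
{
    const char *tail = "1 INVITE";
    char *buf = malloc(zeros + strlen(tail) + 1);
    if (!buf)
        return NULL;
    memset(buf, '0', zeros);
    strcpy(buf + zeros, tail);
    return buf;
}

int main(void)
{
    int seqno = 0, len = 0;
    char *bad = make_padded_cseq(32768);
    printf("normal: %d\n", parse_cseq("102 INVITE", &seqno, &len));
    printf("padded: %d\n", bad ? parse_cseq(bad, &seqno, &len) : -1);
    free(bad);
    return 0;
}
```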


Vendor Response / Solution:

Fixed in Asterisk 1.6.1.4.  For details see:
http://downloads.asterisk.org/pub/security/AST-2009-005.html.


History:

July 28, 2009         - First contact with vendor
August 10, 2009       - Vendor releases fix and advisory


See also:
http://www.pcapr.net/advisories/MU-200908-01.pcap
http://downloads.asterisk.org/pub/security/AST-2009-005.pdf


Credit:

This vulnerability was discovered by the Mu Dynamics research team.

http://labs.mudynamics.com/pgpkey.txt

Mu Dynamics proactively eliminates the high cost of service,
application and network downtime. Mu's solution automates a systematic
and repeatable process that identifies hard-to-detect sources of
potential downtime within IP services, applications, and underlying
networks. The award-winning Mu solution is deployed at more than 100
locations, primarily at leading global service providers, cable
operators and network product vendors.  Headquartered in Sunnyvale,
California, Mu is backed by leading venture capital firms that include
Accel Partners, Benchmark Capital, DAG Ventures and Focus Ventures. For
more information, visit the company's website at
http://www.mudynamics.com.



