AST-2008-002: Two buffer overflows in RTP Codec Payload Handling

           Asterisk Project Security Advisory - AST-2008-002

±-----------------------------------------------------------------------+
| Product | Asterisk |
|--------------------±--------------------------------------------------|
| Summary | Two buffer overflows in RTP Codec Payload |
| | Handling |
|--------------------±--------------------------------------------------|
| Nature of Advisory | Exploitable Buffer Overflow |
|--------------------±--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------±--------------------------------------------------|
| Severity | Critical |
|--------------------±--------------------------------------------------|
| Exploits Known | No |
|--------------------±--------------------------------------------------|
| Reported On | March 11, 2008 |
|--------------------±--------------------------------------------------|
| Reported By | Mu Security Research Team |
|--------------------±--------------------------------------------------|
| Posted On | March 18, 2008 |
|--------------------±--------------------------------------------------|
| Last Updated On | March 18, 2008 |
|--------------------±--------------------------------------------------|
| Advisory Contact | Joshua Colp <[email protected]> |
|--------------------±--------------------------------------------------|
| CVE Name | CVE-2008-1289 |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | Two buffer overflows exist in the RTP payload handling |
| | code of Asterisk. Both overflows can be caused by an |
| | INVITE or any other SIP packet with SDP. The request may |
| | need to be authenticated depending on configuration of |
| | the Asterisk installation. |
| | |
| | The first overflow is caused by sending a payload number |
| | that surpasses the programmed maximum payload number of |
| | 256. This causes an invalid memory write outside of the |
| | buffer. While this does not allow the attacker to write |
| | arbitrary data it does allow the attacker to write a 0 |
| | to other memory locations. |
| | |
| | The second overflow is caused by sending more than 32 |
| | RTP payloads. This causes a buffer on the stack to |
| | overflow allowing the attacker to write values between 0 |
| | and 256 (the maximum payload number) to memory locations |
| | after the buffer. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | Two fixes have been added to check the provided data to |
| | ensure it does not exceed static buffer sizes. |
| | |
| | When removing internal information regarding an RTP |
| | payload the given payload number will now be checked to |
| | make sure it does not exceed the maximum acceptable |
| | payload number. |
| | |
| | When reading RTP payloads from SDP a maximum limit of 32 |
| | in total will be enforced. Any further RTP payloads will |
| | be discarded. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2008-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2008-002.html |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

           Asterisk Project Security Advisory - AST-2008-002
          Copyright (c) 2008 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.