CVE-2006-5445: Denial of service in chan_sip

Related Vulnerabilities: CVE-2006-5445   CVE-2006-5444  

Debian Bug report logs - #395080
CVE-2006-5445: Denial of service in chan_sip


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Tue, 24 Oct 2006 20:03:06 UTC

Severity: grave

Tags: security

Fixed in version asterisk/1:1.2.13~dfsg-1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: Asterisk Cisco SCCP "chan_skinny" Integer Overflow Vulnerability
Date: Tue, 24 Oct 2006 21:46:00 +0200
Package: asterisk
Severity: grave
Tags: security

A heap-based buffer overflow vulnerability has been found in the 
skinny module of asterisk. It is fixed in 1.2.13 and 1.0.12.

See

http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/050171.html
http://secunia.com/advisories/22480/

for details.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: 395080@bugs.debian.org, control@bugs.debian.org
Subject: another asterisk issue
Date: Tue, 24 Oct 2006 22:14:45 +0200
retitle 395080 CVE-2006-5444/5:security issues in asterisk
thanks

The skinny issue is CVE-2006-5444.

There is another issue in the SIP channel driver, CVE-2006-5445.

Please mention the CVE ids in the changelog.



Changed Bug title. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (full text, mbox, link).


Tags added: pending Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #19 received at 395080-close@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>
To: 395080-close@bugs.debian.org
Subject: Bug#395080: fixed in asterisk 1:1.2.13~dfsg-1
Date: Tue, 24 Oct 2006 23:32:19 -0700
Source: asterisk
Source-Version: 1:1.2.13~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-1_i386.deb
asterisk-classic_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.13~dfsg-1_i386.deb
asterisk-config_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.13~dfsg-1_all.deb
asterisk-dev_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.13~dfsg-1_all.deb
asterisk-doc_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.13~dfsg-1_all.deb
asterisk-h423_1.2.13~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.2.13~dfsg-1_i386.deb
asterisk-sounds-main_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-1_all.deb
asterisk-web-vmail_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.diff.gz
asterisk_1.2.13~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1.dsc
asterisk_1.2.13~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg-1_all.deb
asterisk_1.2.13~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 395080@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 25 Oct 2006 06:46:52 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.13~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 338116 342138 348194 375141 386113 389376 394025 394122 395080
Changes: 
 asterisk (1:1.2.13~dfsg-1) unstable; urgency=high
 .
   [ Kilian Krause ]
   * Fixup dfsg versions with increased upstream build count.
 .
   [ Santiago Ruano Rincón ]
   * Added cdr_sqlite3_custom dpatch
 .
   [ Mark Purcell ]
   * New upstream release
     - Remote compromise (Closes: #394025)
     - CVE-2006-5444/5:security issues in asterisk (Closes: #395080)
     - Urgency high as this fixes remote compromise security issue
     - Information disclosure of voice mail messages through vmail.cgi
     (Closes: #338116)
     - package asterisk-dev should contain asterisk.h main header (Closes:
     #342138)
     - format_ogg_vorbis.so was present in i386, no longer in packages
     (Closes: #375141)
   * Update debian/patches/bristuff.dpatch
   * bristuff-0.3.0-PRE-1v
     - Please package bristuff 0.3.0PREu (Closes: #394122)
     - please include app_pickup.c from bristuff (Closes: #348194)
   * Build Depends: dpkg ( >= 1.13.19)
     - Asterisk must build-depend upon dpkg ( >= 1.13.19) (Closes: #386113)
   * Build-Depends: libpq-dev
     - obsolete build dependency postgresql-dev (Closes: #389376)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #24 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Frédéric Brière <fbriere@fbriere.net>
To: 395080@bugs.debian.org
Cc: security@debian.org
Subject: Re: CVE-2006-5444/5:security issues in asterisk
Date: Wed, 8 Nov 2006 23:25:11 -0500
On Tue, Oct 24, 2006 at 10:14:45PM +0200, Stefan Fritsch wrote:
> The skinny issue is CVE-2006-5444.

Is there a reason why this issue has not yet been fixed in sarge?


-- 
             Frédéric Brière    <*>    fbriere@fbriere.net

 =>  <fbriere@abacom.com> IS NO MORE:  <http://www.abacomsucks.com>  <=



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to "Brandon Kruse" <admteamkruz@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #29 received at 395080@bugs.debian.org (full text, mbox, reply):

From: "Brandon Kruse" <admteamkruz@gmail.com>
To: "Frédéric Brière" <fbriere@fbriere.net>, 395080@bugs.debian.org
Subject: Re: Bug#395080: CVE-2006-5444/5:security issues in asterisk
Date: Fri, 10 Nov 2006 04:07:14 +0000
hello, this has been fixed in the latest branch of asterisk (1.2.13)
and in 1.4

for a temporary fix, ( if it's the bug I'm thinking you're talking about )
just edit /etc/asterisk/modules.conf and noload=>chan_skinny.so



On 11/9/06, Frédéric Brière <fbriere@fbriere.net> wrote:
>
> On Tue, Oct 24, 2006 at 10:14:45PM +0200, Stefan Fritsch wrote:
> > The skinny issue is CVE-2006-5444.
>
> Is there a reason why this issue has not yet been fixed in sarge?
>
>
> --
>              Frédéric Brière    <*>    fbriere@fbriere.net
>
> =>  <fbriere@abacom.com> IS NO MORE:  <http://www.abacomsucks.com>  <=
>
>
> _______________________________________________
> Pkg-voip-maintainers mailing list
> Pkg-voip-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-voip-maintainers
>



-- 
-----------------------------------------------
Brandon Kruse

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #34 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Frédéric Brière <fbriere@fbriere.net>
To: 395080@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#395080: CVE-2006-5444/5:security issues in asterisk
Date: Thu, 9 Nov 2006 23:35:51 -0500
On Fri, Nov 10, 2006 at 04:07:14AM +0000, Brandon Kruse wrote:
> hello, this has been fixed in the latest branch of asterisk (1.2.13)
> and in 1.4

Yes, I know this is fixed in sid.  What I want to know is why this
buffer overflow is still present in sarge.  The fix seems rather
straightforward, and patches have been proposed in #394025.

> for a temporary fix, ( if it's the bug I'm thinking you're talking about )
> just edit /etc/asterisk/modules.conf and noload=>chan_skinny.so

I'm not using chan_skinny, so I'm not actually worried about being
bitten by this particular bug.

However, from what I understand, this is a theoretically exploitable
security bug which has been allowed to sit for three weeks, without any
update nor announcement for sarge users.

*That* is why I'm worried.


-- 
             Frédéric Brière    <*>    fbriere@fbriere.net

 =>  <fbriere@abacom.com> IS NO MORE:  <http://www.abacomsucks.com>  <=



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #39 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Frédéric Brière <fbriere@fbriere.net>, 395080@bugs.debian.org
Subject: Re: Bug#395080: CVE-2006-5444/5:security issues in asterisk
Date: Fri, 10 Nov 2006 18:26:44 +0200
On Wed, Nov 08, 2006 at 11:25:11PM -0500, Frédéric Brière wrote:
> On Tue, Oct 24, 2006 at 10:14:45PM +0200, Stefan Fritsch wrote:
> > The skinny issue is CVE-2006-5444.
> 
> Is there a reason why this issue has not yet been fixed in sarge?

I haven't looked at it yet, but the patch from 1.0.11 to 1.0.12 is
basically just this fix.

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir@jabber.org
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com       
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to "Brandon Kruse" <admteamkruz@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #44 received at 395080@bugs.debian.org (full text, mbox, reply):

From: "Brandon Kruse" <admteamkruz@gmail.com>
To: "Tzafrir Cohen" <tzafrir.cohen@xorcom.com>, 395080@bugs.debian.org
Subject: Re: Bug#395080: CVE-2006-5444/5:security issues in asterisk
Date: Sat, 11 Nov 2006 05:04:09 +0000
yes, it had to be made into a new version because it WAS a big security
issue.

On 11/10/06, Tzafrir Cohen <tzafrir.cohen@xorcom.com> wrote:
>
> On Wed, Nov 08, 2006 at 11:25:11PM -0500, Frédéric Brière wrote:
> > On Tue, Oct 24, 2006 at 10:14:45PM +0200, Stefan Fritsch wrote:
> > > The skinny issue is CVE-2006-5444.
> >
> > Is there a reason why this issue has not yet been fixed in sarge?
>
> I haven't looked at it yet, but the patch from 1.0.11 to 1.0.12 is
> basically just this fix.
>
> --
>                Tzafrir Cohen
> icq#16849755                    jabber:tzafrir@jabber.org
> +972-50-7952406           mailto:tzafrir.cohen@xorcom.com
> http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir
>
>
> _______________________________________________
> Pkg-voip-maintainers mailing list
> Pkg-voip-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-voip-maintainers
>



-- 
-----------------------------------------------
Brandon Kruse

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #49 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 395080@bugs.debian.org, control@bugs.debian.org
Subject: Re: security issues in asterisk
Date: Sat, 18 Nov 2006 19:55:08 +0000
package asterisk
retitle 394025 CVE-2006-5444: Remote compromise in chan_skinny
retitle 395080 CVE-2006-5445: Denial of service in chan_sip
thanks

One bug per bug report, please.

Ben.

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.

Changed Bug title. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#395080; Package asterisk. (full text, mbox, link).


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #56 received at 395080@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>
To: 395080@bugs.debian.org
Subject: Re: CVE-2006-5445: Denial of service in chan_sip
Date: Sun, 19 Nov 2006 00:29:35 +0000
The fix for CVE-2006-5445 in the 1.2 branch appears to be:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=45306&r2=45380

There's no corresponding fix in the 1.0 branch.

Here's my attempt at backporting it.  This is untested, since I don't
run Asterisk myself.

The initialisation of the SIP context (sip_pvt) is a bit different in
1.0 and I've copied what looks like the corresponding code from
sip_alloc() into transmit_response_using_temp().  I added a call to
build_contact() because __send_response() indirectly uses the
our_contact member.

In 1.0 there's no validation of commands before the call to find_call() and
there's no sip_method array.  Therefore I wrote string comparisons
against all the commands that are allowed to create a new SIP context
based on the flags in the 1.2 code, minus "PUBLISH" because that isn't
supported at all (I'm not sure this is correct; we may end up sending
the wrong error message).

Ben.

--- asterisk-1.0.7.dfsg.1/channels/chan_sip.c.orig	2006-11-18 20:25:43.000000000 +0000
+++ asterisk-1.0.7.dfsg.1/channels/chan_sip.c	2006-11-18 23:22:41.000000000 +0000
@@ -557,6 +557,7 @@
 static struct ast_ha *localaddr;
 
 static struct ast_frame  *sip_read(struct ast_channel *ast);
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *sin, int useglobal_nat, struct sip_request *req, char *msg);
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_request *req);
 static int transmit_response_with_sdp(struct sip_pvt *p, char *msg, struct sip_request *req, int retrans);
 static int transmit_response_with_auth(struct sip_pvt *p, char *msg, struct sip_request *req, char *rand, int reliable, char *header);
@@ -2364,7 +2365,7 @@
 	char *callid;
 	char tmp[256] = "";
 	char iabuf[INET_ADDRSTRLEN];
-	char *cmd;
+	const char *cmd = req->rlPart1;
 	char *tag = "", *c;
 
 	callid = get_header(req, "Call-ID");
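Review bot: `cmd` is now initialised from `req->rlPart1` at its declaration, but nothing in this patch shows `rlPart1` being filled in before find_call() runs; the lines removed in the next hunk derived the command word from `req->header[0]` instead. If the first-line parsing that sets `rlPart1` only happens later in request handling, every `strcasecmp(cmd, ...)` further down operates on a null or stale pointer. Confirm the parse runs before this call, or keep extracting the token from `req->header[0]` in this function.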
@@ -2378,11 +2379,6 @@
 		   SIP implementations, and thus Asterisk does not enable this behavior
 		   by default. Short version: You'll need this option to support conferencing
 		   on the pingtel */
-		strncpy(tmp, req->header[0], sizeof(tmp) - 1);
-		cmd = tmp;
-		c = strchr(tmp, ' ');
-		if (c)
-			*c = '\0';
 		if (!strcasecmp(cmd, "SIP/2.0"))
 			strncpy(tmp, get_header(req, "To"), sizeof(tmp) - 1);
 		else
@@ -2414,9 +2410,19 @@
 		p = p->next;
 	}
 	ast_mutex_unlock(&iflock);
-	p = sip_alloc(callid, sin, 1);
-	if (p)
-		ast_mutex_lock(&p->lock);
+
+	if (strcasecmp(cmd, "REGISTER")
+	    && strcasecmp(cmd, "OPTIONS")
+	    && strcasecmp(cmd, "INVITE")
+	    && strcasecmp(cmd, "SUBSCRIBE")
+	    && strcasecmp(cmd, "MESSAGE")) {
+		if (strcasecmp(cmd, "RESPONSE"))
+			transmit_response_using_temp(callid, sin, 1, req, "481 Call leg/transaction does not exist");
+	} else {
+		p = sip_alloc(callid, sin, 1);
+		if (p)
+			ast_mutex_lock(&p->lock);
+	}
 	return p;
 }
 
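Review bot: The inner test `strcasecmp(cmd, "RESPONSE")` will not recognise a real SIP response, because `cmd` is the first word of the start line and a response starts with "SIP/2.0", which is the string the pedantic branch earlier in this function already compares against. As written, a response with no matching call falls into the first branch and is answered with a 481, so a response gets a response. Compare against "SIP/2.0" here (or reuse whatever the earlier check uses) so that unmatched responses are dropped silently.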
@@ -3218,6 +3224,45 @@
 	return send_response(p, &resp, reliable, seqno);
 }
 
+/*--- transmit_response_using_temp: Transmit response, no retransmits, using temporary pvt */
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *sin, int useglobal_nat, struct sip_request *req, char *msg)
+{
+	struct sip_pvt *p = alloca(sizeof(*p));
+	char iabuf[INET_ADDRSTRLEN];
+
+	memset(p, 0, sizeof(*p));
+
+	if (sin) {
+		memcpy(&p->sa, sin, sizeof(p->sa));
+		if (ast_sip_ouraddrfor(&p->sa.sin_addr, &p->ourip))
+			memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+	} else
+		memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+	p->branch = rand();
+	p->tag = rand();
+	p->ocseq = 101;
+
+	if (useglobal_nat && sin) {
+		/* Setup NAT structure according to global settings if we have an address */
+		p->nat = global_nat;
+		memcpy(&p->recv, sin, sizeof(p->recv));
+	}
+
+	strncpy(p->fromdomain, default_fromdomain, sizeof(p->fromdomain) - 1);
+	/* z9hG4bK is a magic cookie.  See RFC 3261 section 8.1.1.7 */
+	if (p->nat != SIP_NAT_NEVER)
+		snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP %s:%d;branch=z9hG4bK%08x;rport", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch);
+	else
+		snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP %s:%d;branch=z9hG4bK%08x", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch);
+	strncpy(p->callid, callid, sizeof(p->callid) - 1);
+
+	build_contact(p);
+
+	__transmit_response(p, msg, req, 0);
+
+	return 0;
+}
+
 /*--- transmit_response: Transmit response, no retransmits */
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_request *req) 
 {
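Review bot: In transmit_response_using_temp() the `sip_pvt` comes from `alloca()` and is only zeroed with `memset`, so `p->lock` is never initialised and the structure is gone as soon as the function returns. Please check that build_contact() and __transmit_response() with the last argument 0 neither take `p->lock` nor store `p` anywhere that outlives this call. The function also returns 0 unconditionally; returning the result of `__transmit_response(p, msg, req, 0)` would let the caller see a send failure.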
-- END --

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
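
The gating rule described in the message above, as an added example that is not part of the original patch or of Asterisk: only a short list of methods may allocate per-call state for an unknown Call-ID, other requests get a stateless 481, and responses get nothing. The names `classify_unmatched`, `first_token` and the action enum are hypothetical, the sample start lines are constructed, and the ACK case is an addition based on RFC 3261 that the patch on this page does not include.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* What to do with a SIP message whose Call-ID matches no existing call. */
enum nomatch_action {
    ACT_ALLOC_DIALOG,  /* method may open a new call: allocate state */
    ACT_REPLY_481,     /* answer statelessly and keep nothing */
    ACT_DROP           /* responses, ACK, malformed input: never answer */
};

/* Methods allowed to create state, as listed in the backport message. */
static const char *const creating_methods[] = {
    "REGISTER", "OPTIONS", "INVITE", "SUBSCRIBE", "MESSAGE"
};

/* Copy the first token of the start line into out.
 * Returns its length, or -1 if the line is empty, the token is not
 * followed by a space, or it does not fit in out. */
static int first_token(const char *line, char *out, size_t outlen)
{
    size_t n;

    if (!line || !out || outlen == 0)
        return -1;
    n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= outlen || line[n] != ' ')
        return -1;
    memcpy(out, line, n);
    out[n] = '\0';
    return (int)n;
}

enum nomatch_action classify_unmatched(const char *start_line)
{
    char tok[32];
    size_t i;

    if (first_token(start_line, tok, sizeof(tok)) < 0)
        return ACT_DROP;
    /* A response starts with the protocol version, not a method name. */
    if (!strncasecmp(tok, "SIP/", 4))
        return ACT_DROP;
    /* Addition, not in the patch: RFC 3261 never answers an ACK. */
    if (!strcasecmp(tok, "ACK"))
        return ACT_DROP;
    for (i = 0; i < sizeof(creating_methods) / sizeof(creating_methods[0]); i++)
        if (!strcasecmp(tok, creating_methods[i]))
            return ACT_ALLOC_DIALOG;
    return ACT_REPLY_481;
}

int main(void)
{
    /* Constructed start lines, all assumed to carry an unknown Call-ID. */
    static const char *const samples[] = {
        "INVITE sip:100@example.invalid SIP/2.0",
        "BYE sip:100@example.invalid SIP/2.0",
        "SIP/2.0 200 OK",
    };
    static const char *const names[] = { "alloc", "481", "drop" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-45s -> %s\n", samples[i], names[classify_unmatched(samples[i])]);
    return 0;
}
```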

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:11:51 GMT) (full text, mbox, link).

