Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 151881 - net-misc/asterisk - chan_skinny Remote Unauthenticated Heap Overflow (CVE-2006-5444)
Summary: net-misc/asterisk - chan_skinny Remote Unauthenticated Heap Overflow (CVE-200...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa] Falco
: 152010 (view as bug list)
Depends on:
Reported: 2006-10-18 15:41 UTC by Aarni Honka
Modified: 2006-11-05 17:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Aarni Honka 2006-10-18 15:41:25 UTC
= Asterisk - chan_skinny Remote Unauthenticated Heap Overflow
= Vendor Website:
= Affected Version:
=  All 1.2-branch releases prior to and including
=  All 1.0-branch releases prior to and including 1.0.12
= Not Affected:
=  All 1.4-branch beta releases (1.4.0-beta1, 1.4.0-beta2)
= Public disclosure on Oct 19, 2006

== Overview ==

Asterisk is "The Opensource PBX", a popular software telephony server.

The Asterisk Skinny channel driver for Cisco SCCP phones
incorrectly validates a length value in the packet header. An integer
wrap-around leads to heap overwrite, and arbitrary remote code execution
as root.

== Details ==

The function 'static int get_input(struct skinnysession *s)' in
chan_skinny.c incorrectly validates a user supplied length in the packet
header. In the code below, four bytes of data are read from the socket,
cast to a signed integer, and assigned to dlen. If dlen is between -1
and -8 then (dlen + 8) will integer wrap to be greater than zero, but
less than sizeof(s->inbuf) for the purposes of this comparison.

Next, dlen + 4 is passed to read() as the maximum number of bytes to
write to s->inbuf+4. Read() takes an unsigned value, so dlen is
interpreted as a very large number. For example, a value of -6 is
interpreted as 0xfffffffa bytes. This instructs read() to write beyond
the allocated 1000 byte length of the buffer s->inbuf.

Code asterisk- lines 2860-2870
res = read(s->fd, s->inbuf, 4);     // <- integer read from attacker
if (res != 4) {
  ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n");
  return -1;
dlen = letohl(*(int *)s->inbuf);        // <- input 0xfffffffa
                                        //  interpreted as signed
if (dlen+8 > sizeof(s->inbuf))          // <- integer wrap to +2

  dlen = sizeof(s->inbuf) - 8;          //  bypasses this check
*(int *)s->inbuf = htolel(dlen);        // casting just for amusement
res = read(s->fd, s->inbuf+4, dlen+4);  /* <- dlen now unsigned again
                                          *  permitting read() to write
                                          * up to 0xfffffffa bytes off
                                          * the end of s->inbuf

== Exploitation ==

An attacker who can connect to the Asterisk server SCCP "Skinny" port
(by default 2000/tcp) can attack the vulnerable function prior to
registering as a configured Skinny phone, permitting pre-authentication
remote compromise.

Once the initial length header value in the packet performs an
integer-wraparound an attacker can overflow off the end of the
malloc()ed input buffer, and into heap space above it. Exploitation is
possible via standard heap-overflow malloc-unlink-macro technique[1] on
glibc versions prior to 2.3.5. On systems with newer glibc, a more
sophisticated exploitation method is necessary due to the improved
validation of malloc's internal heap management linked lists. Brett
Moore's work[2] on bypassing similar restrictions in WinXPSP2 is

Our proof-of-concept exploit uses vanilla malloc-unlink() to overwrite a
GOT entry to point execution back into our buffer, and executes
Metasploit port-binding shellcode.

== Solutions ==

 - Disable the chan_skinny module if it is not required.
 - Firewall port 2000/tcp from untrusted networks.
 - Install the vendor supplied upgrades:
	1.0-branch: Upgrade to 1.0.12 or later
	1.2-branch: Upgrade to 1.2.13 or later

== Credit ==

Discovered and advised to Digium 17th October, 2006 by Adam Boileau of commends Digium on their extremely rapid
response, releasing an updated version within two days of receiving our
vulnerability report.

== References ==

[1] "Advanced Doug Lea's Malloc Exploits" by jp
[2] "Exploiting Freelist[0] On Windows XP Service Pack 2" by Brett Moore
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-18 23:47:40 UTC
Hi, there is a vulnerability against Asterisk again :((

I'd like to know if the chan_skinny module is enabled by default ?

        1.0-branch: Upgrade to 1.0.12 or later
        1.2-branch: Upgrade to 1.2.13 or later

Comment 2 Stefan Schweizer (RETIRED) gentoo-dev 2006-10-19 13:08:08 UTC
chan_skinny is enabled by default. 1.2.13 is bumped
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 14:04:27 UTC
rajiv, pls bump 1.0.* too, if that is still in use

arches, pls test asterisk-1.2.13 and mark stable if possible
Comment 4 Markus Meier gentoo-dev 2006-10-19 14:51:57 UTC
1. emerges on x86, with the following notices:
QA Notice: USE Flag 'elibc_uclibc' not in IUSE for net-misc/asterisk-1.2.13

QA Notice: the following files contain runtime text relocations
 Text relocations force the dynamic linker to perform extra
 work at startup, waste system resources, and may pose a security
 risk.  On some architectures, the code may not even function
 properly, if at all.
 For more information, see
 Please include this file in your report:
TEXTREL usr/lib/asterisk/modules/

QA Notice: the following files contain executable stacks
 Files with executable stacks will not work properly (or at all!)
 on some architectures/operating systems.  A bug should be filed
 at to make sure the file is fixed.
 For more information, see
 Please include this file in your report:
RWX --- --- usr/lib/asterisk/modules/

2. passes collision test
3. daemon starts and stops fine

net-misc/asterisk-1.2.13  USE="alsa gtk h323 mmx ssl -bri -curl -debug -doc -genericjb -hardened -lowmem -mysql -nosamples -odbc -osp -postgres -pri -speex -sqlite -ukcid -zaptel"

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Thu, 19 Oct 2006 20:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 15:57:01 UTC
*** Bug 152010 has been marked as a duplicate of this bug. ***
Comment 6 Joshua Jackson (RETIRED) gentoo-dev 2006-10-19 21:58:34 UTC
x86 is stable for 1.2..I could only test as far as it starting as well.... =/
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-20 11:42:56 UTC
sparc stable.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-10-21 04:37:22 UTC
ready for glsa
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-21 06:03:22 UTC
voip team, please note that if you want to correct the vulnerability in the 1.0.x, it is fixed since 1.0.12
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-31 04:28:11 UTC
GLSA 200610-15
Comment 11 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-11-05 17:02:54 UTC
asterisk 1.0.12 in cvs. see bug #154136.

security: do you want to reopen this bug and issue an updated glsa? i do not think it is necessary as most users have already upgraded to 1.2.x.