Severity : 2/4

Consequences : denial of service of service

Provenance : intranet client

Means of attack : no proof of concept, no attack

Ability of attacker : expert (4/4)

Confidence : confirmed by the editor (5/5)

Diffusion of the vulnerable configuration : high (3/3)

Creation date : 11/08/2009

IMPACTED PRODUCTS

– Unix - plateform

DESCRIPTION OF THE VULNERABILITY

The sscanf() function analyzes a text string, searching for
indicated patterns. For example :
sscanf("1234", "%d", &number) ;
To limit the size of the number :
sscanf("1234", "%10d", &number) ;

However, Asterisk uses sscanf() without limiting the size of
fields. An attacker can therefore use a very long integer
("000...0001234"). When its size is longer than the size of the
Asterisk thread stack, a fatal error occurs.

This error is located in several places of the Asterisk source
code : analysis of SIP Invite, Content-Length, SDP, etc.

An attacker can therefore send a message containing a long integer
in order to stop Asterisk.

CHARACTERISTICS

Identifiers : AST-2009-005, BID-36015, CVE-2009-2726, MU-200908-01,
VIGILANCE-VUL-8932

http://vigilance.fr/vulnerability/Asterisk-denial-of-service-via-sscanf-8932