Vigil@nce : Asterisk, denial of service via sscanf
August 2009 by Vigil@nce
An attacker can send a message containing a long integer in order
to stop Asterisk.
Severity : 2/4
Consequences : denial of service
Provenance : intranet client
Means of attack : no proof of concept, no attack
Ability of attacker : expert (4/4)
Confidence : confirmed by the editor (5/5)
Diffusion of the vulnerable configuration : high (3/3)
Creation date : 11/08/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The sscanf() function parses a text string according to a format of
conversion specifications. For example :
sscanf("1234", "%d", &number);
A field width caps how many characters sscanf() reads for one
conversion (characters beyond it are left unparsed, so the caller
must still check for them) :
sscanf("1234", "%10d", &number);
However, Asterisk calls sscanf() without a field width. An attacker
can therefore send a very long integer ("000...0001234") : the C
library's sscanf() holds the digits it is collecting in a buffer
allocated on the stack, so when the digit run is longer than the free
space in the Asterisk thread's stack, the stack is exhausted and the
process dies.
Unbounded sscanf() calls of this kind occur in several places in the
Asterisk source code : parsing of SIP INVITE requests, of the
Content-Length header, of SDP bodies, etc.
An attacker can therefore send a message containing a long integer
in order to stop Asterisk.
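As an added illustration (not Asterisk code, and not code from the advisory), the C below places the unbounded sscanf() pattern next to a hardened parser for a Content-Length value. The parser names, the 9-digit bound and the constructed attack string are assumptions made for this example; the point is that the digit run is measured and rejected before sscanf() ever sees it, and that the field width then matches that bound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical Content-Length parsers, added as an illustration of the
 * advisory's point. They are not Asterisk code and do not reproduce its
 * SIP parser; the attack value below is constructed for the example. */

/* Vulnerable form: "%ld" with no field width. The C library collects the
 * whole digit run before converting it, so the caller has no bound on how
 * much work, or stack, a single header value can cost. */
static int parse_content_length_unbounded(const char *value, long *out)
{
    return sscanf(value, "%ld", out) == 1;
}

/* Largest digit count the hardened parser accepts. 9 digits always fit in a
 * 32-bit int, so the value cannot overflow either. (Assumption for this
 * example, not a limit taken from Asterisk.) */
#define CL_MAX_DIGITS 9

/* Hardened form: measure the digit run first and reject over-long or
 * malformed values before sscanf() is called, then convert with a field
 * width equal to the bound. */
static int parse_content_length_bounded(const char *value, long *out)
{
    const char *p = value;
    size_t ndigits;
    long n;

    /* SIP allows linear whitespace after the colon; skip it as %ld would. */
    while (*p == ' ' || *p == '\t')
        p++;

    /* Length of the run of ASCII digits at the start of the value. */
    ndigits = strspn(p, "0123456789");
    if (ndigits == 0 || ndigits > CL_MAX_DIGITS)
        return 0;                   /* empty or over-long: reject, do not parse */

    /* Anything other than end of line or whitespace after the digits is
     * not a valid length. */
    switch (p[ndigits]) {
    case '\0': case '\r': case '\n': case ' ': case '\t':
        break;
    default:
        return 0;
    }

    /* The field width equals the bound, so sscanf() reads at most 9
     * characters whatever the input; the strspn() check above guarantees
     * that those characters are the whole number, not a truncated prefix. */
    if (sscanf(p, "%9ld", &n) != 1)
        return 0;
    *out = n;
    return 1;
}

/* Build a constructed attack value: `zeros` leading zeros followed by
 * "1234", the shape the advisory describes. The caller frees the result. */
static char *make_long_integer(size_t zeros)
{
    char *s = malloc(zeros + sizeof "1234");
    if (s == NULL)
        return NULL;
    memset(s, '0', zeros);
    memcpy(s + zeros, "1234", sizeof "1234");
    return s;
}

int main(void)
{
    long n = -1;
    char *attack = make_long_integer(100000);

    if (attack == NULL)
        return 1;
    printf("benign \"348\"          -> %s (%ld)\n",
           parse_content_length_bounded("348", &n) ? "accepted" : "rejected", n);
    printf("attack, 100004 digits -> %s\n",
           parse_content_length_bounded(attack, &n) ? "accepted" : "rejected");
    /* The unbounded parser is deliberately not run on the attack value: on a
     * C library whose sscanf() buffers the digit run on the stack, that is
     * exactly the crash the advisory describes. */
    free(attack);
    return 0;
}
```

Note that a field width on its own ("%10d") is not a complete fix: sscanf() simply stops after ten characters, so "000...0001234" would parse as 0 with the rest of the digits left unconsumed, a silently wrong length rather than a crash. Measuring the run with strspn() before the call both bounds what sscanf() sees and rejects the malformed value outright. Whether the unbounded call actually crashes depends on the C library's sscanf() implementation; the check above does not rely on that detail.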
CHARACTERISTICS
Identifiers : AST-2009-005, BID-36015, CVE-2009-2726, MU-200908-01,
VIGILANCE-VUL-8932
http://vigilance.fr/vulnerability/Asterisk-denial-of-service-via-sscanf-8932