Details
- Type: Bug
- Status: Closed
- Severity: Major
- Resolution: Fixed
- Affects Version/s: 1.8.19.1, 1.8.20.0, 10.11.1, 10.11.1-digiumphones, 10.12.0, 10.12.0-digiumphones, 11.1.2, 11.2.0
- Component/s: Core/HTTP
- Labels: None
- Regression: Yes
Description
When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk. It is based on the user-controlled malloc(), which replaced the alloca() in http.c. An attacker can use the Content-length: header to control the amount of heap allocated and exhaust the memory available to Asterisk.
I have attached our disclosure and a PoC for your convenience. The PoC uses a number of concurrent connections, but with a bit more effort could probably use a probing scheme and then get away with one or very few connections. Also, note that filling up the memory is not necessary to effect a temporary DoS, i.e. an attack would be possible over a low-bandwidth connection. The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.
Christoph Hebeisen
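The allocation pattern the report describes, shown here as an added C example that is not Asterisk's http.c: the vulnerable shape (the Content-Length value flows straight into malloc()) beside a hardened reader that parses the header strictly and rejects anything above a server-side cap before any heap is allocated. The cap value (MAX_CONTENT_LENGTH), the function names and the in-memory connection stand-in are constructed for this example and are not the project's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest request body this example server will buffer in memory.
 * Constructed limit for the example; the value Asterisk chose is not on the page. */
#define MAX_CONTENT_LENGTH ((size_t)64 * 1024)

/* Vulnerable shape described in the report (illustrative, not Asterisk's code):
 * the header value decides the malloc() size, so each client connection can
 * claim as much heap as it likes. Kept here only to contrast with the fix. */
static char *alloc_body_unbounded(const char *content_length)
{
    long len = atol(content_length);
    if (len < 0) {
        return NULL;
    }
    return malloc((size_t)len);   /* attacker-sized allocation */
}

/* Parse a Content-Length value strictly: optional leading blanks, decimal
 * digits only, no sign, no overflow, only CR/LF/blanks after the number.
 * Returns 0 and stores the value, or -1 for a malformed header. */
static int parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    unsigned long long v;

    if (value == NULL) {
        return -1;
    }
    while (*value == ' ' || *value == '\t') {
        value++;
    }
    /* strtoull() would silently accept "-1"; refuse any sign explicitly */
    if (*value == '\0' || *value == '-' || *value == '+') {
        return -1;
    }
    errno = 0;
    v = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value) {
        return -1;
    }
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') {
        end++;
    }
    if (*end != '\0' || v > SIZE_MAX) {
        return -1;
    }
    *out = (size_t)v;
    return 0;
}

/* Accept a declared body length only if it is within the server's cap.
 * Nothing has been allocated at this point, so an oversized header costs
 * the server no memory at all. Returns 0 (length stored) or -1. */
static int accept_content_length(const char *value, size_t *out)
{
    size_t len;
    if (parse_content_length(value, &len) != 0) {
        return -1;
    }
    if (len > MAX_CONTENT_LENGTH) {
        return -1;   /* reject before malloc() */
    }
    *out = len;
    return 0;
}

/* Read a body from an in-memory "connection" (constructed stand-in for a
 * socket; conn_avail is how many bytes the client actually sent). The buffer
 * is never larger than MAX_CONTENT_LENGTH + 1, and a short read frees it
 * instead of leaving a half-filled allocation around. Returns the
 * NUL-terminated body or NULL. */
static char *read_body_bounded(const char *content_length, const char *conn,
                               size_t conn_avail, size_t *body_len)
{
    size_t len;
    char *buf;

    if (accept_content_length(content_length, &len) != 0) {
        return NULL;
    }
    buf = malloc(len + 1);
    if (buf == NULL) {
        return NULL;
    }
    if (conn_avail < len) {
        free(buf);   /* client declared more than it delivered */
        return NULL;
    }
    memcpy(buf, conn, len);
    buf[len] = '\0';
    *body_len = len;
    return buf;
}

int main(void)
{
    const char body[] = "action=login&user=demo";   /* constructed request body */
    size_t n = 0;
    char *b = read_body_bounded("22", body, sizeof body - 1, &n);
    printf("accepted %zu bytes: %s\n", n, b ? b : "(rejected)");
    free(b);
    if (accept_content_length("4294967295", &n) != 0) {
        printf("oversized Content-Length rejected before any allocation\n");
    }
    return 0;
}
```

The two checks that matter for the memory-exhaustion case are the cap in accept_content_length() and the fact that it runs before malloc(); the strict parser additionally closes the negative-value and overflow cases that a plain atol() would let through. On a real socket the read loop would replace the memcpy(), with the same rule that a short or aborted read releases the buffer.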
Issue Links
- must be completed before resolving:
  - ASTERISK-21004: Open Blockers for 1.8.21.0 (Closed)
  - ASTERISK-21005: Open Blockers for 11.3.0 (Closed)
If we're in the vicinity, might as well tackle these issues in issueA20967_file_leak_and_unused_wkspace.patch