ASTERISK-20967

Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976

    Details

    • Regression:
      Yes

      Description

      When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk. It is based on the user-controlled malloc(), which replaced the alloca() in http.c. An attacker can use the Content-length: header to control the amount of heap allocated and exhaust the memory available to Asterisk.

      I have attached our disclosure and a PoC for your convenience. The PoC uses a number of concurrent connections but with a bit more effort could probably use a probing scheme and then get away with one or very few connections. Also, note that filling up the memory is not necessary to effect a temporary DoS, i.e. an attack would be possible over a low-bandwidth connection. The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.

      Christoph Hebeisen
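The pattern the report describes, as an added example that is not Asterisk's http.c, the attached patches, or the PoC: a client-supplied Content-Length sizing a heap allocation, beside a bounded variant that rejects oversized bodies before any memory is reserved. MAX_CONTENT_LENGTH is an assumed local limit, not an Asterisk option.

```c
/* Added example; not Asterisk's http.c. It isolates the pattern in the report:
 * a client-supplied Content-Length sizing a heap allocation, beside a bounded
 * variant that rejects oversized bodies before any memory is reserved.
 * MAX_CONTENT_LENGTH is an assumed local limit, not an Asterisk option. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_CONTENT_LENGTH (1024 * 1024)   /* assumed cap: 1 MiB per request body */

enum cl_status { CL_OK, CL_MALFORMED, CL_TOO_LARGE };

/* Strictly parse a Content-Length value (digits only, no sign, no trailing
 * junk) and compare it against the cap. Allocates nothing. */
enum cl_status classify_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;

    if (value == NULL || *value < '0' || *value > '9')
        return CL_MALFORMED;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > SIZE_MAX - 1)
        return CL_MALFORMED;
    if (out)
        *out = (size_t)n;
    return n > MAX_CONTENT_LENGTH ? CL_TOO_LARGE : CL_OK;
}

/* Vulnerable pattern: the allocation size comes straight from the client, so
 * a large header value reserves a correspondingly large heap block. */
char *alloc_body_unbounded(const char *value)
{
    size_t len;
    if (classify_content_length(value, &len) == CL_MALFORMED)
        return NULL;
    return malloc(len + 1);
}

/* Hardened pattern: the cap is checked first, so malloc() only ever sees a
 * length the server has agreed to accept. Caller frees the result. */
char *alloc_body_bounded(const char *value)
{
    size_t len;
    if (classify_content_length(value, &len) != CL_OK)
        return NULL;                  /* answer 400 or 413 and close instead */
    return malloc(len + 1);
}
```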

      1. AST-2013-002-1.8.diff
        0.7 kB
        Matt Jordan
      2. AST-2013-002-10.diff
        0.7 kB
        Matt Jordan
      3. AST-2013-002-11.diff
        1 kB
        Matt Jordan
      4. issueA20967_file_leak_and_unused_wkspace.patch
        1 kB
        Walter Doekes

          Activity

          Walter Doekes added a comment -

          If we're in the vicinity, might as well tackle these issues in issueA20967_file_leak_and_unused_wkspace.patch

          Matt Jordan added a comment -

          I'm okay committing that immediately after the patches go in for the security vulnerability, but if it's okay I'll probably keep it separate from the actual vulnerability fix.
