Summary: ASTERISK-20967: Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2013-01-21 14:31:44.000-0600
Date Closed: 2013-03-27 14:23:36
Priority: Major
Regression?: Yes
Status: Closed/Complete
Components: Core/HTTP
Versions: 1.8.19.1, 1.8.20.0, 10.11.1, 10.11.1-digiumphones, 10.12.0, 10.12.0-digiumphones, 11.1.2, 11.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
  (0) AST-2013-002-1.8.diff
  (1) AST-2013-002-10.diff
  (2) AST-2013-002-11.diff
  (3) issueA20967_file_leak_and_unused_wkspace.patch
Description:
{quote}
When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk. It is based on the user-controlled malloc(), which replaced the alloca() in http.c. An attacker can use the Content-Length: header to control the amount of heap allocated and exhaust the memory available to Asterisk. I have attached our disclosure and a PoC for your convenience. The PoC uses a number of concurrent connections but with a bit more effort could probably use a probing scheme and then get away with one or very few connections. Also, note that filling up the memory is not necessary to effect a temporary DoS, i.e. an attack would be possible over a low-bandwidth connection. The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.

Christoph Hebeisen
{quote}
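The allocation pattern the report describes, as an added C example that is not Asterisk's http.c and not the content of the attached AST-2013-002 diffs: a request reader that sizes its body buffer from the client's Content-Length before any body byte arrives, next to the bounded variant that rejects oversized bodies before calling malloc(). The cap EXAMPLE_MAX_CONTENT_LENGTH, the request bytes, and the function and struct names are assumptions made for this illustration; the real limit and error handling are whatever the attached patches implement.

```c
/* Added example (not Asterisk's http.c, not the AST-2013-002 diffs): trusting
 * Content-Length as an allocation size, and the bounded variant that refuses
 * oversized bodies before malloc(). All names and the cap are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_MAX_CONTENT_LENGTH 1024L   /* assumed cap, not Asterisk's value */

struct body_result {
    int status;        /* 0 on success, otherwise the HTTP status to send back */
    long declared;     /* Content-Length as the client declared it (0 if absent) */
    size_t allocated;  /* bytes passed to malloc() for the body, 0 if refused */
    size_t received;   /* body bytes actually present in the request */
    char *body;        /* NUL-terminated body copy; caller frees on status 0 */
};

/* HTTP header names are case-insensitive; match "name" as a prefix of "line". */
static int header_is(const char *line, const char *name)
{
    for (; *name; line++, name++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name)) return 0;
    return 1;
}

/* Parse one "Content-Length: N" line. 0 on success, 400 if the value is
 * missing, negative, non-numeric, or too large for a long. */
int parse_content_length(const char *line, long *out)
{
    static const char name[] = "Content-Length:";
    const char *p; char *end; long v;

    if (!header_is(line, name)) return 400;
    p = line + sizeof(name) - 1;
    while (*p == ' ' || *p == '\t') p++;
    if (!isdigit((unsigned char)*p)) return 400;   /* "-5", "abc", empty value */
    errno = 0;
    v = strtol(p, &end, 10);
    if (errno == ERANGE || v < 0) return 400;       /* would wrap as a size_t */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return 400;
    *out = v;
    return 0;
}

/* Read the body of an in-memory request. enforce_cap == 0 is the vulnerable
 * shape: the buffer is sized from the client's number and allocated before any
 * body byte is read, so a client that declares a huge length and then stalls
 * pins that memory for the life of the request. enforce_cap != 0 checks first. */
int read_body(const char *raw, int enforce_cap, struct body_result *r)
{
    const char *hdr_end = strstr(raw, "\r\n\r\n"), *line, *body;
    size_t have;

    memset(r, 0, sizeof(*r));
    if (!hdr_end) return r->status = 400;
    body = hdr_end + 4;
    for (line = raw; line < hdr_end; ) {
        const char *eol = strstr(line, "\r\n");     /* always found: hdr_end exists */
        size_t len = (size_t)(eol - line);
        char *copy = malloc(len + 1);
        if (!copy) return r->status = 500;
        memcpy(copy, line, len);
        copy[len] = '\0';
        if (header_is(copy, "Content-Length:")) {
            int rc = parse_content_length(copy, &r->declared);
            if (rc) { free(copy); return r->status = rc; }
        }
        free(copy);
        line = eol + 2;
    }
    if (enforce_cap && r->declared > EXAMPLE_MAX_CONTENT_LENGTH)
        return r->status = 413;                     /* refuse before malloc() */
    r->allocated = (size_t)r->declared + 1;
    r->body = malloc(r->allocated);                 /* attacker-sized when unbounded */
    if (!r->body) return r->status = 500;
    have = strlen(body);
    r->received = have < (size_t)r->declared ? have : (size_t)r->declared;
    memcpy(r->body, body, r->received);
    r->body[r->received] = '\0';
    return r->status = 0;
}

int main(void)
{
    /* Constructed attacker request: a 4-byte body behind a Content-Length that
     * asks for 64 MiB; the report's PoC multiplies this over many connections. */
    const char *attack = "POST /manager HTTP/1.1\r\nHost: pbx.example\r\n"
                         "Content-Length: 67108864\r\n\r\nabcd";
    struct body_result r;

    read_body(attack, 0, &r);
    printf("unbounded: status=%d allocated=%zu received=%zu\n", r.status, r.allocated, r.received);
    free(r.body);
    read_body(attack, 1, &r);
    printf("bounded:   status=%d allocated=%zu received=%zu\n", r.status, r.allocated, r.received);
    free(r.body);                                   /* NULL after a refusal */
    return 0;
}
```

The point of the unbounded run is the gap between allocated and received: the server has committed the attacker's number of bytes while only four arrived, which is why the report notes that a low-bandwidth connection suffices. A per-request cap closes that primitive but still leaves cap-times-connections of heap reachable, so in practice it is paired with a limit on concurrent HTTP sessions; whether and how the attached patches do that is not something this page states.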
Comments:

By: Walter Doekes (wdoekes) 2013-03-10 09:45:12.547-0500
If we're in the vicinity, might as well tackle these issues in issueA20967_file_leak_and_unused_wkspace.patch.

By: Matt Jordan (mjordan) 2013-03-25 15:08:33.159-0500
I'm okay committing that immediately after the patches go in for the security vulnerability, but if it's okay I'll probably keep it separate from the actual vulnerability fix.