Summary: ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute
Reporter: Sandro Gauci (sandrogauci)
Labels: patch pjsip security
Date Opened: 2018-01-15 00:45:19.000-0600
Date Closed: 2018-02-21 12:13:22.000-0600
Priority: Blocker
Regression?
Status: Closed/Complete
Components: Channels/chan_pjsip
Versions: 15.1.5
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
(0) advisory.md
(1) AST-2018-003.pdf
(2) ASTERISK-27583.diff
(3) extensions.conf
(4) pjsip.conf
Description: A specially crafted SDP message body with an invalid fmtp attribute causes a
segmentation fault in asterisk using chan_pjsip.

Please see the attached report for full details.

Comments:

By: Asterisk Team (asteriskteam) 2018-01-15 00:45:20.325-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-01-15 00:45:20.464-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Kevin Harwell (kharwell) 2018-01-15 13:11:28.568-0600

Thanks for the report! I've done some testing and am not seeing similar results when using the latest version of Asterisk with bundled pjproject.

Both the Asterisk and pjproject versions in use are old. Please upgrade to the latest versions of Asterisk (13.19.0 and 15.2.0), and pjproject (2.7.1) and re-test.

Also please use the "--with-pjproject-bundled" option when configuring Asterisk. -Upgrading to those versions of Asterisk- Upgrading to Asterisk 15.2.0 will enable that configure option, "--with-pjproject-bundled", by default. For Asterisk 15.1.5 and below you'll have to specify it. Enabling that option will automatically download and configure pjproject 2.7.1 to be used with Asterisk.

See more on using the bundled option [here|https://wiki.asterisk.org/wiki/display/AST/PJSIP-pjproject]

By: Sandro Gauci (sandrogauci) 2018-01-15 15:07:30.023-0600

We tested on 15.2.0 with the `--with-pjproject-bundled` option and were still able to reproduce the issue. Please find attached our configuration `pjsip.conf` which defines the extensions and credentials and the `extensions.conf`. To reproduce the issue we made use of the python script in the advisory.

Do you need further details?

By: Kevin Harwell (kharwell) 2018-01-15 15:26:16.550-0600

I made a slight mistake in my earlier comment. Asterisk 13 does not default to use --with-pjproject-bundled. You have to specify that option in Asterisk 15.1.5 or below when configuring.

Thanks for the configuration files. I'll see if I can duplicate with those.

By: Kevin Harwell (kharwell) 2018-01-16 11:53:14.423-0600

The conf files did the trick. I was able to replicate this crash. I confirmed too that the user must be authenticated (or authentication is not enabled at all on the endpoint) in order for the crash to occur.

By: Sandro Gauci (sandrogauci) 2018-01-17 00:06:05.893-0600

Correct. With the attached config, the user needs to authenticate, but of course this is not required if the context of the extension being called does not require authentication. We also confirmed that the crashes can be reproduced when authentication is not required.



By: Kevin Harwell (kharwell) 2018-01-31 14:20:41.000-0600

Attaching draft of the Asterisk advisory that will be published.

By: Kevin Harwell (kharwell) 2018-02-05 15:59:28.679-0600

[~sandrogauci],

We've received a patch from pjproject for this issue, [^ASTERISK-27582.diff]. If you'd like to test it out then execute the following from the top level of the Asterisk source tree:
{noformat}
$ git apply ASTERISK-27583.diff
{noformat}
It should then place the pjproject patch in the "./third_party/pjproject/patches" directory. From there you'll need to rebuild pjproject then Asterisk:
{noformat}
$ make -C third-party/pjproject distclean
$ make
{noformat}

By: Sandro Gauci (sandrogauci) 2018-02-06 07:55:06.628-0600

Thanks! Will test and let you know.

By: Sandro Gauci (sandrogauci) 2018-02-10 00:06:10.985-0600

Tested the patch and it looks like the issue has been fixed. Thanks!

By: Kevin Harwell (kharwell) 2018-02-19 11:11:46.696-0600

Re-attaching an updated patch. pjproject sent a new patch where they had identified patterns which are similar to the reported issue.

By: Friendly Automation (friendly-automation) 2018-02-21 12:13:22.670-0600

Change 8354 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8354|https://gerrit.asterisk.org/8354]

By: Friendly Automation (friendly-automation) 2018-02-21 12:13:32.015-0600

Change 8355 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8355|https://gerrit.asterisk.org/8355]

By: Friendly Automation (friendly-automation) 2018-02-21 12:13:40.394-0600

Change 8356 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8356|https://gerrit.asterisk.org/8356]

By: Friendly Automation (friendly-automation) 2018-02-21 12:13:48.639-0600

Change 8357 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8357|https://gerrit.asterisk.org/8357]

By: Friendly Automation (friendly-automation) 2018-02-21 12:13:57.428-0600

Change 8358 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8358|https://gerrit.asterisk.org/8358]

By: Friendly Automation (friendly-automation) 2018-02-21 12:14:05.359-0600

Change 8359 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8359|https://gerrit.asterisk.org/8359]

By: Friendly Automation (friendly-automation) 2018-02-21 12:14:14.607-0600

Change 8360 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8360|https://gerrit.asterisk.org/8360]

By: Friendly Automation (friendly-automation) 2018-02-21 14:13:06.404-0600

Change 8346 merged by Kevin Harwell:
AST-2018-003: Crash with an invalid SDP fmtp attribute

[https://gerrit.asterisk.org/8346|https://gerrit.asterisk.org/8346]