FreeSWITCH 基于堆的缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1152655 漏洞类型 缓冲区溢出
发布时间 2015-09-29 更新时间 2015-09-29
CVE编号 CVE-2015-7392 CNNVD-ID CNNVD-201510-018
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://www.securityfocus.com/bid/76976
https://cxsecurity.com/issue/WLB-2015090190
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201510-018
|漏洞详情
FreeSWITCH是美国软件开发者AnthonyMinessale所研发的一套免费、开源的通信软件。该软件可用于创建音、视频以及短消息类产品和应用。FreeSWITCH1.4.21及之前版本和1.6.0版本的libs/esl/src/esl_json.c文件中的‘parse_string’函数中存在基于堆的缓冲区溢出漏洞,该漏洞源于cJSON_Parse结构体没有充分过滤‘json’字符串末尾的‘\u’字符。远程攻击者可利用该漏洞执行任意代码。
|漏洞EXP
?1. Advisory Information

Title: Heap overflow in freeswitch json parser < 1.6.2 & < 1.4.23
Submitter: Marcello Duarte (marcello@cybersightgroup.com)
Product: freeswitch
Product URL: http://freeswitch.org
Affected Versions: freeswitch < 1.6.2 & < 1.4.23
Fixed Versions: 1.6.2 , 1.4.23
Link to source code diff:
https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd
CVE Status: CVE-2015-7392

2. Vulnerability Information

Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No


3. Vulnerability Description

Product Information: FreeSWITCH is a scalable open source
cross-platform telephony platform designed to route and interconnect
popular communication protocols using audio, video, text or any other
form of media.  It was created in 2006 to fill the void left by
proprietary commercial solutions.  FreeSWITCH also provides a stable
telephony platform on which many applications can be developed using a
wide range of free tools.

Vulnerability:

A carefully crafted json string supplied to cJSON_Parse will trigger a
heap overflow with user controlled data.

The underlying vulnerability occurs in the parse_string function.

By passing a json string with \u at the end of the string will cause
the parser to increment past the null at the end of string.

This confuses the code responsible for copying the string. Since it
doesn't detect the NULL in this situation,  it will keep copying until
it hits a null in memory. This leads to a heap overflow with user
controlled data.

Any modules or core code which allows user supplied json to enter the
json parser will be vulnerable.


Vulnerable Source Code:

static const char *parse_string(cJSON *item, const char *str) {

...

/* HACKLOG The length of string is determined here, it will stop
counting when it hits a null */

  while (*ptr != '\"' && *ptr && ++len)
    if (*ptr++ == '\\')
      ptr++; /* Skip escaped quotes. */


/* HACKLOG The buffer is alloced with the length obtained from the
previous section */

 out = (char *)cJSON_malloc(
      len + 1); /* This is how long we need for the string, roughly. */
  if (!out)
    return 0;

/* HACKLOG the following code will copy the string into the alloced
buffer taking into account utf16 to utf8 conversion */

  ptr = str + 1;
  ptr2 = out;
/* 1 */
  while (*ptr != '\"' && *ptr) {
    if (*ptr != '\\')
      *ptr2++ = *ptr++;
    else {
      ptr++;
      switch (*ptr) {
      case 'b':
        *ptr2++ = '\b';
        break;
      case 'f':
        *ptr2++ = '\f';
        break;
      case 'n':
        *ptr2++ = '\n';
        break;
      case 'r':
        *ptr2++ = '\r';
        break;
      case 't':
        *ptr2++ = '\t';
        break;
      case 'u': /* transcode utf16 to utf8. */
        if (sscanf(ptr + 1, "%4x", &uc) < 1)
          break;

    ptr += 4; /* get the unicode char. */

        if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
          break; // check for invalid.

        if (uc >= 0xD800 && uc <= 0xDBFF) // UTF16 surrogate pairs.
        {
          if (ptr[1] != '\\' || ptr[2] != 'u')
            break; // missing second-half of surrogate.
          if (sscanf(ptr + 3, "%4x", &uc2) < 1)
            break;
          ptr += 6;
          if (uc2 < 0xDC00 || uc2 > 0xDFFF)
            break; // invalid second-half of surrogate.
          uc = 0x10000 | ((uc & 0x3FF) << 10) | (uc2 & 0x3FF);
        }

        len = 4;
        if (uc < 0x80)
          len = 1;
        else if (uc < 0x800)
          len = 2;
        else if (uc < 0x10000)
          len = 3;
        ptr2 += len;

        switch (len) {
        case 4:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 3:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 2:
          *--ptr2 = ((uc | 0x80) & 0xBF);
          uc >>= 6;
        case 1:
          *--ptr2 = (char)(uc | firstByteMark[len]);
        }
        ptr2 += len;
        break;
      default:
        *ptr2++ = *ptr;
        break;
      }

      /* HACKLOG INCREMENTS past null here, causing the while loop to
not detect the end of the buffer so it keeps copying past the end of
the alloced buffer */
      ptr++;
    }



4. Vendor Information, Solutions

Freeswitch has released versions 1.6.2 , 1.4.23 which fix the issue.


5. Credits

This vulnerability was discovered and researched by Marcello Duarte (
marcello@cybersightgroup.com ) from CYBERSIGHT GROUP Vulnerability
Research Labs.

6. Report Timeline
2015-09-02 - Vulnerability found
2015-09-13 - Freeswitch developers contacted
2015-09-14 - Freeswitch developers verified bug and patched in master
2015-09-25 - Freeswitch releases fixed packages.
2015-09-20 - CVE requested
2015-09-29 - CVE issued, Advisory released

7. About CYBERSIGHT GROUP

CYBERSIGHT GROUP is an organization of security professionals
specializing in several areas of offensive computer security research.
We specialize in vulnerability research, exploit development, reverse
engineering and cyber attack planning. http://cybersightgroup.com ,
contact@cybersightgroup.com


8. Disclaimer

The information provided in the advisory is provided as is without any
warranty. CYBERSIGHT GROUP and it's members are not liable in any case
of damage, direct or indirect.  Permission to redistribute the
advisory in it's unmodified form is granted.




-- 
Marcello Duarte
Chief Research Officer
CYBERSIGHT GROUP
|受影响的产品
FreeSWITCH FreeSWITCH 1.6 FreeSWITCH FreeSWITCH 1.4
|参考资料

来源:freeswitch.org
链接:https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf8925
来源:packetstormsecurity.com
链接:http://packetstormsecurity.com/files/133781/freeswitch-Heap-Overflow.html
来源:BUGTRAQ
链接:http://www.securityfocus.com/archive/1/archive/1/536569/100/0/threaded