Summary: | ASTERISK-19541: Security Vulnerability: remotely exploitable stack overrun in Milliwatt
Reporter: | Matt Jordan (mjordan)
Labels: |
Date Opened: | 2012-03-15 08:14:50
Date Closed: | 2012-03-15 13:43:19
Priority: | Blocker
Regression?: | No
Status: | Closed/Complete
Components: | Applications/app_milliwatt
Versions: | 1.4.43, 1.6.2.22, 1.8.10.0, 1.8.11.0, 10.2.0, 10.3.0
Frequency of Occurrence: |
Related Issues: |
Environment: |
Attachments: | (0) milliwatt_stack_overrun.rev1.txt
Description: |
Reported by Russell Bryant. The number of people affected by this has got to be near zero, but ...

Milliwatt() appears to be vulnerable to a remotely exploitable stack overrun. Remote code execution is not possible. The data that is written is the pre-defined Milliwatt data, not custom data. The root of the problem is fixed in the attached patch.

The milliwatt_generate() function does not account for AST_FRIENDLY_OFFSET when calculating the maximum number of samples it can put in the output buffer. This can be exploited under the following conditions:

1) A dialplan is using Milliwatt() with the 'o' option.
2) The internal_timing option in asterisk.conf is off.
3) A call sends a large audio packet.

If you take a look at ast_read_generator_actions() in main/channel.c, you'll see that under these circumstances, the generator is asked to generate a frame that matches the size of what came in. This can be used to trigger the milliwatt generator to max out, and overrun its stack buffer in the process, most likely causing a crash.
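The sizing mistake described in the report, modelled as an added C example that is not Asterisk's code and not the attached patch: a simplified generator writes a constructed 8-byte tone pattern into a buffer starting at a front offset, and the only difference between the two sizing rules is whether that offset is subtracted before computing the maximum sample count. The offset value (64), the buffer size, the tone bytes and every function name here are assumptions; a canary region placed directly after the nominal buffer shows which rule writes past its end when a caller asks for more samples than fit.

```c
/* Constructed model of the Milliwatt() buffer-sizing bug (ASTERISK-19541).
 * Not Asterisk's code: a simplified generator that shows why the maximum
 * sample count must subtract AST_FRIENDLY_OFFSET from the buffer size. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AST_FRIENDLY_OFFSET 64   /* assumed value; Asterisk defines the real one */
#define BUF_LEN 640              /* constructed: total output buffer size in bytes */
#define CANARY 0xA5              /* fill byte for the guard region after the buffer */

/* Constructed 8-sample pattern standing in for the predefined Milliwatt data
 * (one byte per sample, as for a u-law stream). */
static const uint8_t tone[8] = {0x1e, 0x0b, 0x0b, 0x1e, 0x9e, 0x8b, 0x8b, 0x9e};

/* Vulnerable sizing: treats the whole buffer as payload, ignoring the headroom
 * that AST_FRIENDLY_OFFSET reserves in front of the samples. */
size_t max_samples_vulnerable(size_t buf_len) {
    return buf_len;
}

/* Fixed sizing: only the bytes after the offset can hold samples. */
size_t max_samples_fixed(size_t buf_len) {
    return buf_len > AST_FRIENDLY_OFFSET ? buf_len - AST_FRIENDLY_OFFSET : 0;
}

/* Simplified generator. `requested` is the sample count the caller asks for
 * (under the report's conditions, the size of the frame that just arrived).
 * Samples are written starting at buf + AST_FRIENDLY_OFFSET and the count is
 * clamped with the supplied sizing rule. Returns the number of samples written. */
size_t generate(uint8_t *buf, size_t buf_len, size_t requested,
                size_t (*max_samples)(size_t)) {
    size_t limit = max_samples(buf_len);
    size_t n = requested < limit ? requested : limit;
    uint8_t *out = buf + AST_FRIENDLY_OFFSET;
    for (size_t i = 0; i < n; i++)
        out[i] = tone[i % sizeof tone];
    return n;
}

/* Runs the generator against a BUF_LEN-byte stack buffer that is followed by a
 * canary region of AST_FRIENDLY_OFFSET bytes. Returns 1 if the canary survived,
 * 0 if the generator wrote past the end of its buffer. The arena is sized so
 * that even the vulnerable rule stays inside it, keeping the demo well defined. */
int canary_intact(size_t requested, size_t (*max_samples)(size_t)) {
    uint8_t arena[BUF_LEN + AST_FRIENDLY_OFFSET];
    memset(arena, CANARY, sizeof arena);
    generate(arena, BUF_LEN, requested, max_samples);
    for (size_t i = BUF_LEN; i < sizeof arena; i++)
        if (arena[i] != CANARY)
            return 0;
    return 1;
}

int main(void) {
    /* A normal 20 ms frame fits either way; an oversized request separates them. */
    printf("160 samples, vulnerable sizing: canary %s\n",
           canary_intact(160, max_samples_vulnerable) ? "intact" : "CLOBBERED");
    printf("4096 samples, vulnerable sizing: canary %s\n",
           canary_intact(4096, max_samples_vulnerable) ? "intact" : "CLOBBERED");
    printf("4096 samples, fixed sizing: canary %s\n",
           canary_intact(4096, max_samples_fixed) ? "intact" : "CLOBBERED");
    return 0;
}
```

The overrun is bounded: at most AST_FRIENDLY_OFFSET bytes of fixed tone data land past the buffer, which matches the report's assessment that the outcome is a crash rather than code execution. The defensive point is that any limit derived from a buffer size has to account for every byte the buffer does not dedicate to payload, and a guard region like the one above is an easy unit-test for that arithmetic.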
Comments: |
By: Matt Jordan (mjordan) 2012-03-15 08:15:50.218-0500
Patch by Russell Bryant attached