Summary: ASTERISK-19541: Security Vulnerability: remotely exploitable stack overrun in Milliwatt
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2012-03-15 08:14:50
Date Closed: 2012-03-15 13:43:19
Versions: 1.4.43 10.2.0 10.3.0
Frequency of
Must be completed before resolving: ASTERISK-19271 Asterisk Blockers
Must be completed before resolving: ASTERISK-19272 Asterisk 10.3.0 Blockers
Environment:
Attachments: (0) milliwatt_stack_overrun.rev1.txt
Description: Reported by Russell Bryant.

The number of people affected by this has got to be near zero, but ...

Milliwatt() appears to be vulnerable to a remotely exploitable stack
overrun.  Remote code execution is not possible.  The data that is
written is the pre-defined Milliwatt data, not custom data.

The root of the problem is fixed in the attached patch.  The
milliwatt_generate() function does not account for AST_FRIENDLY_OFFSET
when calculating the maximum number of samples it can put in the
output buffer.  This can be exploited under the following conditions:

1) A dialplan is using Milliwatt() with the 'o' option.

2) The internal_timing option in asterisk.conf is off.

3) A call sends a large audio packet.  If you take a look at
ast_read_generator_actions() in main/channel.c, you'll see that under
these circumstances, the generator is asked to generate a frame that
matches the size of what came in.  This can be used to trigger the
milliwatt generator to max out, and overrun its stack buffer in the
process, most likely causing a crash.
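The sizing mistake described above, modelled in C as an added example (this is not Asterisk's app_milliwatt.c and not the attached patch). The header room is called FRIENDLY_OFFSET here and assumed to be 64 bytes, the payload room is assumed to be 640 bytes, the 8-byte tone pattern values are constructed, and generate(), simulate() and overrun_bytes() are names chosen for this model. The only difference between the two clamps is whether the header room is subtracted before deciding how many samples fit; the model refuses the out-of-bounds write rather than performing it, so it reports the overrun instead of corrupting its own stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header room reserved in front of the audio payload. Asterisk calls this
 * AST_FRIENDLY_OFFSET; the value 64 is an assumption for this model. */
#define FRIENDLY_OFFSET 64
/* Payload room the generator keeps in its stack buffer (assumption). */
#define PAYLOAD_ROOM 640
#define BUF_LEN (FRIENDLY_OFFSET + PAYLOAD_ROOM)

/* The 8-sample digital milliwatt tone pattern (constructed sample values). */
static const unsigned char milliwatt_pattern[8] = {
    0x1e, 0x0b, 0x0b, 0x1e, 0x9e, 0x8b, 0x8b, 0x9e
};

/* The bug: the clamp is derived from the whole buffer, ignoring that the
 * payload starts FRIENDLY_OFFSET bytes in. */
static int max_samples_vulnerable(void)
{
    return BUF_LEN;
}

/* The fix: subtract the header room before clamping. */
static int max_samples_fixed(void)
{
    return BUF_LEN - FRIENDLY_OFFSET;
}

/* How many bytes past the end of a BUF_LEN buffer a write of `samples`
 * bytes starting at FRIENDLY_OFFSET would reach (0 means in bounds). */
static int overrun_bytes(int samples)
{
    long end = (long)FRIENDLY_OFFSET + samples;
    return end > BUF_LEN ? (int)(end - BUF_LEN) : 0;
}

/* Model of the generator: fill `buf` with `requested` samples of the pattern
 * after the header room, clamped to `maxsamples`. Unlike a real generator it
 * refuses an out-of-bounds write and returns -1, so the vulnerable clamp is
 * shown without touching memory outside the buffer. Returns the number of
 * samples written; `index` carries the position within the pattern. */
static int generate(unsigned char *buf, size_t buflen, int requested,
                    int maxsamples, int *index)
{
    int samples = requested > maxsamples ? maxsamples : requested;

    if (samples < 0 || (size_t)FRIENDLY_OFFSET + (size_t)samples > buflen) {
        return -1; /* the write the vulnerable clamp would have allowed */
    }
    memset(buf, 0, FRIENDLY_OFFSET); /* header room left for the caller */
    for (int i = 0; i < samples; i++) {
        buf[FRIENDLY_OFFSET + i] = milliwatt_pattern[*index];
        *index = (*index + 1) & 7;
    }
    return samples;
}

/* Drive the generator with the sample count of an incoming packet, which is
 * what the channel core does when internal timing is off. */
static int simulate(int incoming_samples, bool fixed)
{
    unsigned char buf[BUF_LEN];
    int index = 0;
    int clamp = fixed ? max_samples_fixed() : max_samples_vulnerable();

    return generate(buf, sizeof(buf), incoming_samples, clamp, &index);
}

int main(void)
{
    int big = 4000; /* an oversized incoming packet (constructed) */

    printf("vulnerable clamp: %d samples, overrun by %d bytes, generate() = %d\n",
           max_samples_vulnerable(), overrun_bytes(max_samples_vulnerable()),
           simulate(big, false));
    printf("fixed clamp:      %d samples, overrun by %d bytes, generate() = %d\n",
           max_samples_fixed(), overrun_bytes(max_samples_fixed()),
           simulate(big, true));
    return 0;
}
```

With the vulnerable clamp, any request of at least BUF_LEN samples is cut to BUF_LEN and then written starting FRIENDLY_OFFSET bytes into the buffer, so the last FRIENDLY_OFFSET bytes of the tone land past the end of the stack array; with the fixed clamp the same request is cut to PAYLOAD_ROOM and stays in bounds. Small requests behave identically under both clamps, which is why the bug only shows up once a large incoming packet sets the requested size.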
Comments:
By: Matt Jordan (mjordan) 2012-03-15 08:15:50.218-0500

Patch by Russell Bryant attached