|Summary:|ASTERISK-20967: Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976|
|Reporter:|Matt Jordan (mjordan)|
|Labels:||
|Date Opened:|2013-01-21 14:31:44.000-0600|
|Date Closed:|2013-03-27 14:23:36|
|Versions:|220.127.116.11 18.104.22.168 10.11.1 10.11.1-digiumphones 10.12.0 10.12.0-digiumphones 11.1.2 11.2.0|
|Frequency of:||
|Environment:||
|Attachments:|( 0) AST-2013-002-1.8.diff ( 1) AST-2013-002-10.diff ( 2) AST-2013-002-11.diff ( 3) issueA20967_file_leak_and_unused_wkspace.patch|
When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk. It is based on the user-controlled malloc(), which replaced the alloca() in http.c. An attacker can use the Content-length: header to control the amount of heap allocated and exhaust the memory available to Asterisk.
I have attached our disclosure and a PoC for your convenience. The PoC uses a number of concurrent connections but with a bit more effort could probably use a probing scheme and then get away with one or very few connections. Also, note that filling up the memory is not necessary to effect a temporary DoS i.e. an attack would be possible over a low-bandwidth connection. The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.
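The report above describes a user-controlled Content-Length driving the size of a heap allocation. The following is an added example, not Asterisk's http.c code or the AST-2013-002 patches: it validates the header value against a cap before any memory is allocated, so an oversized or malformed length is rejected without touching the heap. MAX_CONTENT_LENGTH, checked_content_length and alloc_body are hypothetical names chosen for this illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical cap on an accepted request body. Asterisk's real limit and
 * the http.c code are not on this page, so this value is an assumption. */
#define MAX_CONTENT_LENGTH 1024UL

/* Parse a Content-Length header value and decide whether a body of that
 * size may be buffered at all. Returns the length, or -1 if the value is
 * missing, malformed, signed, out of range, or above the cap. */
long checked_content_length(const char *value)
{
    char *end;
    unsigned long n;

    /* strtoul would silently accept whitespace and a sign; insist on a digit */
    if (value == NULL || *value < '0' || *value > '9') {
        return -1;
    }
    errno = 0;
    n = strtoul(value, &end, 10);
    if (errno == ERANGE) {
        return -1;
    }
    /* only trailing whitespace or a line ending may follow the digits */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') {
        end++;
    }
    if (*end != '\0' || n > MAX_CONTENT_LENGTH) {
        return -1; /* rejected before any heap allocation happens */
    }
    return (long) n;
}

/* Allocate the body buffer only after the header has been accepted;
 * returns NULL without allocating when the length is rejected. */
char *alloc_body(const char *content_length_value, long *len_out)
{
    long len = checked_content_length(content_length_value);

    if (len < 0) {
        return NULL;
    }
    if (len_out) {
        *len_out = len;
    }
    return calloc((size_t) len + 1, 1);
}
```

The cap is deliberately small here to make the check easy to exercise; a real server would size it from configuration and reject the request with a 413 rather than just returning NULL.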
Comments:

By: Walter Doekes (wdoekes) 2013-03-10 09:45:12.547-0500
If we're in the vicinity, might as well tackle these issues in issueA20967_file_leak_and_unused_wkspace.patch
By: Matt Jordan (mjordan) 2013-03-25 15:08:33.159-0500
I'm okay committing that immediately after the patches go in for the security vulnerability, but if it's okay I'll probably keep it separate from the actual vulnerability fix.