Summary: ASTERISK-20967: Security Vulnerability: DoS attack possible due to fix for CVE-2012-5976
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2013-01-21 14:31:44.000-0600
Date Closed: 2013-03-27 14:23:36
Versions: 10.11.1, 10.11.1-digiumphones, 10.12.0, 10.12.0-digiumphones, 11.1.2, 11.2.0
Frequency of
Must be completed before resolving: ASTERISK-21004 Open Blockers for
Must be completed before resolving: ASTERISK-21005 Open Blockers for 11.3.0
Environment:
Attachments:
( 0) AST-2013-002-1.8.diff
( 1) AST-2013-002-10.diff
( 2) AST-2013-002-11.diff
( 3) issueA20967_file_leak_and_unused_wkspace.patch

When researching CVE-2012-5976 in HTTP, I came across a DoS possible on the patched versions of Asterisk.  It is based on the user-controlled malloc(), which replaced the alloca() in http.c.  An attacker can use the Content-length: header to control the amount of heap allocated and exhaust the memory available to Asterisk.

I have attached our disclosure and a PoC for your convenience.  The PoC uses a number of concurrent connections but with a bit more effort could probably use a probing scheme and then get away with one or very few connections.  Also, note that filling up the memory is not necessary to effect a temporary DoS, i.e. an attack would be possible over a low-bandwidth connection.  The PoC does fill the buffer to demonstrate that the server process will be terminated by the OS in this case.

Christoph Hebeisen
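The mitigation the report points at is to bound the peer-supplied Content-Length before the heap allocation is made. The following is an added illustrative example in C, not code from this report or from the AST-2013-002 patches; the cap MAX_BODY_LEN and the function names are assumptions chosen for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Illustrative cap (an assumption for this example, not Asterisk's value):
 * manager-interface request bodies are small, so larger declared lengths are refused. */
#define MAX_BODY_LEN 4096

enum body_check { BODY_OK = 0, BODY_MALFORMED = -1, BODY_TOO_LARGE = -2 };

/* Validate a Content-Length header value *before* any allocation happens.
 * Stores the length in *out (if non-NULL) and returns BODY_OK only for a
 * well-formed, non-negative integer no larger than MAX_BODY_LEN. */
static int check_content_length(const char *value, size_t *out)
{
    char *end;
    long len;

    if (!value)
        return BODY_MALFORMED;
    while (isspace((unsigned char)*value))
        value++;
    /* strtol() would accept a leading '-' or '+'; require a digit instead */
    if (!isdigit((unsigned char)*value))
        return BODY_MALFORMED;
    errno = 0;
    len = strtol(value, &end, 10);
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return BODY_MALFORMED;   /* trailing junk such as "12abc" */
    if (errno == ERANGE || len > MAX_BODY_LEN)
        return BODY_TOO_LARGE;   /* overflowed long, or above the cap */
    if (out)
        *out = (size_t)len;
    return BODY_OK;
}

/* Allocate the body buffer only after the declared length has been bounded,
 * so the peer never decides how much heap the server commits. On failure
 * returns NULL and reports why through *status. */
static char *alloc_body_buffer(const char *content_length, int *status)
{
    size_t len = 0;
    *status = check_content_length(content_length, &len);
    if (*status != BODY_OK)
        return NULL;
    return calloc(len + 1, 1); /* +1 for a terminating NUL */
}
```

A request rejected with BODY_TOO_LARGE should be answered with an error and closed without reading the body, so the limit also caps the bandwidth a single connection can consume.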
Comments:
By: Walter Doekes (wdoekes) 2013-03-10 09:45:12.547-0500

If we're in the vicinity, might as well tackle these issues in issueA20967_file_leak_and_unused_wkspace.patch

By: Matt Jordan (mjordan) 2013-03-25 15:08:33.159-0500

I'm okay committing that immediately after the patches go in for the security vulnerability, but if it's okay I'll probably keep it separate from the actual vulnerability fix.