|Summary:||ASTERISK-23489: Vulnerability in res_pjsip_pubsub: unauthenticated remote crash in during MWI unsubscribe without being subscribed|
|Reporter:||John Bigelow (jbigelow)||Labels:||Security|
|Date Opened:||2014-03-14 11:53:41||Date Closed:||2014-06-12 09:41:22|
|Versions:||SVN 12.1.0||Frequency of|
|Environment:||Asterisk trunk r410556, PJSIP trunk r4797||Attachments:||( 0) ASTERISK-23489.patch|
( 1) ASTERISK-23489v2.patch
( 2) backtrace_14905.txt
( 3) full.txt
( 4) vulnerability-demo.tar.gz
|Description:||I found that attempting to unsubscribe from MWI when not currently subscribed causes Asterisk to crash with the below output. The SUBSCRIBE is matched to endpoint based on name with no auth.
* backtrace_14905.txt: backtrace of crash
* full.txt: Asterisk full debug log
* vulnerability-demo.tar.gz: testsuite test that causes the crash
[Mar 14 11:05:17] WARNING: asterisk:126 errReceived: Asterisk 127.0.0.1 received error: asterisk: ../src/pjsip-simple/
evsub.c:510: set_timer: Assertion `seconds > 0' failed.
|Comments:||By: Mark Michelson (mmichelson) 2014-03-14 12:09:34.910-0500|
Attaching ASTERISK-23489.patch to the issue. Asterisk should send a 423 response now instead of crashing.
By: Mark Michelson (mmichelson) 2014-03-14 12:35:25.487-0500
Adding a second version of the patch (ASTERISK-23489v2.patch) that does the same as the first patch, except that it now sends a 400 response instead of a 423. This is because RFC 3265 and 6665 both state that you may not send a 423 response if the Expires value is 0.
By: John Bigelow (jbigelow) 2014-03-14 13:47:46.641-0500
Applied ASTERISK-23489v2.patch and Asterisk no longer crashes and a '400 Bad Request' is sent as the response to the SUBSCRIBE using the test suite test that is attached to this issue.
Small typo correction for ASTERISK-23489v2.patch:
- ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n"
+ ast_log(LOG_WARNING, "Subscription request from endpoint %s rejected. Expiration of 0 is invalid\n"