Summary: ASTERISK-23489: Vulnerability in res_pjsip_pubsub: unauthenticated remote crash during MWI unsubscribe without being subscribed
Reporter: John Bigelow (jbigelow)
Labels: Security
Date Opened: 2014-03-14 11:53:41
Date Closed: 2014-06-12 09:41:22
Versions: SVN 12.1.0
Frequency of
Environment: Asterisk trunk r410556, PJSIP trunk r4797
Attachments:
( 0) ASTERISK-23489.patch
( 1) ASTERISK-23489v2.patch
( 2) backtrace_14905.txt
( 3) full.txt
( 4) vulnerability-demo.tar.gz
Description: I found that attempting to unsubscribe from MWI when not currently subscribed causes Asterisk to crash with the below output. The SUBSCRIBE is matched to the endpoint based on name, with no auth.

* backtrace_14905.txt: backtrace of crash
* full.txt: Asterisk full debug log
* vulnerability-demo.tar.gz: testsuite test that causes the crash

[Mar 14 11:05:17] WARNING[8603]: asterisk:126 errReceived: Asterisk received error: asterisk: ../src/pjsip-simple/
evsub.c:510: set_timer: Assertion `seconds > 0' failed.
Comments:

By: Mark Michelson (mmichelson) 2014-03-14 12:09:34.910-0500

Attaching ASTERISK-23489.patch to the issue. Asterisk should send a 423 response now instead of crashing.

By: Mark Michelson (mmichelson) 2014-03-14 12:35:25.487-0500

Adding a second version of the patch (ASTERISK-23489v2.patch) that does the same as the first patch, except that it now sends a 400 response instead of a 423. This is because RFC 3265 and 6665 both state that you may not send a 423 response if the Expires value is 0.
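As an added illustration of the decision the v2 patch implies (example code, not Asterisk's or pjsip's own): pick the status code for an MWI SUBSCRIBE from its Expires value and whether a subscription already exists, so that Expires: 0 with nothing to remove gets a 400 rather than reaching the timer. MIN_EXPIRES, DEFAULT_EXPIRES, the sample messages and the function names are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MIN_EXPIRES     60   /* hypothetical server minimum (what a 423 would advertise) */
#define DEFAULT_EXPIRES 3600 /* assumed default when no Expires header is present */

/* Constructed sample SUBSCRIBE requests for the tests below, not captured traffic. */
static const char MSG_UNSUB[] = "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n"
    "Event: message-summary\r\nExpires: 0\r\n\r\n";
static const char MSG_BRIEF[] = "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n"
    "Event: message-summary\r\nExpires: 5\r\n\r\n";
static const char MSG_NOEXP[] = "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n"
    "Event: message-summary\r\n\r\n";

/* Return the Expires value, -1 if the header is absent, -2 if it is malformed. */
static int sip_expires(const char *msg)
{
    const char *p = msg;
    while (p && *p) {
        if (strncasecmp(p, "Expires:", 8) == 0) {
            for (p += 8; *p == ' ' || *p == '\t'; p++)
                ;
            return isdigit((unsigned char)*p) ? (int) strtol(p, NULL, 10) : -2;
        }
        p = strstr(p, "\r\n");
        if (p)
            p += 2;
    }
    return -1;
}

/* Status code for an MWI SUBSCRIBE. has_subscription is nonzero when one already
 * exists for this dialog. Expires: 0 with nothing to remove is the case that
 * reached pjsip's set_timer() assertion; it must be rejected with 400, not 423. */
int subscribe_response(const char *msg, int has_subscription)
{
    int expires = sip_expires(msg);
    if (expires == -2)
        return 400;                             /* unparsable Expires value */
    if (expires == -1)
        expires = DEFAULT_EXPIRES;
    if (expires == 0)
        return has_subscription ? 200 : 400;    /* RFC 6665: no 423 when Expires is 0 */
    if (expires < MIN_EXPIRES)
        return 423;                             /* Interval Too Brief, legal since > 0 */
    return 200;
}
```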

By: John Bigelow (jbigelow) 2014-03-14 13:47:46.641-0500

Applied ASTERISK-23489v2.patch and Asterisk no longer crashes and a '400 Bad Request' is sent as the response to the SUBSCRIBE using the test suite test that is attached to this issue.

Small typo correction for ASTERISK-23489v2.patch:
-                       ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n"
+                       ast_log(LOG_WARNING, "Subscription request from endpoint %s rejected. Expiration of 0 is invalid\n"