SECURITYVULNS:DOC:17532
Jul 19, 2007 - 12:00 a.m.

ASA-2007-015: Remote Crash Vulnerability in IAX2 channel driver

           Asterisk Project Security Advisory - ASA-2007-015

+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Remote Crash Vulnerability in IAX2 channel driver |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Denial of Service |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Critical |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | July 13, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Chris Clark and Zane Lackey, iSEC Partners |
|--------------------+---------------------------------------------------|
| Posted On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | July 17, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Russell Bryant <[email protected]> |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2007-3763 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | The Asterisk IAX2 channel driver, chan_iax2, has a |
| | remotely exploitable crash vulnerability. A NULL pointer |
| | exception can occur when Asterisk receives a LAGRQ or |
| | LAGRP frame that is part of a valid session and includes |
| | information elements. The session used to exploit this |
| | issue does not have to be authenticated. It can simply |
| | be a NEW packet sent with an invalid username. |
| | |
| | The code that parses the incoming frame correctly parses |
| | the information elements of IAX frames. It then sets a |
| | pointer to NULL to indicate that there is not a raw data |
| | payload associated with this frame. However, it does not |
| | set the variable that indicates the number of bytes in |
| | the raw payload back to zero. Since the raw data length |
| | is non-zero, the code handling LAGRQ and LAGRP frames |
| | tries to copy data from a NULL pointer, causing a crash. |
+------------------------------------------------------------------------+
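
The flaw described above, reduced to an added C example that is not taken from chan_iax2 or from the Asterisk project: the struct, function names and sample frame are hypothetical. It shows the stale-length state left by the flawed reset, the corrected reset, and a consumer that checks the pointer/length invariant before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a received frame; not chan_iax2's own struct. */
struct frame {
    const unsigned char *data; /* raw payload, or NULL if none */
    int datalen;               /* number of payload bytes */
};

/* Flaw described in the advisory: after the information elements are parsed,
 * the payload pointer is cleared but the length is left stale. */
static void after_ie_parse_flawed(struct frame *f) { f->data = NULL; }

/* Corrected pattern: pointer and length are reset together. */
static void after_ie_parse_fixed(struct frame *f) { f->data = NULL; f->datalen = 0; }

/* Invariant consumers rely on: a NULL payload always has zero length. */
static int frame_consistent(const struct frame *f)
{
    return f->datalen >= 0 && (f->data != NULL || f->datalen == 0);
}

/* Defensive consumer standing in for a LAGRQ/LAGRP-style handler. Returns
 * bytes copied, or -1 if the frame is inconsistent or does not fit in out. */
static int copy_payload(const struct frame *f, unsigned char *out, size_t outlen)
{
    if (!frame_consistent(f) || (size_t)f->datalen > outlen)
        return -1;
    if (f->datalen > 0)
        memcpy(out, f->data, (size_t)f->datalen);
    return f->datalen;
}

/* Constructed sample: a frame whose 8-byte body consisted of IEs. */
static int run_case(int use_fixed)
{
    static const unsigned char body[8] = {0};
    unsigned char reply[64];
    struct frame f = { body, (int)sizeof(body) };
    if (use_fixed) after_ie_parse_fixed(&f); else after_ie_parse_flawed(&f);
    return copy_payload(&f, reply, sizeof(reply));
}

int main(void)
{
    printf("flawed=%d fixed=%d\n", run_case(0), run_case(1));
    return 0;
}
```

With the flawed reset the consumer rejects the frame (-1) instead of reading through a NULL pointer; with the corrected reset it copies zero bytes.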

+------------------------------------------------------------------------+
| Resolution | All users that have chan_iax2 enabled should upgrade to |
| | the appropriate version listed in the "Corrected In" |
| | section of this advisory. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+

Affected Versions
Product
----------------------------------+-------------+-----------------------
Asterisk Open Source
----------------------------------+-------------+-----------------------
Asterisk Open Source
----------------------------------+-------------+-----------------------
Asterisk Open Source
----------------------------------+-------------+-----------------------
Asterisk Business Edition
----------------------------------+-------------+-----------------------
Asterisk Business Edition
----------------------------------+-------------+-----------------------
AsteriskNOW
----------------------------------+-------------+-----------------------
Asterisk Appliance Developer Kit
----------------------------------+-------------+-----------------------
s800i (Asterisk Appliance)
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+

Corrected In
Product
-------------------+----------------------------------------------------
Asterisk Open Source
-------------------+----------------------------------------------------
Asterisk Business Edition
-------------------+----------------------------------------------------
AsteriskNOW
-------------------+----------------------------------------------------
Asterisk Appliance Developer Kit
-------------------+----------------------------------------------------
s800i (Asterisk Appliance)
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://ftp.digium.com/pub/asa/ASA-2007-015.pdf. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+

Revision History
Date
-------------------+-------------------------+--------------------------
July 17, 2007
+------------------------------------------------------------------------+
           Asterisk Project Security Advisory - ASA-2007-015
          Copyright (c) 2007 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.