Bug#482997: asterisk: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode (CVE-2008-2119)

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Jun 10 07:59:38 UTC 2008


On Tue, Jun 10, 2008 at 09:20:52AM +0200, Torgeir S. wrote:
> On Mon, Jun 09, 2008 at 02:57:55PM +0300, Faidon Liambotis wrote:
> > Torgeir S. wrote:
> > > 2etch5 was tested today. Unfortunately, asterisk died with a segfault (both when
> > > executed with /etc/init.d/asterisk and /usr/sbin/asterisk -vvvvv)
> > > 
> > > It looked like it had something to do with IAX, as it died right after
> > > saying:
> > >
> > > (snip)
> > >   == Registered channel type 'IAX2' (Inter Asterisk eXchange Driver (Ver 2))
> > >   == IAX Ready and Listening
> > > Segmentation fault
> > >
> > > When I moved our iax.conf to iax.conf.OLD, asterisk didn't segfault and started normally:
> > > 
> > > Asterisk Ready.
> > > 
> > > It appears, after some commenting/uncommenting of config directives in
> > > /etc/asterisk/iax.conf, that asterisk 2etch5 will segfault if >1 peer
> > > has the same value in the host= directive.
> > 
> > I've tried to reproduce it with no success.
> > Could you send me your iax.conf or one with sensitive settings stripped
> > that reproduces the crash for you?
> > 
> 
> The attached config will crash asterisk 2etch5 with the segmentation
> fault described in the previous message. Note that the host directives
> need to contain a valid host with iax2 listening. Both host directives
> need to contain the same host.
> 
> The config file is the default config file found in
> /usr/share/doc/asterisk/examples/ with the two peer accounts added to
> the bottom.
> 
> asterisk-2etch5 will crash with this config when connected (host=) to a
> default asterisk-2etch4
> 
> asterisk-2etch5 will crash with this config when connected (host=) to a
> default asterisk-2etch5

I could not reproduce this in a fresh asterisk installation in a chroot.
Maybe the hosts cause some extra delay and the crash is from some
incompatible module?

Could you please try disabling the module iax to see if the crash is
from a different module? In /etc/asterisk/modules.conf:

  noload => chan_iax2.so

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
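
An added example, not part of the original message and not code from Asterisk or the Debian package: a small Python check that lists static `host=` values shared by more than one section of an `iax.conf`, which is the condition the reporter describes in the quoted text. The sample config, peer names and hostnames are constructed; `host=dynamic` entries are skipped because they do not name a remote host, and only `;` line comments are handled.

```python
import re
import sys
from collections import defaultdict

SECTION = re.compile(r"^\[([^\]]+)\]")
SETTING = re.compile(r"^([A-Za-z_]+)\s*=>?\s*(.*)$")  # key=value or key => value

def peers_by_host(conf_text):
    """Map each static host= value to the sections (peers) that use it."""
    hosts = defaultdict(list)
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = SETTING.match(line)
        if not m or section in (None, "general") or m.group(1).lower() != "host":
            continue
        value = m.group(2).strip().lower()  # hostnames are case-insensitive
        if value and value != "dynamic" and section not in hosts[value]:
            hosts[value].append(section)
    return dict(hosts)

def shared_hosts(conf_text):
    """Return only the host values configured on more than one peer."""
    return {h: s for h, s in peers_by_host(conf_text).items() if len(s) > 1}

# Constructed sample; names and hosts are placeholders, not from the report.
SAMPLE = """\
[general]
bindport=4569
[peer-a]
type=peer
host=pbx.example.net
[peer-b]
type=peer
host => PBX.example.net   ; same host as peer-a
[phone1]
type=friend
host=dynamic
[peer-c]
type=peer
;host=pbx.example.net
host=other.example.net
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for host, peers in shared_hosts(text).items():
        print(f"{host}: shared by {', '.join(peers)}")
```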





More information about the Pkg-voip-maintainers mailing list