IAXclient truncated frames vulnerabilities

Advisory ID Internal
CORE-2006-0327

Date Published: 2006-06-09

Last Update: 2006-06-09

Advisory ID: CORE-2006-0327

Bugtraq ID: 18307

CVE Name: CVE-2006-2923

Title: IAXclient truncated frames vulnerabilities

Class: Input Validation Error

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vendors contacted:
2006-06-05: Initial notification to vendor
2006-06-05: Vendor acknowledgment received
2006-06-05: Draft advisory and technical details provided to vendor
2006-06-05: Fixes committed to IAXclient source tree repository
2006-06-06: Notified third-party vendors that use the IAXclient library

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

IAXclient is an open source library that implements the IAX2 VoIP protocol used by the Asterisk IP PBX and several VoIP software phones.
Two vulnerabilities have been found in the library that may grant attackers remote execution of arbitrary code on systems using software packages that rely on it to implement the IAX2 protocol support.

*Vulnerable Packages:*

Although this vulnerability was discovered and tested in the IDE FISK software phone other software packages that use the IAXclient library may be vulnerable. Software phones that implement the IAX2 protocol using the IAXclient library:

- IDE FISK (confirmed vulnerable)
versions <= 1.35
- IaxComm (confirmed vulnerable)
versions < 1.2.0
- KIAX (confirmed vulnerable)
versions <= 0.8.5
- LoudHush
versions <= 1.3.6
- DIAX
- Ziaxphone, a softphone for the Zaurus PDA
- IAX Phone
- X-lite
- MediaX
- Extreme Networks ePhone

The Asterisk open source PBX is NOT VULNERABLE to these flaws because it uses a different function to read and process IAX packets received form the network that properly discards truncated packets.

*Solution/Vendor Information:*

Software packages using an IAXclient library built from source code dated June 6th, 2006 or newer are not vulnerable.
A fix was committed to the IAXclient SVN source tree on June 5th, 2006. To fix your client package obtain a current version of IAXclient from the source repository an recompile the library.

Software phones not vulnerable
- IDE FISK 1.37
- LoudHush 1.3.7
- IaxComm 1.2.0
- KIAX 0.8.51

*Credits:*

Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and Ivan Arce from Core Security discovered and tested these vulnerabilities.

We would like to thank IAXclient maintainer Steve K for responding to our bug report diligently and for his quickness in addressing the issue and releasing a fix.


*Technical Description - Exploit/Concept Code:*


The Inter-Asterisk Exchange (IAX) protocol provides control and transmission of streaming media over IP networks. IAX can be used with any type of streaming media including video and still images but is targeted primarily at the control of VoIP calls. [1]

The IAX protocol relies on a single UDP port for all its communications (4569/udp). The protocol uses a 15-bit identification number (call number) to multiplex several streams over the same UDP port.

IAX messages are called frames. Several basic frame types are described in the protocol specification draft[1]. Two types of IAX frames are of interest in this case: the IAX full frame and the IAX mini-frame which are defined in file iaxclient/lib/libiax2/src/iax2.h

/* Full frames are always delivered reliably */
struct ast_iax2_full_hdr {
unsigned short scallno; /* Source call number -- high bit must be 1 */
unsigned short dcallno; /* Destination call number -- high bit is 1 if retransmission */
unsigned int ts; /* 32-bit timestamp in milliseconds (from 1st transmission) */
unsigned char oseqno; /* Packet number (outgoing) */
unsigned char iseqno; /* Packet number (next incoming expected) */
char type; /* Frame type */
unsigned char csub; /* Compressed subclass */
unsigned char iedata[0];
} __PACKED;

/* Mini header is used only for voice frames -- delivered unreliably */
struct ast_iax2_mini_hdr {
unsigned short callno; /* Source call number -- high bit must be 0, rest must be non-zero */
unsigned short ts; /* 16-bit Timestamp (high 16 bits from last ast_iax2_full_hdr) */
/* Frametype implicitly VOICE_FRAME */
/* subclass implicit from last ast_iax2_full_hdr */
unsigned char data[0];
} __PACKED;

Parsing of IAX packets received over the network is done in iax_net_process() function implemented in iaxclient/lib/libiax2/src/iax.c. The following excerpts are from revision 536 of the file.

struct iax_event *iax_net_process(unsigned char *buf, int len, struct sockaddr_in *sin)
{
struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)buf;
struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)buf;
struct iax_session *session;

if (ntohs(fh->scallno) & IAX_FLAG_FULL) {
/* Full size header */
[A] if (len < sizeof(struct ast_iax2_full_hdr)) {
DEBU(G "Short header received from %s
", inet_ntoa(sin->sin_addr));
IAXERROR "Short header received from %s
", inet_ntoa(sin->sin_addr));
}
/* We have a full header, process appropriately */
session = iax_find_session(sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL, ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS, 1);
if (!session)
session = iax_txcnt_session(fh, len-sizeof(struct ast_iax2_full_hdr), sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL, ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS);
if (session)
return iax_header_to_event(session, fh, len - sizeof(struct ast_iax2_full_hdr), sin);
DEBU(G "No session?
");
return NULL;
} else {
[B] if (len < sizeof(struct ast_iax2_mini_hdr)) {
DEBU(G "Short header received from %s
", inet_ntoa(sin->sin_addr));
IAXERROR "Short header received from %s
", inet_ntoa(sin->sin_addr));
}
/* Miniature, voice frame */
session = iax_find_session(sin, ntohs(fh->scallno), 0, 0);
if (session)
return iax_miniheader_to_event(session, mh, len - sizeof(struct ast_iax2_mini_hdr));
DEBU(G "No session?
");
return NULL;
}
}


The 'len' argument is received from the iax_net_read() function implemented in the same file. Its value is set to the return value of a call to the recvfrom(2) function -the number of bytes read from the network. The 'buf' argument is a pointer to a fixed-size buffer allocated in the stack with the data read in the iax_net_read() function.

The function performs length checks at [A] and [B] to make sure that the received packet is not a truncated full-frame or mini-frame respectively, but processing of possibly undersized packets continues after output of error messages. This will provide two exploitable security flaws further down the execution flow.

IAX2 truncated full-frame vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the case of [A] a full-frame packet is processed with the following execution flow:
iax_net_read()
iax_net_process()
iax_find_session()
iax_txcnt_session()
iax_header_to_event()

The iax_txcnt_session is implemented in the same file:

static struct iax_session *iax_txcnt_session(struct ast_iax2_full_hdr *fh, int datalen,
struct sockaddr_in *sin, short callno, short dcallno)
{
int subclass = uncompress_subclass(fh->csub);
unsigned char buf[ 65536 ]; /* allocated on stack with same size as iax_net_read() */
struct iax_ies ies;
struct iax_session *cur;

if ((fh->type != AST_FRAME_IAX) || (subclass != IAX_COMMAND_TXCNT) || (!datalen)) {
return NULL; /* special handling for TXCNT only */
}
[C] memcpy(buf, fh->iedata, datalen); /* prepare local buf for iax_parse_ies() */

if (iax_parse_ies(&ies, buf, datalen)) {
return NULL; /* Unable to parse IE's */
}
...

The 'datalen' argument receives the value passed by iax_net_process() calculated as datalen = len-sizeof(struct ast_iax2_full_hdr) which will be become less than 0 if a truncated full frame packet was read from the network.

Later in [C] the memcpy using a possibly negative value of 'datalen' will trigger a buffer overflow on the fixed-sized buffer 'buf' in the stack. A 11-byte UDP packet can be crafted to trigger the vulnerability and execute arbitrary code on vulnerable systems.

The iax_header_to_event() function suffers from a similar problem (in this case a heap overflow) due to its use of a combination of malloc(2), memset(2) and memcpy(2) using a possibly negative length argument

IAX2 truncated mini-frame vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Similarly, in the case of [B], mini-frame packets are processed following this execution flow:

iax_net_read()
iax_net_process()
iax_find_session()
iax_miniheader_to_event()

An excerpt from the iax_miniheader_to_event() funtion, implemente in the same file is shown below:

static struct iax_event *iax_miniheader_to_event(struct iax_session *session,
struct ast_iax2_mini_hdr *mh,
int datalen)
{
struct iax_event *e;
unsigned int ts;
int updatehistory = 1;
e = (struct iax_event *)malloc(sizeof(struct iax_event) + datalen);
if (e) {
if (session->voiceformat > 0) {
e->etype = IAX_EVENT_VOICE;
e->session = session;
e->subclass = session->voiceformat;
e->datalen = datalen;
if (datalen) {
#ifdef EXTREME_DEBUG
DEBU(G "%d bytes of voice
", datalen);
#endif
[D] memcpy(e->data, mh->data, datalen);
}
ts = (session->last_ts & 0xFFFF0000) | ntohs(mh->ts);
return schedule_delivery(e, ts, updatehistory);


The memcpy in [D] will trigger buffer overflow of heap-allocated data if the 'datalen' argument has a value of less than 0. A 3-byte UDP packet (1-byte shorter than a mini-frame packet) can be crafted to trigger the overflow and execute arbitrary code on vulnerable systems.

*Workaround:*

Block inbound packets to port 4569/udp at the perimeter. This workaround will prevent IAX-based VoIP solutions from working with VoIP services outside the boundaries of the filtered network. Particularly, IAX software phones will be unable to communicate with IAX2 PBXs or termination services across the network perimeter.

*Additional information and References*

[1] Inter-Asterisk Exchange (IAX) version 2 protocol (draft-mspencer-iax2-01)

*About CoreLabs*

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at www.coresecurity.com/core-labs

About Core Security

Core Security develops strategic solutions that help security-conscious organizations worldwide. The company’s flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks.
Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training. www.coresecurity.com

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2006 CORE Security and (c) 2006 Corelabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: IAXclient-advisory.txt,v 1.4 2006/06/09 21:31:11 iarce Exp $