CVE-2006-2923
CVSS 6.4
Published: 2006-06-09 06:02:00
Revised: 2011-03-28 00:00:00
NMCOS    

[Original text] The iax_net_read function in the iaxclient open source library, as used in multiple products including (a) LoudHush 1.3.6, (b) IDE FISK 1.35 and earlier, (c) Kiax 0.8.5 and earlier, (d) DIAX, (e) Ziaxphone, (f) IAX Phone, (g) X-lite, (h) MediaX, (i) Extreme Networks ePhone, and (j) iaxComm before 1.2.0, allows remote attackers to execute arbitrary code via crafted IAX 2 (IAX2) packets with truncated (1) full frames or (2) mini-frames, which are detected in a length check but still processed, leading to buffer overflows related to negative length values.


[CNNVD] IAXClient Multiple Truncated IAX Frames Memory Corruption Vulnerability (CNNVD-200606-196)

        IAXClient is an open-source library that implements the IAX2 VoIP protocol.
        IAXClient has a memory corruption vulnerability in its handling of IAX messages; a remote attacker could exploit it to execute arbitrary instructions on the server.
        IAX messages are called frames. The file iaxclient/lib/libiax2/src/iax2.h defines two frame types: the IAX full frame and the IAX mini-frame.
        /* Full frames are always delivered reliably */
        struct ast_iax2_full_hdr {
            unsigned short scallno;   /* Source call number -- high bit must be 1 */
            unsigned short dcallno;   /* Destination call number -- high bit is 1 if retransmission */
            unsigned int ts;          /* 32-bit timestamp in milliseconds (from 1st transmission) */
            unsigned char oseqno;     /* Packet number (outgoing) */
            unsigned char iseqno;     /* Packet number (next incoming expected) */
            char type;                /* Frame type */
            unsigned char csub;       /* Compressed subclass */
            unsigned char iedata[0];
        } __PACKED;

        /* Mini header is used only for voice frames -- delivered unreliably */
        struct ast_iax2_mini_hdr {
            unsigned short callno;    /* Source call number -- high bit must be 0, rest must be non-zero */
            unsigned short ts;        /* 16-bit Timestamp (high 16 bits from last ast_iax2_full_hdr) */
            /* Frametype implicitly VOICE_FRAME */
            /* subclass implicit from last ast_iax2_full_hdr */
            unsigned char data[0];
        } __PACKED;
        Parsing of IAX packets received from the network is done by the iax_net_process() function implemented in iaxclient/lib/libiax2/src/iax.c. The following is excerpted from revision 536 of that file:
        struct iax_event *iax_net_process(unsigned char *buf, int len, struct sockaddr_in *sin)
        {
            struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)buf;
            struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)buf;
            struct iax_session *session;

            if (ntohs(fh->scallno) & IAX_FLAG_FULL) {
                /* Full size header */
        [A]     if (len < sizeof(struct ast_iax2_full_hdr)) {
                    DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr));
                    IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr));
                }
                /* We have a full header, process appropriately */
                session = iax_find_session(sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL,
                                           ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS, 1);
                if (!session)
                    session = iax_txcnt_session(fh, len - sizeof(struct ast_iax2_full_hdr),
                                                sin, ntohs(fh->scallno) & ~IAX_FLAG_FULL,
                                                ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS);
                if (session)
                    return iax_header_to_event(session, fh, len - sizeof(struct ast_iax2_full_hdr), sin);
                DEBU(G "No session?\n");
                return NULL;
            } else {
        [B]     if (len < sizeof(struct ast_iax2_mini_hdr)) {
                    DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr));
                    IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr));
                }
                /* Miniature, voice frame */
                session = iax_find_session(sin, ntohs(fh->scallno), 0, 0);
                if (session)
                    return iax_miniheader_to_event(session, mh, len - sizeof(struct ast_iax2_mini_hdr));
                DEBU(G "No session?\n");
                return NULL;
            }
        }
        The len parameter is received from the iax_net_read() function implemented in the same file; its value is the return value of the recvfrom(2) call, i.e. the number of bytes read from the network. The buf parameter points to a fixed-size buffer allocated on the stack, into which iax_net_read() reads the data.
        The function performs length checks at [A] and [B] to ensure that the received packet is not a truncated full-frame or mini-frame, but after printing an error message it keeps processing the undersized packet, which leads to two exploitable vulnerabilities.
        IAX2 truncated full-frame vulnerability
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        In case [A], a full-frame packet is handled by the following execution flow:
        iax_net_read()
        iax_net_process()
        iax_find_session()
        iax_txcnt_session()
        iax_header_to_event()
        iax_txcnt_session is also implemented in the same file:
        static struct iax_session *iax_txcnt_session(struct ast_iax2_full_hdr *fh, int datalen,
                                                     struct sockaddr_in *sin, short callno, short dcallno)
        {
            int subclass = uncompress_subclass(fh->csub);
            unsigned char buf[65536];  /* allocated on stack with same size as iax_net_read() */
            struct iax_ies ies;
            struct iax_session *cur;

            if ((fh->type != AST_FRAME_IAX) || (subclass != IAX_COMMAND_TXCNT) || (!datalen)) {
                return NULL;  /* special handling for TXCNT only */
            }
        [C] memcpy(buf, fh->iedata, datalen);  /* prepare local buf for iax_parse_ies() */
            if (iax_parse_ies(&ies, buf, datalen)) {
                return NULL;  /* Unable to parse IE's */
            }
            ...
        The datalen parameter receives the value passed by iax_net_process(), computed as datalen = len - sizeof(struct ast_iax2_full_hdr). If a truncated full frame is read from the network, this value can be less than 0.
        The memcpy at [C] with a negative datalen then overflows the fixed-size stack buffer buf. An attacker can trigger this vulnerability and execute arbitrary code by crafting an 11-byte UDP packet.
        The iax_header_to_event() function has a similar problem, caused by the combination of malloc(2), memset(2) and memcpy(2) with a negative length argument; in that case it is a heap overflow.
        IAX2 truncated mini-frame vulnerability
        ~~~~

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Block inbound packets to port 4569/UDP at the network perimeter.
        The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
        http://www.loudhush.ro/opencms/export/sites/default/loudhush/LoudHush1.3.7.dmg.zip
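The following C program is an added illustration, not part of the CNNVD record or of the libiax2 source: it reproduces the signed/unsigned arithmetic that turns an 11-byte datagram into a negative datalen at [C], and places beside it a hardened version of the [A]/[B] checks that drops a truncated frame before any copy. The struct names, the function names and the sample datagrams are constructed for this example; only the header layout and IAX_FLAG_FULL come from the page.

```c
#include <stddef.h>
#include <stdint.h>

#define IAX_FLAG_FULL 0x8000  /* high bit of scallno marks a full frame (iax2.h) */

/* Constructed mirrors of the two wire headers from iax2.h; the trailing
 * zero-length data arrays are left out, so sizeof gives 12 and 4 bytes. */
struct full_hdr { uint16_t scallno, dcallno; uint32_t ts;
                  uint8_t oseqno, iseqno; int8_t type; uint8_t csub; };
struct mini_hdr { uint16_t callno, ts; };

/* Same arithmetic as the vulnerable iax_net_process(): int len minus a size_t
 * sizeof is evaluated in size_t, then narrowed into the int datalen parameter of
 * iax_txcnt_session(). An 11-byte datagram gives -1; memcpy() at [C] then sees
 * (size_t)-1 == SIZE_MAX, and the original guard (!datalen) only rejects zero. */
int vulnerable_datalen(int len)
{
    size_t wide = (size_t)len - sizeof(struct full_hdr);  /* wraps when len < 12 */
    return (int)wide;
}

/* Hardened form of the [A]/[B] checks: pick the header size from the flag bit,
 * then reject a truncated frame instead of only logging it. Returns the payload
 * length, or -1 when the datagram must be dropped before any copy happens. */
int iax_payload_len(const unsigned char *buf, size_t len)
{
    if (len < sizeof(struct mini_hdr))
        return -1;                                   /* not even a call number */
    uint16_t callno = (uint16_t)((buf[0] << 8) | buf[1]);  /* network byte order */
    size_t hdr = (callno & IAX_FLAG_FULL) ? sizeof(struct full_hdr)
                                          : sizeof(struct mini_hdr);
    if (len < hdr)
        return -1;                                   /* truncated: drop it */
    return (int)(len - hdr);
}

/* Constructed datagrams: scallno 0x8001 marks a full frame, 0x0001 a mini. */
static const unsigned char short_full[11] = { 0x80, 0x01 };  /* 11 < 12: truncated */
static const unsigned char ok_full[16]    = { 0x80, 0x01 };  /* 4-byte payload */
static const unsigned char short_mini[3]  = { 0x00, 0x01 };  /* 3 < 4: truncated */
static const unsigned char ok_mini[6]     = { 0x00, 0x01 };  /* 2-byte payload */

/* Number of the four constructed datagrams the hardened check accepts (2). */
int accepted_frames(void)
{
    return (iax_payload_len(short_full, sizeof short_full) >= 0)
         + (iax_payload_len(ok_full, sizeof ok_full) >= 0)
         + (iax_payload_len(short_mini, sizeof short_mini) >= 0)
         + (iax_payload_len(ok_mini, sizeof ok_mini) >= 0);
}
```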

- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2923
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2923
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-196
(official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/18307
(PATCH)  BID  18307
http://secunia.com/advisories/20466
(VENDOR_ADVISORY)  SECUNIA  20466
http://xforce.iss.net/xforce/xfdb/27047
(UNKNOWN)  XF  iaxclient-truncated-frame-bo(27047)
http://www.vupen.com/english/advisories/2006/2286
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2286
http://www.vupen.com/english/advisories/2006/2285
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2285
http://www.vupen.com/english/advisories/2006/2284
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2284
http://www.vupen.com/english/advisories/2006/2180
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2180
http://www.securityfocus.com/archive/1/archive/1/436638/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060609 CORE-2006-0327: IAXclient truncated frames vulnerabilities
http://www.loudhush.ro/changelog.txt
(UNKNOWN)  CONFIRM  http://www.loudhush.ro/changelog.txt
http://www.gentoo.org/security/en/glsa/glsa-200606-30.xml
(UNKNOWN)  GENTOO  GLSA-200606-30
http://www.coresecurity.com/common/showdoc.php?idx=548&idxseccion=10
(UNKNOWN)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=548&idxseccion=10
http://sourceforge.net/project/shownotes.php?release_id=423099&group_id=131960
(UNKNOWN)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=423099&group_id=131960
http://secunia.com/advisories/20900
(VENDOR_ADVISORY)  SECUNIA  20900
http://secunia.com/advisories/20623
(VENDOR_ADVISORY)  SECUNIA  20623
http://secunia.com/advisories/20567
(VENDOR_ADVISORY)  SECUNIA  20567
http://secunia.com/advisories/20560
(VENDOR_ADVISORY)  SECUNIA  20560
http://iaxclient.sourceforge.net/iaxcomm/
(UNKNOWN)  CONFIRM  http://iaxclient.sourceforge.net/iaxcomm/

- Vulnerability Information

IAXClient Multiple Truncated IAX Frames Memory Corruption Vulnerability
Medium severity  Buffer overflow
2006-06-09 00:00:00 2006-06-14 00:00:00
Remote

- Advisories and Patches

- Vulnerability Information

26176
IAXClient Open Source Library iax_net_read Function Packet Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

- Timeline

2006-06-06 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

IAXClient Multiple Truncated IAX Frames Remote Buffer Overflow Vulnerabilities
Boundary Condition Error 18307
Yes No
2006-06-06 12:00:00 2006-06-30 09:09:00
Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and Ivan Arce from Core Security Technologies discovered these vulnerabilities.

- Affected Program Versions

LoudHush LoudHush 1.3.6
Kiax Kiax 0.8.5
IaxComm IaxComm 1.0
IAXClient IAXClient 0
Gentoo Linux
asterisKGuru IDEFISK Softphone 1.35
LoudHush LoudHush 1.3.7
Kiax Kiax 0.8.51
IaxComm IaxComm 1.2

- Unaffected Program Versions

LoudHush LoudHush 1.3.7
Kiax Kiax 0.8.51
IaxComm IaxComm 1.2

- Vulnerability Discussion

The IAXClient library is prone to multiple remote buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input before copying it to insufficiently sized memory buffers.

These issues allow remote attackers to execute arbitrary machine code in the context of applications that use the affected library to process IAX network datagrams.

The following packages are known to use a vulnerable version of the library:
- IDE FISK, versions 1.35 and prior
- IaxComm, versions prior to 1.2.0
- KIAX, versions 0.8.5 and prior
- LoudHush, versions 1.3.6 and prior

Other packages may also use the affected library.

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has applied fixes to their Subversion repository as of June 6, 2006. Users of affected packages should contact the vendor for information on obtaining and applying fixes.

LoudHush has released version 1.3.7 to address this issue.

Please see the reference section for details.


LoudHush LoudHush 1.3.6

- References
