
Asterisk SIP Stack Overflow

Discussion in 'Bug Reporting and Fixes' started by wardmundy, Jan 18, 2011.

  1. wardmundy Nerd Uno

    Be advised that a new SIP vulnerability has been identified for systems that enable SIP access from untrusted sources. This vulnerability exists in all releases of Asterisk below the following versions:


    Patches for earlier versions are included below. You can read the announcement here.

    Special thanks to Malcolm Davenport for the heads up.


    Description
    When forming an outgoing SIP request while in pedantic mode, a stack buffer can be made to overflow if supplied with carefully crafted caller ID information. This vulnerability also affects the URIENCODE dialplan function and, in some versions of Asterisk, the AGI dialplan application as well. The ast_uri_encode function does not properly respect the size of its output buffer and can write past the end of it when encoding URIs.


    Resolution
    The size of the output buffer passed to the ast_uri_encode function is now properly respected.


    In Asterisk versions not containing the fix for this issue, limiting strings originating from remote sources that will be URI encoded to a length of 40 characters will protect against this vulnerability.


    exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40})
    exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40})
    exten => s,n,Dial(SIP/channel)



    The CALLERID(num) and CALLERID(name) channel values, and any strings passed to the URIENCODE dialplan function should be limited in this manner.
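
An added example, not part of the original post and not Asterisk's own code: a percent-encoder that honours its output buffer size, which is the property the Resolution above says was restored. `uri_encode_bounded` and the sample caller ID are hypothetical; because any input byte can expand to three output bytes, a 40-character string needs at most 121 bytes including the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ast_uri_encode): percent-encodes src into out,
 * never writing more than outlen bytes, NUL included. Returns the number
 * of source bytes consumed; less than strlen(src) means truncation. */
static size_t uri_encode_bounded(const char *src, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t used = 0, consumed = 0;

    if (outlen == 0)
        return 0;
    for (; src[consumed] != '\0'; consumed++) {
        unsigned char c = (unsigned char)src[consumed];
        int plain = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9') ||
                    strchr("-_.~", c) != NULL;  /* RFC 3986 unreserved */
        size_t need = plain ? 1 : 3;

        /* Reserve room for the whole escape plus the terminator before
         * writing any of it; a partial "%3" is never emitted. */
        if (used + need + 1 > outlen)
            break;
        if (plain) {
            out[used++] = (char)c;
        } else {
            out[used++] = '%';
            out[used++] = hex[c >> 4];
            out[used++] = hex[c & 0x0F];
        }
    }
    out[used] = '\0';
    return consumed;
}

int main(void)
{
    /* Constructed caller ID value, for illustration only. */
    const char *cid = "\"Alice\" <sip:1000@example.invalid>";
    char out[16];
    size_t n = uri_encode_bounded(cid, out, sizeof out);
    printf("%zu of %zu bytes encoded: %s\n", n, strlen(cid), out);
    return 0;
}
```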
  2. lgaetz Pundit

    I got this wonderful message when trying to follow the directions above on my Asterisk 1.4.21.2, probably due to user error:

    Code:
    Hunk #1 FAILED at 388.
    1 out of 1 hunk FAILED -- saving rejects to file main/utils.c.rej
    
    Will this be rolled into the update-fixes so that I get a "fool-resistant" fix?

    Lorne
  3. wardmundy Nerd Uno

    Patch for Asterisk 1.4 Systems

    The following patch only works on PIAF-Silver and DAHDI-based versions of Asterisk 1.4:

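    Code:
    #!/bin/bash
    # Apply the AST-2011-001 source patch to Asterisk 1.4.x, then rebuild and reinstall.
    echo "Patching Asterisk 1.4.x for SIP vulnerability..."
    cd /usr/src/asterisk || exit 1
    wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff || exit 1
    # Stop here if any hunk is rejected, so an unpatched tree is not rebuilt.
    patch -p0 < AST-2011-001-1.4.diff || { echo "Patch failed; Asterisk was not rebuilt."; exit 1; }
    amportal stop
    make clean
    ./configure
    make
    make install
    amportal start
    echo "Done."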

    For PIAF-Gold and Zaptel-based versions of Asterisk 1.4, use the following patch contributed by RentPBX:

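    Code:
    #!/bin/bash
    # Apply the RentPBX utils.c patch for PIAF-Gold (Zaptel), then rebuild and reinstall.
    echo "Patching PIAF-Gold for SIP vulnerability..."
    cd /usr/src/asterisk || exit 1
    wget http://pbxinaflash.com/utils.patch.gold || exit 1
    # Stop here if any hunk is rejected, so an unpatched tree is not rebuilt.
    patch -p0 < utils.patch.gold || { echo "Patch failed; Asterisk was not rebuilt."; exit 1; }
    amportal stop
    make clean
    ./configure
    make
    make install
    amportal start
    echo "Done."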
  4. wardmundy Nerd Uno

    Asterisk 1.8 SIP Vulnerability Patch

    A major SIP security vulnerability was discovered in all versions of Asterisk today. You can read all about it here.

    We have developed a script for Asterisk 1.8.x only which will quickly patch your system and eliminate the problem. Log into your server as root and issue the following commands:


    Please apply this patch immediately to protect your server!
  5. wardmundy Nerd Uno

    Asterisk 1.6.2 SIP Vulnerability Patch

    Here is the script for patching existing PIAF-Bronze systems:

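    Code:
    #!/bin/bash
    # Apply the AST-2011-001 source patch to Asterisk 1.6.2.x, then rebuild and reinstall.
    echo "Patching Asterisk 1.6.2.x for SIP vulnerability..."
    cd /usr/src/asterisk || exit 1
    wget http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff || exit 1
    # Stop here if any hunk is rejected, so an unpatched tree is not rebuilt.
    patch -p0 < AST-2011-001-1.6.2.diff || { echo "Patch failed; Asterisk was not rebuilt."; exit 1; }
    amportal stop
    make clean
    ./configure
    make
    make install
    amportal start
    echo "Done."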
  6. wardmundy Nerd Uno

    New PIAF-Silver, Bronze and Purple Now Available

    All new installs of PIAF-Silver, Bronze, and Purple now include Asterisk versions with the SIP vulnerability patch applied.

    For those still using PIAF-Gold including new downloads, you will need to patch it yourself using the Asterisk 1.4 patch instructions above.
  7. phoenixkv New Member

    Updated Breaks UI?

    It appears that this update on a Purple machine breaks the web UI?

    I've attached examples.


  8. lgaetz Pundit

    Correct patch download is confirmed. I was unable to patch my system running Asterisk 1.4.21.2. I ended up downloading revision 301305 of /usr/src/asterisk//main/utils.c from here and continuing with the script.

    Lorne
  9. wardmundy Nerd Uno

    New PIAF-Purple OpenVZ Template with SIP Security Patch Now Available at SourceForge.net.
  10. wardmundy Nerd Uno

    That's a Google Chrome problem, I believe. Try Firefox.
  11. The Deacon Guru

    Just ran the patch for Asterisk 1.4.x, PIAF-Gold, PIAF-Silver Systems and at the very end saw this:

    Code:
    WARNING WARNING WARNING
    
     Your Asterisk modules directory, located at
     /usr/lib/asterisk/modules
     contains modules that were not installed by this 
     version of Asterisk. Please ensure that these
     modules are compatible with this version before
     attempting to run Asterisk.
    
        app_addon_sql_mysql.so
        app_devstate.so
        app_flite.so
        app_nv_backgrounddetect.so
        app_nv_faxdetect.so
        app_pickup2.so
        app_rxfax.so
        app_saycountpl.so
        app_swift.so
        app_txfax.so
        cdr_addon_mysql.so
        chan_ooh323.so
        format_mp3.so
        func_devstate.so
        res_config_mysql.so
    
     WARNING WARNING WARNING
    
    
    SETTING FILE PERMISSIONS
    Permissions OK
    
    STARTING ASTERISK
    Asterisk Started
    
    STARTING FOP SERVER
    FOP Server Started
    Done.
    
    I'm assuming that this is nothing to be concerned about.
  12. jdouglas50 New Member

    1.4.xx Patch

    This was a good install on my system 1.4.36



  13. MyKroFt Guru

    Guess I am finally gonna have to bite the bullet and update 1.4.x here at work, as the patch is for a version beyond the locked ver that uses zaptel.

    Guess it's time to get my feet wet with DAHDI :(
  14. MyKroFt Guru

    the 1.4 patch does not work for the locked zaptel version....

  15. wardmundy Nerd Uno

    New PIAF-Gold Patch from RentPBX

    Our special thanks to RentPBX.com for development of a patch that works on PIAF-Gold and other Zaptel editions (we think) of Asterisk 1.4:

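    Code:
    #!/bin/bash
    # Apply the RentPBX utils.c patch for PIAF-Gold (Zaptel), then rebuild and reinstall.
    echo "Patching PIAF-Gold for SIP vulnerability..."
    cd /usr/src/asterisk || exit 1
    wget http://pbxinaflash.com/utils.patch.gold || exit 1
    # Stop here if any hunk is rejected, so an unpatched tree is not rebuilt.
    patch -p0 < utils.patch.gold || { echo "Patch failed; Asterisk was not rebuilt."; exit 1; }
    amportal stop
    make clean
    ./configure
    make
    make install
    amportal start
    echo "Done."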
  16. wardmundy Nerd Uno

    FreePBX Patch

    This just in from Philippe Lindheimer at FreePBX:

  17. wardmundy Nerd Uno

    PIAF-Gold, Silver, Bronze & Purple Announcement

    As of 5 p.m. Eastern time today, ALL new PBX in a Flash installs now include Asterisk SIP stack buffer overflow protection. Coming soon to update-fixes.

    Well, not quite. See below.
  18. phoenixkv New Member

    Those snapshots are from Firefox and IE ... I don't use Google Chrome on my PC.
  19. wardmundy Nerd Uno

    New, New, New PIAF Updates

    As of 5 p.m. Eastern time today, ALL new PBX in a Flash installs now include Asterisk SIP stack buffer overflow protection... even Asterisk 1.8. Also available by running update-programs and then update-fixes.

    If you want more history, see this thread.
  20. tm1000 Schmoozecom INC/FreePBX

    That's been broken for a long time. Well before this patch.
