Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows

[Michael Tokarev <mjt () tls msk ru>]

A week has been passed away.

But actually I'm not sure I understand the process.  What is
needed to, first, assign a CVE#, and second, to fill it in?

Thanks,

/mjt

02.07.2013 00:46, Michael Tokarev wrote:
> Hello.
>
> Yesterday I started thinking for the first time about some VOIP
> solution for our office, and come across FreeSWITCH software --
> www.freeswitch.org.  After talking on IRC a bit, I decided to
> take a look at the source, because a question asked by one of
> the users looked interesting to me.
>
> And immediately I discovered 3 buffer overflows in the _first_
> function I ever saw in the source of this software.
>
> http://jira.freeswitch.org/browse/FS-5566 - it is the original
>  bugreport which looked innocent enough initially.
>
> http://jira.freeswitch.org/secure/attachment/18855/0001-regex_subst-allow-n-in-regex-substitutions-and-fix-3.patch --
>  this is a patch of mine that fixes initial bug and also 3
>  buffer overflows I found when dealing with the issue.
>
> Some context.  FreeSWITCH's routing mechanism is based almost
> entirely on regular expressions and uses substring matches
> in the core routing (dialplan).  So the regexps are matched
> against untrusted input (which is especially mentioned in the
> docs).  But ofcourse users aren't easy with writing regexps
> correctly, always constraining the length of the input
> properly.
>
> So, if there are any references to unconstrained input in
> any dialplan expressions -- that is, instead of \d{10},
> \d+ is used, we're getting a remotely triggerable buffer
> overflows with good potential of remote code execution.
>
> As simple as that.
>
> It _looks_ like the default configuration isn't affected
> since apparently all regexes there are constrained.  But
> we can't be sure for all user configs.
>
> I haven't studied actual potential for code execution,
> but from a quick view it appears quite possible.
>
> Thanks,
>
> /mjt