oss-sec mailing list archives
Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows
From: Michael Tokarev <mjt () tls msk ru>
Date: Tue, 09 Jul 2013 23:05:52 +0400
A week has passed. But actually I'm not sure I understand the process. What is needed to, first, assign a CVE#, and second, to fill it in?

Thanks,

/mjt

02.07.2013 00:46, Michael Tokarev wrote:
Hello.

Yesterday I started thinking for the first time about some VOIP solution for our office, and came across FreeSWITCH software -- www.freeswitch.org. After talking on IRC a bit, I decided to take a look at the source, because a question asked by one of the users looked interesting to me. And immediately I discovered 3 buffer overflows in the _first_ function I ever saw in the source of this software.

http://jira.freeswitch.org/browse/FS-5566 - it is the original bug report which looked innocent enough initially.

http://jira.freeswitch.org/secure/attachment/18855/0001-regex_subst-allow-n-in-regex-substitutions-and-fix-3.patch -- this is a patch of mine that fixes the initial bug and also 3 buffer overflows I found when dealing with the issue.

Some context. FreeSWITCH's routing mechanism is based almost entirely on regular expressions and uses substring matches in the core routing (dialplan). So the regexps are matched against untrusted input (which is especially mentioned in the docs). But of course users aren't easy with writing regexps correctly, always constraining the length of the input properly. So, if there are any references to unconstrained input in any dialplan expressions -- that is, instead of \d{10}, \d+ is used, we're getting remotely triggerable buffer overflows with good potential of remote code execution. As simple as that.

It _looks_ like the default configuration isn't affected since apparently all regexes there are constrained. But we can't be sure for all user configs.

I haven't studied actual potential for code execution, but from a quick view it appears quite possible.

Thanks,

/mjt
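An added illustration, not part of this thread and not FreeSWITCH's own switch_regex code: a hypothetical substitution routine that expands $N / \N capture references into a caller-sized buffer and refuses to write past it, so an unconstrained capture such as [0-9]+ on a long untrusted subject yields an error instead of an overflow. It assumes POSIX regex.h; the function names, the demo_out buffer and the sample inputs are constructed for the example.

```c
#include <regex.h>
#include <string.h>
char demo_out[64];   /* constructed output buffer for the example calls */
/* Append src[0..n) at out[*pos]; refuse, instead of overflowing, when the
 * bytes plus the terminating NUL would not fit in outlen. */
static int append_bounded(char *out, size_t outlen, size_t *pos,
                          const char *src, size_t n)
{
    if (n > outlen - 1 - *pos)
        return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}
/* Hypothetical routine (not FreeSWITCH code): match `pattern` (POSIX ERE)
 * against `subject`, expand `replacement` where "$N" or "\N" (N = 0..9) is
 * capture group N. Returns the output length, -1 if the result does not fit
 * in out[outlen] (the caller's size is the hard limit), -2 on no match. */
int bounded_regex_subst(const char *pattern, const char *subject,
                        const char *replacement, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    size_t pos = 0;
    if (outlen == 0 || regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -2;
    int rc = regexec(&re, subject, 10, m, 0);
    regfree(&re);                    /* m[] stays valid after regfree */
    if (rc != 0)
        return -2;
    out[0] = '\0';
    for (const char *p = replacement; *p; p++) {
        if ((*p == '$' || *p == '\\') && p[1] >= '0' && p[1] <= '9') {
            int g = *++p - '0';
            if (m[g].rm_so < 0)      /* group did not participate: empty */
                continue;
            size_t n = (size_t)(m[g].rm_eo - m[g].rm_so);
            if (append_bounded(out, outlen, &pos, subject + m[g].rm_so, n) < 0)
                return -1;           /* an unconstrained capture would overflow */
        } else if (append_bounded(out, outlen, &pos, p, 1) < 0) {
            return -1;
        }
    }
    return (int)pos;
}
```

With a dialplan-style pattern like `^([0-9]+)$` and a 40-digit subject, the call returns -1 for a 16-byte destination rather than writing past it; the same call into demo_out (64 bytes) succeeds.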
Current thread:
- CVE request: FreeSWITCH regex substitution 3 buffer overflows Michael Tokarev (Jul 01)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Kurt Seifried (Jul 03)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Michael Tokarev (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Kurt Seifried (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Adam D. Barratt (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Kurt Seifried (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Michael Tokarev (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Adam D. Barratt (Jul 09)
- Re: CVE request: FreeSWITCH regex substitution 3 buffer overflows Michael Tokarev (Jul 09)