Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <51DC5F10.3000600@msgid.tls.msk.ru>
Date: Tue, 09 Jul 2013 23:05:52 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: FreeSWITCH regex substitution 3 buffer
 overflows

A week has been passed away.

But actually I'm not sure I understand the process.  What is
needed to, first, assign a CVE#, and second, to fill it in?

Thanks,

/mjt

02.07.2013 00:46, Michael Tokarev wrote:
> Hello.
> 
> Yesterday I started thinking for the first time about some VOIP
> solution for our office, and come across FreeSWITCH software --
> www.freeswitch.org.  After talking on IRC a bit, I decided to
> take a look at the source, because a question asked by one of
> the users looked interesting to me.
> 
> And immediately I discovered 3 buffer overflows in the _first_
> function I ever saw in the source of this software.
> 
> http://jira.freeswitch.org/browse/FS-5566 - it is the original
>  bugreport which looked innocent enough initially.
> 
> http://jira.freeswitch.org/secure/attachment/18855/0001-regex_subst-allow-n-in-regex-substitutions-and-fix-3.patch --
>  this is a patch of mine that fixes initial bug and also 3
>  buffer overflows I found when dealing with the issue.
> 
> Some context.  FreeSWITCH's routing mechanism is based almost
> entirely on regular expressions and uses substring matches
> in the core routing (dialplan).  So the regexps are matched
> against untrusted input (which is especially mentioned in the
> docs).  But ofcourse users aren't easy with writing regexps
> correctly, always constraining the length of the input
> properly.
> 
> So, if there are any references to unconstrained input in
> any dialplan expressions -- that is, instead of \d{10},
> \d+ is used, we're getting a remotely triggerable buffer
> overflows with good potential of remote code execution.
> 
> As simple as that.
> 
> It _looks_ like the default configuration isn't affected
> since apparently all regexes there are constrained.  But
> we can't be sure for all user configs.
> 
> I haven't studied actual potential for code execution,
> but from a quick view it appears quite possible.
> 
> Thanks,
> 
> /mjt
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.