Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 03 Jul 2013 21:37:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Michael Tokarev <mjt@....msk.ru>, Michael Jerris <mike@...ris.com>,
        Ken Rice <krice@...eswitch.org>
Subject: Re: CVE request: FreeSWITCH regex substitution 3 buffer
 overflows

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/01/2013 02:46 PM, Michael Tokarev wrote:
> Hello.
> 
> Yesterday I started thinking for the first time about some VOIP 
> solution for our office, and come across FreeSWITCH software -- 
> www.freeswitch.org.  After talking on IRC a bit, I decided to take
> a look at the source, because a question asked by one of the users
> looked interesting to me.
> 
> And immediately I discovered 3 buffer overflows in the _first_ 
> function I ever saw in the source of this software.
> 
> http://jira.freeswitch.org/browse/FS-5566 - it is the original 
> bugreport which looked innocent enough initially.
> 
> http://jira.freeswitch.org/secure/attachment/18855/0001-regex_subst-allow-n-in-regex-substitutions-and-fix-3.patch
> -- this is a patch of mine that fixes initial bug and also 3 buffer
> overflows I found when dealing with the issue.
> 
> Some context.  FreeSWITCH's routing mechanism is based almost 
> entirely on regular expressions and uses substring matches in the
> core routing (dialplan).  So the regexps are matched against
> untrusted input (which is especially mentioned in the docs).  But
> ofcourse users aren't easy with writing regexps correctly, always
> constraining the length of the input properly.
> 
> So, if there are any references to unconstrained input in any
> dialplan expressions -- that is, instead of \d{10}, \d+ is used,
> we're getting a remotely triggerable buffer overflows with good
> potential of remote code execution.
> 
> As simple as that.
> 
> It _looks_ like the default configuration isn't affected since
> apparently all regexes there are constrained.  But we can't be sure
> for all user configs.
> 
> I haven't studied actual potential for code execution, but from a
> quick view it appears quite possible.
> 
> Thanks,
> 
> /mjt

Same researcher/version/vuln type so CVE MERGE. Please use
CVE-2013-2238 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR1O3mAAoJEBYNRVNeJnmTwA4QAMVxd81ar5PHUNo/NRf+giHU
EQhYZBvIQIysyFeOn3SAmeAcO4j0+t+t06Hmm23gR7YKHhj04PvHhCHCo+12WKt5
3susjMf9XfR0hlXoGK0Buzn9ICx7GzR8Gxq9omevNkacJHySdhHrUVbjpd/lLjtK
iR0IUG/+7w/5guznzT+NaKVPc1jkxjE+agH4gIO553V1ZgmN7U9S16/FylL8Z9PD
0uRyzztah/4pE4Ic/OMhwRUMX2B1s894oW0NxIqS4nhsp6Wwzqbp5+SDQLt18Vcc
EzrrnAd8JGWswqZylZTmgOGOG0uuXtkq+WIKqKDx4B6I+RdBipQ/+3GGWY+giaAT
P6vfSMU+VvzjJ6iYQRanRzJIiZQogfmRIhDXHjtOBR32/uZinZdSPm1GWMaBcRFq
ZLbUEjtIjN3zVffYF2lZtYspQ1iIy4OHddanpYBlcBNQSqgpW5ChNQB0/+JkwE3h
fOV/PEs+TAK7U/exVshWnF93Hr85B167q274ViWb+9/VOjfiUvHGcjbkYiVthv5P
xkBkj4PNkYssdncXlRCH43ImO0APAy3dDbOUozEgJ8iPU9hIDWb+3/J5uODY/tz+
Tmbk8Ni69hIe3F4uMk0B5HOapTAfbcOzp+Gz1CPfMhZ2xpEZJNnHgqJ7j4b7kGAr
0/y4JDV6gsCe7QAKaaID
=HSFr
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.