Bug#395080: Network Management SPAM Rejected

SPAM filter at NETMAN.COM spam at netman.com
Sun Nov 19 02:18:14 CET 2006


Network Management SPAM Rejected

***ALERT******ALERT******ALERT******ALERT******ALERT***
If you have received this message, your email has been marked 
SPAM by NETMAN.COM.
The message has not been forwarded on to the intended user.  
We do NOT ALLOW unsolicited emailing on this domain.  

Please remove this email address from your lists.

If your email was NOT unsolicited, please contact the Email 
user for further options.  You can also check the HEADER of 
the message to see if your mail server is listed on our  
Relay Black Lists.  We use SPAMCOP, RELAYS.VISI.COM and  
ORDB.ORG.  You should see an X-HEADER (see below) with the 
relay list that listed your server.  Contact the relay list 
provider for further removal instructions.

Network Management, Inc.



Original Message:
Received: from SMTP32-FWD by sbnets.com
  (SMTP32) id AB05CA8CE0080182A; Sat, 18 Nov 2006 19:18:13 -0600
Received: from master.debian.org [70.103.162.29] by mail.netman.com with ESMTP
  (SMTPD32-8.15) id A05CA8CE0080; Sat, 18 Nov 2006 19:16:12 -0600
Received: from qa by master.debian.org with local (Exim 4.50)
	id 1GlbI2-0000qe-9z
	for jrad at sbnets.com; Sun, 19 Nov 2006 01:16:10 +0000
Received: from spohr.debian.org ([140.211.166.43]) by master.debian.org
 with esmtp (Exim 4.50) id 1Glalp-0006CP-Rn for
 asterisk at packages.qa.debian.org; Sun, 19 Nov 2006 00:42:54 +0000
Received: from debbugs by spohr.debian.org with local (Exim 4.50) id
 1GlacL-0003h6-6l; Sat, 18 Nov 2006 16:33:05 -0800
X-Loop: owner at bugs.debian.org
Subject: Bug#395080: CVE-2006-5445: Denial of service in chan_sip
Reply-To: Ben Hutchings <ben at decadent.org.uk>, 395080 at bugs.debian.org
Resent-From: Ben Hutchings <ben at decadent.org.uk>
Resent-To: debian-bugs-dist at lists.debian.org
Resent-CC: Debian VoIP Team <pkg-voip-maintainers at lists.alioth.debian.org>
Resent-Date: Sun, 19 Nov 2006 00:33:04 +0000
Resent-Message-Id: <handler.395080.B395080.116389617328043 at bugs.debian.org>
X-Debian-PR-Message: report 395080
X-Debian-PR-Package: asterisk
X-Debian-PR-Keywords: security
X-Debian-PR-Source: asterisk
Received: via spool by 395080-submit at bugs.debian.org
 id=B395080.116389617328043 (code B ref 395080); Sun, 19 Nov 2006 00:33:04
 +0000
Received: (at 395080) by bugs.debian.org; 19 Nov 2006 00:29:33 +0000
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]) by
 spohr.debian.org with esmtp (Exim 4.50) id 1GlaYv-0007HP-4C for
 395080 at bugs.debian.org; Sat, 18 Nov 2006 16:29:33 -0800
Received: from [192.168.4.138] (helo=deadeye.i.decadentplace.org.uk) by
 shadbolt.decadent.org.uk with esmtp (Exim 4.50) id 1GlaYl-0008N4-Kp for
 395080 at bugs.debian.org; Sun, 19 Nov 2006 00:29:29 +0000
Received: from womble by deadeye.i.decadentplace.org.uk with local (Exim
 4.63) (envelope-from <ben at decadent.org.uk>) id 1GlaYx-0008Sz-D0 for
 395080 at bugs.debian.org; Sun, 19 Nov 2006 00:29:35 +0000
From: Ben Hutchings <ben at decadent.org.uk>
To: 395080 at bugs.debian.org
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="=-P2fnCnnG9WVR+A50K/+E"
Date: Sun, 19 Nov 2006 00:29:35 +0000
Message-Id: <1163896175.28058.22.camel at deadeye.i.decadentplace.org.uk>
MIME-Version: 1.0
X-Mailer: Evolution 2.6.3
X-Sa-Exim-Connect-Ip: 192.168.4.138
X-Sa-Exim-Mail-From: ben at decadent.org.uk
X-Sa-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-Sa-Exim-Scanned: Yes (on shadbolt.decadent.org.uk)
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
 version=2.60-bugs.debian.org_2005_01_02
Resent-Sender: Debian BTS <debbugs at bugs.debian.org>
Resent-Date: Sat, 18 Nov 2006 16:33:05 -0800
Delivered-To: asterisk at packages.qa.debian.org
Precedence: list
X-Loop: asterisk at packages.qa.debian.org
X-PTS-Package: asterisk
X-PTS-Keyword: bts
X-Unsubscribe: echo 'unsubscribe asterisk' | mail pts at qa.debian.org
X-IMAIL-SPAM-DNSBL: (SpamCop,b05ca8ce0080182a,127.0.0.2)


--=-P2fnCnnG9WVR+A50K/+E
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

The fix for CVE-2006-5445 in the 1.2 branch appears to be:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=45306&r2=45380

There's no corresponding fix in the 1.0 branch.

Here's my attempt at backporting it.  This is untested, since I don't
run Asterisk myself.

The initialisation of the SIP context (sip_pvt) is a bit different in
1.0 and I've copied what looks like the corresponding code from
sip_alloc() into transmit_response_using_temp().  I added a call to
build_contact() because __send_response() indirectly uses the
our_contact member.

In 1.0 there's no validation of commands before the call to find_call() and
there's no sip_method array.  Therefore I wrote string comparisons
against all the commands that are allowed to create a new SIP context
based on the flags in the 1.2 code, minus "PUBLISH" because that isn't
supported at all (I'm not sure this is correct; we may end up sending
the wrong error message).

Ben.

--- asterisk-1.0.7.dfsg.1/channels/chan_sip.c.orig	2006-11-18 20:25:43.0000=
00000 +0000
+++ asterisk-1.0.7.dfsg.1/channels/chan_sip.c	2006-11-18 23:22:41.000000000=
 +0000
@@ -557,6 +557,7 @@
 static struct ast_ha *localaddr;
=20
 static struct ast_frame  *sip_read(struct ast_channel *ast);
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *=
sin, int useglobal_nat, struct sip_request *req, char *msg);
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_requ=
est *req);
 static int transmit_response_with_sdp(struct sip_pvt *p, char *msg, struct=
 sip_request *req, int retrans);
 static int transmit_response_with_auth(struct sip_pvt *p, char *msg, struc=
t sip_request *req, char *rand, int reliable, char *header);
@@ -2364,7 +2365,7 @@
 	char *callid;
 	char tmp[256] =3D "";
 	char iabuf[INET_ADDRSTRLEN];
-	char *cmd;
+	const char *cmd =3D req->rlPart1;
 	char *tag =3D "", *c;
=20
 	callid =3D get_header(req, "Call-ID");
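
Review bot: cmd is now read from req->rlPart1 at its declaration, whereas the code removed in the next hunk derived it locally from req->header[0], and nothing in this patch shows rlPart1 being filled in before find_call() runs in the 1.0 branch. If the first-line parsing happens after this call, cmd is NULL or stale and every strcasecmp(cmd, ...) below reads through it, so either confirm the ordering or keep a local parse of header[0] and add a NULL check before the first comparison.
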
@@ -2378,11 +2379,6 @@
 		   SIP implementations, and thus Asterisk does not enable this behavior
 		   by default. Short version: You'll need this option to support confere=
ncing
 		   on the pingtel */
-		strncpy(tmp, req->header[0], sizeof(tmp) - 1);
-		cmd =3D tmp;
-		c =3D strchr(tmp, ' ');
-		if (c)
-			*c =3D '\0';
 		if (!strcasecmp(cmd, "SIP/2.0"))
 			strncpy(tmp, get_header(req, "To"), sizeof(tmp) - 1);
 		else
@@ -2414,9 +2410,19 @@
 		p =3D p->next;
 	}
 	ast_mutex_unlock(&iflock);
-	p =3D sip_alloc(callid, sin, 1);
-	if (p)
-		ast_mutex_lock(&p->lock);
+
+	if (strcasecmp(cmd, "REGISTER")
+	    && strcasecmp(cmd, "OPTIONS")
+	    && strcasecmp(cmd, "INVITE")
+	    && strcasecmp(cmd, "SUBSCRIBE")
+	    && strcasecmp(cmd, "MESSAGE")) {
+		if (strcasecmp(cmd, "RESPONSE"))
+			transmit_response_using_temp(callid, sin, 1, req, "481 Call leg/transac=
tion does not exist");
+	} else {
+		p =3D sip_alloc(callid, sin, 1);
+		if (p)
+			ast_mutex_lock(&p->lock);
+	}
 	return p;
 }
=20
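
Review bot: the inner test strcasecmp(cmd, "RESPONSE") can never match. cmd is the first token of the first line, and the unchanged context in the previous hunk recognises a response by comparing that same cmd with "SIP/2.0", so a response that matches no existing call falls through to transmit_response_using_temp() and has a 481 sent back at it. Compare against "SIP/2.0" here as well, so that only unmatched requests are answered.
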
@@ -3218,6 +3224,45 @@
 	return send_response(p, &resp, reliable, seqno);
 }
=20
+/*--- transmit_response_using_temp: Transmit response, no retransmits, usi=
ng temporary pvt */
+static int transmit_response_using_temp(char *callid, struct sockaddr_in *=
sin, int useglobal_nat, struct sip_request *req, char *msg)
+{
+	struct sip_pvt *p =3D alloca(sizeof(*p));
+	char iabuf[INET_ADDRSTRLEN];
+
+	memset(p, 0, sizeof(*p));
+
+	if (sin) {
+		memcpy(&p->sa, sin, sizeof(p->sa));
+		if (ast_sip_ouraddrfor(&p->sa.sin_addr, &p->ourip))
+			memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+	} else
+		memcpy(&p->ourip, &__ourip, sizeof(p->ourip));
+	p->branch =3D rand();
+	p->tag =3D rand();
+	p->ocseq =3D 101;
+
+	if (useglobal_nat && sin) {
+		/* Setup NAT structure according to global settings if we have an addres=
s */
+		p->nat =3D global_nat;
+		memcpy(&p->recv, sin, sizeof(p->recv));
+	}
+
+	strncpy(p->fromdomain, default_fromdomain, sizeof(p->fromdomain) - 1);
+	/* z9hG4bK is a magic cookie.  See RFC 3261 section 8.1.1.7 */
+	if (p->nat !=3D SIP_NAT_NEVER)
+		snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP %s:%d;branch=3Dz9hG4bK%08x=
;rport", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch)=
;
+	else
+		snprintf(p->via, sizeof(p->via), "SIP/2.0/UDP %s:%d;branch=3Dz9hG4bK%08x=
", ast_inet_ntoa(iabuf, sizeof(iabuf), p->ourip), ourport, p->branch);
+	strncpy(p->callid, callid, sizeof(p->callid) - 1);
+
+	build_contact(p);
+
+	__transmit_response(p, msg, req, 0);
+
+	return 0;
+}
+
 /*--- transmit_response: Transmit response, no retransmits */
 static int transmit_response(struct sip_pvt *p, char *msg, struct sip_requ=
est *req)=20
 {
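
Review bot: transmit_response_using_temp() discards the result of __transmit_response() and always returns 0, so a failed send is invisible to the caller; ending with return __transmit_response(p, msg, req, 0); would propagate it. Because p lives in alloca() storage that disappears when the function returns, it is also worth confirming that nothing reached from build_contact() or __transmit_response() keeps a pointer to it, and a short comment saying so would help the next reader.
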
-- END --

--=20
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.

--=-P2fnCnnG9WVR+A50K/+E--






