0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
freeswitch Heap Overflow Vulnerability
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
1. Advisory Information Title: Heap overflow in freeswitch json parser < 1.6.2 & < 1.4.23 Submitter: Marcello Duarte (marcello@cybersightgroup.com) Product: freeswitch Product URL: http://freeswitch.org Affected Versions: freeswitch < 1.6.2 & < 1.4.23 Fixed Versions: 1.6.2 , 1.4.23 Link to source code diff: https://freeswitch.org/stash/projects/FS/repos/freeswitch/commits/cf892528a1a107ed6eb67fb98ed22533e27778fd CVE Status: CVE-2015-7392 2. Vulnerability Information Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No 3. Vulnerability Description Product Information: FreeSWITCH is a scalable open source cross-platform telephony platform designed to route and interconnect popular communication protocols using audio, video, text or any other form of media. It was created in 2006 to fill the void left by proprietary commercial solutions. FreeSWITCH also provides a stable telephony platform on which many applications can be developed using a wide range of free tools. Vulnerability: A carefully crafted json string supplied to cJSON_Parse will trigger a heap overflow with user controlled data. The underlying vulnerability occurs in the parse_string function. By passing a json string with \u at the end of the string will cause the parser to increment past the null at the end of string. This confuses the code responsible for copying the string. Since it doesn't detect the NULL in this situation, it will keep copying until it hits a null in memory. This leads to a heap overflow with user controlled data. Any modules or core code which allows user supplied json to enter the json parser will be vulnerable. Vulnerable Source Code: static const char *parse_string(cJSON *item, const char *str) { ... /* HACKLOG The length of string is determined here, it will stop counting when it hits a null */ while (*ptr != '\"' && *ptr && ++len) if (*ptr++ == '\\') ptr++; /* Skip escaped quotes. */ /* HACKLOG The buffer is alloced with the length obtained from the previous section */ out = (char *)cJSON_malloc( len + 1); /* This is how long we need for the string, roughly. */ if (!out) return 0; /* HACKLOG the following code will copy the string into the alloced buffer taking into account utf16 to utf8 conversion */ ptr = str + 1; ptr2 = out; /* 1 */ while (*ptr != '\"' && *ptr) { if (*ptr != '\\') *ptr2++ = *ptr++; else { ptr++; switch (*ptr) { case 'b': *ptr2++ = '\b'; break; case 'f': *ptr2++ = '\f'; break; case 'n': *ptr2++ = '\n'; break; case 'r': *ptr2++ = '\r'; break; case 't': *ptr2++ = '\t'; break; case 'u': /* transcode utf16 to utf8. */ if (sscanf(ptr + 1, "%4x", &uc) < 1) break; ptr += 4; /* get the unicode char. */ if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0) break; // check for invalid. if (uc >= 0xD800 && uc <= 0xDBFF) // UTF16 surrogate pairs. { if (ptr[1] != '\\' || ptr[2] != 'u') break; // missing second-half of surrogate. if (sscanf(ptr + 3, "%4x", &uc2) < 1) break; ptr += 6; if (uc2 < 0xDC00 || uc2 > 0xDFFF) break; // invalid second-half of surrogate. uc = 0x10000 | ((uc & 0x3FF) << 10) | (uc2 & 0x3FF); } len = 4; if (uc < 0x80) len = 1; else if (uc < 0x800) len = 2; else if (uc < 0x10000) len = 3; ptr2 += len; switch (len) { case 4: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 3: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 2: *--ptr2 = ((uc | 0x80) & 0xBF); uc >>= 6; case 1: *--ptr2 = (char)(uc | firstByteMark[len]); } ptr2 += len; break; default: *ptr2++ = *ptr; break; } /* HACKLOG INCREMENTS past null here, causing the while loop to not detect the end of the buffer so it keeps copying past the end of the alloced buffer */ ptr++; } 4. Vendor Information, Solutions Freeswitch has released versions 1.6.2 , 1.4.23 which fix the issue. # 0day.today [2024-10-06] #