JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

渗透技巧 2年前 (2022) admin
792 0 0
JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu.

By triggering these newly discovered vulnerabilities, an attacker can cause arbitrary code execution in the application that uses the PJSIP library.

JFrog Security responsibly disclosed these vulnerabilities and worked with PJSIP’s maintainers on verifying the fix to these reported security vulnerabilities.

What is the PJSIP library used for?

PJSIP supplies an API that can be used by IP telephony applications such as VoIP phones and conference applications. It is used today by the world’s most popular communication applications such as WhatsApp and BlueJeans. PJSIP is also used by Asterisk, the ubiquitous open-source PBX (private branch exchange) implementation.

The disclosed PJSIP security vulnerabilities

CVE ID Description Impact JFrog CVSS
CVE-2021-43299 Stack overflow in PJSUA API when calling pjsua_player_create Code Execution 8.1
CVE-2021-43300 Stack overflow in PJSUA API when calling pjsua_recorder_create Code Execution 8.1
CVE-2021-43301 Stack overflow in PJSUA API when calling pjsua_playlist_create Code Execution 8.1
CVE-2021-43302 Read out-of-bounds in PJSUA API when calling pjsua_recorder_create Denial of Service 5.9
CVE-2021-43303 Buffer overflow in PJSUA API when calling pjsua_call_dump Denial of Service 5.9

Who is impacted by the PJSIP vulnerabilities?

Any projects that use the PJSIP library before version 2.12 and pass attacker-controlled arguments to any of the following APIs are vulnerable:

  • pjsua_player_create –  argument must be attacker-controlledfilename
  • pjsua_recorder_create – argument must be attacker-controlledfilename
  • pjsua_playlist_create – argument must be (partially) attacker-controlledfile_names
  • pjsua_call_dump –  argument capacity must be smaller than 128 bytesbuffer

Technical breakdown

PJSIP offers a library named PJSUA that supplies an API for SIP applications. The basic PJSUA APIs are also wrapped by object-oriented APIs. PJSUA offers a rich Media Manipulation API, where we have spotted the following vulnerabilities:

CVE-2021-43299 was found in (OO wrapper – ) which creates a file player and automatically adds this player to the conference bridge.pjsua_player_createAudioMediaPlayer::createPlayer

This function contains a stack overflow vulnerability:

PJ_DEF(pj_status_t) pjsua_player_create( const pj_str_t *filename,
                     unsigned options,
                     pjsua_player_id *p_id)
{
    unsigned slot, file_id;
    char path[PJ_MAXPATH];
    ...
    pj_memcpy(path, filename->ptr, filename->slen);
    path[filename->slen] = '\0';
    ...
}

filename->ptr is being copied to without verifying that (the filename size) is at most ’s allocated size which is pathfilename->slenpathPJ_MAXPATH<c/ode> (260). Therefore, passing a filename longer than 260 characters will cause a stack overflow.

CVE-2021-43300 and CVE-2021-43302 were found in (OO wrapper – ) which creates a file recorder and automatically connects this recorder to the conference bridge.pjsua_recorder_create()AudioMediaRecorder::createRecorder

This function contains a stack overflow vulnerability:

PJ_DEF(pj_status_t) pjsua_recorder_create( const pj_str_t *filename,
                       unsigned enc_type,
                       void *enc_param,
                       pj_ssize_t max_size,
                       unsigned options,
                       pjsua_recorder_id *p_id)
{
    ...
    char path[PJ_MAXPATH];
    pj_str_t ext;
    ...
    /* Determine the file format */
    ext.ptr = filename->ptr + filename->slen - 4;
    ext.slen = 4;
   
    if (pj_stricmp2(&ext, ".wav") == 0)
    file_format = FMT_WAV;
    else if (pj_stricmp2(&ext, ".mp3") == 0)
    file_format = FMT_MP3;
    else {
        ...
    }
    ...
    pj_memcpy(path, filename->ptr, filename->slen);
    path[filename->slen] = '\0';
    ...
}

ext.ptr is set to and is set to , later is called with in order to compare the extension of the file against or .filename->ptr + filename->slen - 4ext.slen4pj_stricmp2ext“.wav”“.mp3”

The issue disclosed as CVE-2021-43302 is that doesn’t check if the length of is at least 4. If is shorter than , will cause a read out-of-bounds while comparing the strings.pjsua_recorder_createfilenamefilename4pj_stricmp2

CVE-2021-43300 is similar to CVE-2021-43299: is being copied with to the stack variable without checking that is at most the allocated size which is (260).filename->ptrmemcpypathfilename->slenpathPJ_MAXPATH

CVE-2021-43301 is another similar stack overflow vulnerability that was found in (OO wrapper – ) which creates a file playlist media port and automatically adds the port to the conference bridge.
calls with the argument mapped as :
pjsua_playlist_createAudioMediaPlayer::createPlaylistpjsua_playlist_createpjmedia_wav_playlist_createfile_namesfile_list

PJ_DEF(pj_status_t) pjmedia_wav_playlist_create(pj_pool_t *pool,
                        const pj_str_t *port_label,
                        const pj_str_t file_list[],
                        int file_count,
                        unsigned ptime,
                        unsigned options,
                        pj_ssize_t buff_size,
                        pjmedia_port **p_port)
{
    ...
    char filename[PJ_MAXPATH];  /* filename for open operations.    */
    ...
    /* Be sure all files exist  */
    for (index=0; index<file_count; index++) {
 
        PJ_ASSERT_RETURN(file_list[index].slen < PJ_MAXPATH, PJ_ENAMETOOLONG); pj_memcpy(filename, file_list[index].ptr, file_list[index].slen); filename[file_list[index].slen] = '\0'; /* Check the file really exists. */ if (!pj_file_exists(filename)) { PJ_LOG(4,(THIS_FILE, "WAV playlist error: file '%s' not found", filename)); return PJ_ENOTFOUND; } } ... /* ok run this for all files to be sure all are good for playback. */ for (index=file_count-1; index>=0; index--) {
 
        pjmedia_wave_hdr wavehdr;
        pj_ssize_t size_to_read, size_read;
 
        /* we end with the last one so we are good to go if still in function*/
        pj_memcpy(filename, file_list[index].ptr, file_list[index].slen);
        filename[file_list[index].slen] = '\0';
        ...
    }
    ...
}

The function copies each file name from to without checking if its length is at most (260). If the file name length is longer – the copy will overflow the variable and trigger a stack overflow.file_listfilenamePJ_MAXPATHfilename

CVE-2021-43303 is a buffer overflow vulnerability in – a function that dumps call statistics to a given buffer:pjsua_call_dump

PJ_DEF(pj_status_t) pjsua_call_dump( pjsua_call_id call_id,
                     pj_bool_t with_media,
                     char *buffer,
                     unsigned maxlen,
                     const char *indent)
{
    ...
    char tmp[128];
    ...
    /* tmp is being populated here */
    ...
    len = (int)pj_ansi_strlen(tmp);
    pj_ansi_strcpy(buffer, tmp);
    ...
}

The function uses in order to store the statistics temporarily and then copies it to the output argument without validating that is at most (which can be up to 128).tmpbuffermaxlenlen

This can lead to a buffer overflow if the capacity of the given parameter is smaller than .bufferlen

Fixing the vulnerabilities

In order to fully fix these vulnerabilities, we recommend upgrading PJSIP to version 2.12.

Acknowledgement

We would like to thank the PJSIP maintainers for quickly verifying the reported vulnerabilities and fixing them.

Finding vulnerable versions with JFrog Xray

In addition to exposing new security vulnerabilities and threats, JFrog provides developers and security teams easy access to the latest relevant information for their software – including the use of PJSIP open-source library versions and associated CVEs – with automated security scanning by JFrog Xray SCA tool.

 

原文始发于 JFrog :JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

版权声明:admin 发表于 2022年3月2日 下午12:49。
转载请注明:JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...