JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library
JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu.
By triggering these newly discovered vulnerabilities, an attacker can cause arbitrary code execution in the application that uses the PJSIP library.
JFrog Security responsibly disclosed these vulnerabilities and worked with PJSIP’s maintainers on verifying the fix to these reported security vulnerabilities.
What is the PJSIP library used for?
PJSIP supplies an API that can be used by IP telephony applications such as VoIP phones and conference applications. It is used today by the world’s most popular communication applications such as WhatsApp and BlueJeans. PJSIP is also used by Asterisk, the ubiquitous open-source PBX (private branch exchange) implementation.
The disclosed PJSIP security vulnerabilities
| CVE ID | Description | Impact | JFrog CVSS |
| CVE-2021-43299 | Stack overflow in PJSUA API when calling pjsua_player_create |
Code Execution | 8.1 |
| CVE-2021-43300 | Stack overflow in PJSUA API when calling pjsua_recorder_create |
Code Execution | 8.1 |
| CVE-2021-43301 | Stack overflow in PJSUA API when calling pjsua_playlist_create |
Code Execution | 8.1 |
| CVE-2021-43302 | Read out-of-bounds in PJSUA API when calling pjsua_recorder_create |
Denial of Service | 5.9 |
| CVE-2021-43303 | Buffer overflow in PJSUA API when calling pjsua_call_dump |
Denial of Service | 5.9 |
Who is impacted by the PJSIP vulnerabilities?
Any projects that use the PJSIP library before version 2.12 and pass attacker-controlled arguments to any of the following APIs are vulnerable:
pjsua_player_create– argument must be attacker-controlledfilenamepjsua_recorder_create– argument must be attacker-controlledfilenamepjsua_playlist_create– argument must be (partially) attacker-controlledfile_namespjsua_call_dump– argument capacity must be smaller than 128 bytesbuffer
Technical breakdown
PJSIP offers a library named PJSUA that supplies an API for SIP applications. The basic PJSUA APIs are also wrapped by object-oriented APIs. PJSUA offers a rich Media Manipulation API, where we have spotted the following vulnerabilities:
CVE-2021-43299 was found in (OO wrapper – ) which creates a file player and automatically adds this player to the conference bridge.pjsua_player_createAudioMediaPlayer::createPlayer
This function contains a stack overflow vulnerability:
PJ_DEF(pj_status_t) pjsua_player_create( const pj_str_t *filename,
unsigned options,
pjsua_player_id *p_id)
{
unsigned slot, file_id;
char path[PJ_MAXPATH];
...
pj_memcpy(path, filename->ptr, filename->slen);
path[filename->slen] = '\0';
...
}filename->ptr is being copied to without verifying that (the filename size) is at most ’s allocated size which is pathfilename->slenpathPJ_MAXPATH<c/ode> (260). Therefore, passing a filename longer than 260 characters will cause a stack overflow.
CVE-2021-43300 and CVE-2021-43302 were found in (OO wrapper – ) which creates a file recorder and automatically connects this recorder to the conference bridge.pjsua_recorder_create()AudioMediaRecorder::createRecorder
This function contains a stack overflow vulnerability:
PJ_DEF(pj_status_t) pjsua_recorder_create( const pj_str_t *filename,
unsigned enc_type,
void *enc_param,
pj_ssize_t max_size,
unsigned options,
pjsua_recorder_id *p_id)
{
...
char path[PJ_MAXPATH];
pj_str_t ext;
...
/* Determine the file format */
ext.ptr = filename->ptr + filename->slen - 4;
ext.slen = 4;
if (pj_stricmp2(&ext, ".wav") == 0)
file_format = FMT_WAV;
else if (pj_stricmp2(&ext, ".mp3") == 0)
file_format = FMT_MP3;
else {
...
}
...
pj_memcpy(path, filename->ptr, filename->slen);
path[filename->slen] = '\0';
...
}ext.ptr is set to and is set to , later is called with in order to compare the extension of the file against or .filename->ptr + filename->slen - 4ext.slen4pj_stricmp2ext“.wav”“.mp3”
The issue disclosed as CVE-2021-43302 is that doesn’t check if the length of is at least 4. If is shorter than , will cause a read out-of-bounds while comparing the strings.pjsua_recorder_createfilenamefilename4pj_stricmp2
CVE-2021-43300 is similar to CVE-2021-43299: is being copied with to the stack variable without checking that is at most the allocated size which is (260).filename->ptrmemcpypathfilename->slenpathPJ_MAXPATH
CVE-2021-43301 is another similar stack overflow vulnerability that was found in (OO wrapper – ) which creates a file playlist media port and automatically adds the port to the conference bridge.
calls with the argument mapped as :pjsua_playlist_createAudioMediaPlayer::createPlaylistpjsua_playlist_createpjmedia_wav_playlist_createfile_namesfile_list
PJ_DEF(pj_status_t) pjmedia_wav_playlist_create(pj_pool_t *pool,
const pj_str_t *port_label,
const pj_str_t file_list[],
int file_count,
unsigned ptime,
unsigned options,
pj_ssize_t buff_size,
pjmedia_port **p_port)
{
...
char filename[PJ_MAXPATH]; /* filename for open operations. */
...
/* Be sure all files exist */
for (index=0; index<file_count; index++) {
PJ_ASSERT_RETURN(file_list[index].slen < PJ_MAXPATH, PJ_ENAMETOOLONG); pj_memcpy(filename, file_list[index].ptr, file_list[index].slen); filename[file_list[index].slen] = '\0'; /* Check the file really exists. */ if (!pj_file_exists(filename)) { PJ_LOG(4,(THIS_FILE, "WAV playlist error: file '%s' not found", filename)); return PJ_ENOTFOUND; } } ... /* ok run this for all files to be sure all are good for playback. */ for (index=file_count-1; index>=0; index--) {
pjmedia_wave_hdr wavehdr;
pj_ssize_t size_to_read, size_read;
/* we end with the last one so we are good to go if still in function*/
pj_memcpy(filename, file_list[index].ptr, file_list[index].slen);
filename[file_list[index].slen] = '\0';
...
}
...
}The function copies each file name from to without checking if its length is at most (260). If the file name length is longer – the copy will overflow the variable and trigger a stack overflow.file_listfilenamePJ_MAXPATHfilename
CVE-2021-43303 is a buffer overflow vulnerability in – a function that dumps call statistics to a given buffer:pjsua_call_dump
PJ_DEF(pj_status_t) pjsua_call_dump( pjsua_call_id call_id,
pj_bool_t with_media,
char *buffer,
unsigned maxlen,
const char *indent)
{
...
char tmp[128];
...
/* tmp is being populated here */
...
len = (int)pj_ansi_strlen(tmp);
pj_ansi_strcpy(buffer, tmp);
...
}The function uses in order to store the statistics temporarily and then copies it to the output argument without validating that is at most (which can be up to 128).tmpbuffermaxlenlen
This can lead to a buffer overflow if the capacity of the given parameter is smaller than .bufferlen
Fixing the vulnerabilities
In order to fully fix these vulnerabilities, we recommend upgrading PJSIP to version 2.12.
Acknowledgement
We would like to thank the PJSIP maintainers for quickly verifying the reported vulnerabilities and fixing them.
Finding vulnerable versions with JFrog Xray
In addition to exposing new security vulnerabilities and threats, JFrog provides developers and security teams easy access to the latest relevant information for their software – including the use of PJSIP open-source library versions and associated CVEs – with automated security scanning by JFrog Xray SCA tool.
原文始发于 JFrog :JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library
转载请注明:JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library | CTF导航
相关文章
