Author: mmichelson Date: Wed Jan 28 11:34:02 2015 New Revision: 431301 URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=431301 Log: Multiple revisions 431297-431298
........ r431297 | mmichelson | 2015-01-28 11:05:26 -0600 (Wed, 28 Jan 2015) | 17 lines Mitigate possible HTTP injection attacks using CURL() function in Asterisk. CVE-2014-8150 disclosed a vulnerability in libcURL where HTTP request injection can be performed given properly-crafted URLs. Since Asterisk makes use of libcURL, and it is possible that users of Asterisk may get cURL URLs from user input or remote sources, we have made a patch to Asterisk to prevent such HTTP injection attacks from originating from Asterisk. ASTERISK-24676 #close Reported by Matt Jordan Review: https://reviewboard.asterisk.org/r/4364 AST-2015-002 ........ r431298 | mmichelson | 2015-01-28 11:12:49 -0600 (Wed, 28 Jan 2015) | 3 lines Fix compilation error from previous patch. ........ Merged revisions 431297-431298 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 431299 from http://svn.asterisk.org/svn/asterisk/branches/12 Modified: branches/13/ (props changed) branches/13/funcs/func_curl.c Propchange: branches/13/ ------------------------------------------------------------------------------ Binary property 'branch-12-merged' - no diff available. Modified: branches/13/funcs/func_curl.c URL: http://svnview.digium.com/svn/asterisk/branches/13/funcs/func_curl.c?view=diff&rev=431301&r1=431300&r2=431301 ============================================================================== --- branches/13/funcs/func_curl.c (original) +++ branches/13/funcs/func_curl.c Wed Jan 28 11:34:02 2015 @@ -50,6 +50,7 @@ #include "asterisk/app.h" #include "asterisk/utils.h" #include "asterisk/threadstorage.h" +#include "asterisk/test.h" /*** DOCUMENTATION <function name="CURL" language="en_US"> @@ -568,6 +569,31 @@ AST_THREADSTORAGE_CUSTOM(curl_instance, curl_instance_init, curl_instance_cleanup); AST_THREADSTORAGE(thread_escapebuf); +/*! + * \brief Check for potential HTTP injection risk. + * + * CVE-2014-8150 brought up the fact that HTTP proxies are subject to injection + * attacks. An HTTP URL sent to a proxy contains a carriage-return linefeed combination, + * followed by a complete HTTP request. Proxies will handle this as two separate HTTP + * requests rather than as a malformed URL. + * + * libcURL patched this vulnerability in version 7.40.0, but we have no guarantee that + * Asterisk systems will be using an up-to-date cURL library. Therefore, we implement + * the same fix as libcURL for determining if a URL is vulnerable to an injection attack. + * + * \param url The URL to check for vulnerability + * \retval 0 The URL is not vulnerable + * \retval 1 The URL is vulnerable. + */ +static int url_is_vulnerable(const char *url) +{ + if (strpbrk(url, "\r\n")) { + return 1; + } + + return 0; +} + static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info, char *buf, struct ast_str **input_str, ssize_t len) { struct ast_str *escapebuf = ast_str_thread_get(&thread_escapebuf, 16); @@ -604,6 +630,11 @@ } AST_STANDARD_APP_ARGS(args, info); + + if (url_is_vulnerable(args.url)) { + ast_log(LOG_ERROR, "URL '%s' is vulnerable to HTTP injection attacks. Aborting CURL() call.\n", args.url); + return -1; + } if (chan) { ast_autoservice_start(chan); @@ -763,12 +794,62 @@ .write = acf_curlopt_write, }; +AST_TEST_DEFINE(vulnerable_url) +{ + const char *bad_urls [] = { + "http://example.com\r\nDELETE http://example.com/everything";, + "http://example.com\rDELETE http://example.com/everything";, + "http://example.com\nDELETE http://example.com/everything";, + "\r\nhttp://example.com";, + "\rhttp://example.com";, + "\nhttp://example.com";, + "http://example.com\r\n";, + "http://example.com\r";, + "http://example.com\n";, + }; + const char *good_urls [] = { + "http://example.com";, + "http://example.com/%5Cr%5Cn";, + }; + int i; + enum ast_test_result_state res = AST_TEST_PASS; + + switch (cmd) { + case TEST_INIT: + info->name = "vulnerable_url"; + info->category = "/funcs/func_curl/"; + info->summary = "cURL vulnerable URL test"; + info->description = + "Ensure that any combination of '\\r' or '\\n' in a URL invalidates the URL"; + case TEST_EXECUTE: + break; + } + + for (i = 0; i < ARRAY_LEN(bad_urls); ++i) { + if (!url_is_vulnerable(bad_urls[i])) { + ast_test_status_update(test, "String '%s' detected as valid when it should be invalid\n", bad_urls[i]); + res = AST_TEST_FAIL; + } + } + + for (i = 0; i < ARRAY_LEN(good_urls); ++i) { + if (url_is_vulnerable(good_urls[i])) { + ast_test_status_update(test, "String '%s' detected as invalid when it should be valid\n", good_urls[i]); + res = AST_TEST_FAIL; + } + } + + return res; +} + static int unload_module(void) { int res; res = ast_custom_function_unregister(&acf_curl); res |= ast_custom_function_unregister(&acf_curlopt); + + AST_TEST_UNREGISTER(vulnerable_url); return res; } @@ -786,6 +867,8 @@ res = ast_custom_function_register(&acf_curl); res |= ast_custom_function_register(&acf_curlopt); + + AST_TEST_REGISTER(vulnerable_url); return res; } -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits
