Asterisk Remote DoS via Unauthenticated HTTP Cookie Header Parsing (ASTERISK-23340)

Vulnerability Key Information Vulnerability ID: ASTERISK-23340 Vulnerability Type: Security Vulnerability - Stack-allocated Cookie Header in Loop Allows Unauthenticated Remote Denial of Service Attack Reporter: Matt Jordan (mjordan) Report Date: 2014-02-21 Closure Date: 2014-03-10 Priority: Critical Status: Closed/Completed Affected Versions: 1.8.25.0, 11.7.0, 12.0.0 Affected Component: Core/HTTP Description Vulnerability Details Issue Description: There is a vulnerability in the parsing of HTTP Cookie headers, as shown in the code snippet below. Key Code Snippet: Notes: - Multiple Cookie headers are supported, each being parsed within the loop. - At line 861, a temporary copy of the header content is created, and then at line 866, the actual (name, value) pairs are parsed. Root Cause Mechanism: Uses (a wrapper around and ). Risk: The function calls in a loop for each found Cookie header, with no limit on the number of Cookie headers. A remote attacker can trigger a denial of service by sending an HTTP POST request containing a large number of Cookie headers, causing the thread stack to grow and potentially overlap with other thread stacks. Potential Exploitation The possibility of exploiting this vulnerability for remote code execution, similar to techniques described here, has been explored. Mitigation Recommendation Appendix: A Python script is provided that can be used to reproduce the issue on a local host.

Goal Reached Thanks to every supporter — we hit 100%!

Asterisk Remote DoS via Unauthenticated HTTP Cookie Header Parsing (ASTERISK-23340)