The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Asterisk Manager Interface Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
" <http://www.asterisk.org/> Asterisk is a complete PBX in software. It
runs on Linux and provides all of the features you would expect from a PBX
and more."
A Buffer Overflow with manager interface allow attackers to execute
arbitrary code with root privileges.
DETAILS
Vulnerable Systems:
* Asterisk version 1.0.7
Immune Systems:
* Asterisk version 1.0.8
There is a programming error with the function that parses commands in the
Asterisk system. This is used by the manager interface if the user is
allowed to submit CLI commands. The coding error can result in the
overflow with one of the parameters of the calling function. That is, the
command parsing function will return without error. However, the calling
function will cause a segmentation fault.
If the command string is specifically crafted, is it possible to use this
stack overflow to execute arbitrary code on the Asterisk system. The
resulting execution is (typically) run with root privileges. A command
consisting of a recurring string of two double quotes followed by a tab
character will induce the segmentation fault within a Call Manager thread.
Under the default configuration the Asterisk server does not start the
Manager interface, so a default Asterisk installation will not be
vulnerable to this avenue of attack.
The impact of this issue is mitigated by the Asterisk default
configuration. Configuration is controlled by settings in manager.conf:
[general]
enabled = yes
bindaddr = 127.0.0.1
[mark]
secret = mysecret
permit = 127.0.0.1
write = command
The relevant option is 'write = command'; without it, even properly
authenticated Manager interface users will be unable to exploit this
overflow.
The error in the function means that any Asterisk server with the
appropriate configuration using the Manager interface is vulnerable. It is
possible for an authenticated user to gain a remote root shell on the
system.
Workaround:
* For a temporary workaround, disable the setting in manager.conf
detailed in the impact section.
* Upgrade to version 1.0.8 or higher.
ADDITIONAL INFORMATION
The information has been provided by <mailto:wja@portcullis-security.com>
Wade Alcorn .
The original article can be found at:
<http://www.portcullis-security.com/advisory/advisory-05-013.txt>
http://www.portcullis-security.com/advisory/advisory-05-013.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
