The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Asterisk Multiple Vulnerabilities (AUEP and Record)
------------------------------------------------------------------------
SUMMARY
<http://www.asterisk.org/features> Asterisk-based "telephony solutions
offer a rich and flexible feature set. Asterisk offers both classical PBX
functionality and advanced features, and interoperates with traditional
standards-based telephony systems and Voice over IP systems. Asterisk
offers the features one would expect of a large proprietary PBX system
such as Voicemail, Conference Bridging, Call Queuing, and Call Detail
Records". Two security vulnerabilities have been discovered in the
Asterisk product, these vulnerabilities allow a remote attacker to cause
the program to execute arbitrary code.
DETAILS
Vulnerable Systems:
* Asterisk version 1.2.10
Immune Systems:
* Asterisk version 1.2.11
A remote stack buffer overflow condition in Asterisk's MGCP implementation
could allow for arbitrary code execution. The vulnerable code is triggered
with the use of a malformed AUEP (audit endpoint) response message.
A second issue exists in the handling of file names sent to the Record()
application which could lead to arbitrary code execution via a format
string attack or arbitrary file-overwrite via directory traversal
techniques. The impact of this vulnerability is minimal, however, as it
requires an administrator to use a client-controlled variable as part of
the filename.
Solution:
A patch for the buffer overflow is available from the following link:
<http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz>
http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz
To protect against the Record() vulnerability, do not use user-controlled
variables ( eg, ${CALLERIDNAME} ) as part of the the filename argument.
History:
08/10/06 - First contact with vendor
08/16/06 - Vendor acknowledges vulnerability
08/23/06 - Advisory released
ADDITIONAL INFORMATION
The information has been provided by Mu Security.
The original article can be found at:
<http://labs.musecurity.com/advisories/MU-200608-01.txt>
http://labs.musecurity.com/advisories/MU-200608-01.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
