[asterisk-dev] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Nov 9 11:11:11 CST 2007


Hi again,

On Fri, Nov 09, 2007 at 12:20:29PM +0100, Vadim Lebedev wrote:
> 
> If this sethdlc program is installed as setuid root for some  reason it,
> DOES represent security risk

My previous reply might have been a bit too harsh:

yes, this is a bug. and it is good that it has been corrected. It should
have been corrected before or not even existed. There's just no reason
to over-react.

What triggered my response here is the way this bug was reported. The
author posted to bugtraq before even contacting the developers. And as
the author's advisory was very thin on details it looked very alarming.
If this issue has been communicated directly to any of Asterisk's or
Zaptel's developers, I'm sure that it would have been fixed faster.

If you can segfault anything in Asterisk or Zaptel, this is most likely
a bug in that program (even with faulty input / system, you should get
an error message rather than a segfault). Please report those.

One utility in Zaptel which is probably in somewhat of a position to
being exploitable is ztcfg: it is being run automatically at system
startup by root, and feeds data to kernel modules. In order to do that,
it parses data from a config file that at least under certain setups is
writable by non-root (in fact, it should be possible to run ztcfg by
the asterisk user rather than by root).

-- 
               Tzafrir Cohen       
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir



More information about the asterisk-dev mailing list