[asterisk-dev] AST-2008-009: (Corrected subject) Remote crash vulnerability in ooh323 channel driver
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Thu Jun 5 08:22:29 CDT 2008
On Wed, Jun 04, 2008 at 05:18:48PM -0500, Asterisk Security Team wrote:
> Asterisk Project Security Advisory - AST-2008-009
>
> +------------------------------------------------------------------------+
> | Product | Asterisk-Addons |
> |--------------------+---------------------------------------------------|
> | Summary | Remote crash vulnerability in ooh323 channel |
> | | driver |
> |--------------------+---------------------------------------------------|
> | Nature of Advisory | Remote crash |
> |--------------------+---------------------------------------------------|
> | Susceptibility | Remote unauthenticated sessions |
> |--------------------+---------------------------------------------------|
> | Severity | Major |
> |--------------------+---------------------------------------------------|
> | Exploits Known | No |
> |--------------------+---------------------------------------------------|
> | Reported On | May 29, 2008 |
> |--------------------+---------------------------------------------------|
> | Reported By | Tzafrir Cohen <tzafrir DOT cohen AT xorcom DOT |
> | | com> |
> |--------------------+---------------------------------------------------|
> | Posted On | June 4, 2008 |
> |--------------------+---------------------------------------------------|
> | Last Updated On | June 4, 2008 |
> |--------------------+---------------------------------------------------|
> | Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> |
> |--------------------+---------------------------------------------------|
> | CVE Name | CVE-2008-2543 |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Description | The ooh323 channel driver provided in Asterisk Addons |
> | | used a TCP connection to pass commands internally. The |
> | | payload of these packets included addresses of memory |
> | | which were to be freed after the command was processed. |
> | | By sending arbitrary data to the listening TCP socket, |
> | | one could cause an almost certain crash since the |
> | | command handler would attempt to free invalid memory. |
> | | This problem was made worse by the fact that the |
> | | listening TCP socket was bound to whatever IP address |
> | | was specified by the "bindaddr" option in ooh323.conf |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Resolution | The TCP connection used by ooh323 has been replaced with |
> | | a pipe. The effect of this change is that data from |
> | | outside the ooh323 process may not be injected. |
> +------------------------------------------------------------------------+
Workaround:
For those of you who can't spare the time to update the asterisk-addons
installation and don't use chan_ooh323c, simply make sure that either
this module is disabled, or there is no /etc/asterisk/ooh323c.conf .
In either case, this vulnerable part of the code in the module will not
be exposed.
If you do use chan_ooh323c: update, patch or whatever, ASAP.
And thanks again to Mark Michelson.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
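The advisory describes a command channel whose messages carried raw memory addresses that the receiver freed without validation, and the fix moved that channel from a TCP socket to a pipe so no outside party can write to it. The example below is added here to illustrate the underlying design principle a reviewer would look for; it is not code from ooh323 or Asterisk Addons. It assumes a hypothetical message layout (a command word plus an opaque handle) and a small handle table; the receiver only ever frees memory it registered itself, and rejects messages that are the wrong length, carry an unknown command, point outside the table, or replay a handle that was already released. It complements, rather than replaces, removing the network exposure as the advisory did.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical command word; any other value is rejected. */
#define CMD_FREE_BUFFER 1u

/* The pattern the advisory describes: the message itself names the
 * address to free, so whoever can write to the channel picks the pointer.
 * Shown for contrast only; nothing below ever frees m.ptr from a message. */
struct msg_unsafe { uint32_t cmd; void *ptr; };

/* Safer layout: an index into a receiver-owned table plus a generation
 * counter, so a stale or fabricated handle does not match a live slot. */
struct msg_safe { uint32_t cmd; uint32_t index; uint32_t gen; };

#define MAX_HANDLES 16
struct slot { void *ptr; uint32_t gen; int in_use; };
static struct slot table[MAX_HANDLES];   /* constructed in-process registry */

/* Register an allocation the receiver owns. Returns the slot index, or -1
 * when the table is full. The current generation is written to *gen_out. */
int handle_register(void *p, uint32_t *gen_out) {
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (table[i].in_use) continue;
        if (table[i].gen == 0) table[i].gen = 1;   /* generation 0 is never valid */
        table[i].ptr = p;
        table[i].in_use = 1;
        *gen_out = table[i].gen;
        return i;
    }
    return -1;
}

/* Release a registered allocation. Returns 0 on success, -1 if the handle
 * is out of range, not live, or carries a stale generation. */
int handle_release(uint32_t index, uint32_t gen) {
    if (index >= MAX_HANDLES) return -1;
    struct slot *s = &table[index];
    if (!s->in_use || s->gen != gen) return -1;
    free(s->ptr);                 /* the only free() is on memory we registered */
    s->ptr = NULL;
    s->in_use = 0;
    if (++s->gen == 0) s->gen = 1; /* bump so a replayed handle no longer matches */
    return 0;
}

/* Serialise a release command the way a sender would put it on the channel. */
size_t encode_free_message(unsigned char *buf, size_t cap, uint32_t index, uint32_t gen) {
    struct msg_safe m = { CMD_FREE_BUFFER, index, gen };
    if (cap < sizeof m) return 0;
    memcpy(buf, &m, sizeof m);
    return sizeof m;
}

/* Receiver side: parse bytes as they arrived and act only on a well-formed,
 * currently valid handle. Returns 0 when processed, -1 when rejected. */
int process_message(const unsigned char *buf, size_t len) {
    struct msg_safe m;
    if (len != sizeof m) return -1;          /* wrong size: reject, never guess */
    memcpy(&m, buf, sizeof m);
    if (m.cmd != CMD_FREE_BUFFER) return -1;  /* unknown command */
    return handle_release(m.index, m.gen);
}

/* Walk one legitimate release followed by three hostile inputs; returns the
 * number of messages the receiver rejected (expected: 3). */
int demo(void) {
    unsigned char buf[sizeof(struct msg_safe)];
    uint32_t gen;
    int rejected = 0;
    char *payload = malloc(64);              /* constructed stand-in for call state */
    if (!payload) return -1;
    memset(payload, 'A', 64);
    int idx = handle_register(payload, &gen);
    if (idx < 0) return -1;
    encode_free_message(buf, sizeof buf, (uint32_t)idx, gen);
    if (process_message(buf, sizeof buf) != 0) return -1;   /* legitimate release */
    if (process_message(buf, sizeof buf) != 0) rejected++;  /* replay: stale generation */
    encode_free_message(buf, sizeof buf, 0xdeadbeefu, 1);
    if (process_message(buf, sizeof buf) != 0) rejected++;  /* index outside the table */
    unsigned char junk[5] = { 'h', 'e', 'l', 'l', 'o' };
    if (process_message(junk, sizeof junk) != 0) rejected++; /* arbitrary short bytes */
    return rejected;
}

int main(void) {
    printf("rejected hostile messages: %d\n", demo());
    return 0;
}
```

The point of the generation counter is that even a correctly sized, correctly typed message cannot name memory the receiver does not currently own: a replayed or guessed handle fails the lookup and the receiver does nothing, where the original design would have called free() on whatever address the bytes spelled out.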