[Asterisk-Security] Multiple Vulnerabilities in Asterisk 1.2.10 (Fixed in 1.2.11)

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sun Aug 27 00:04:05 MST 2006


Just a clarification, for those who intend to patch older versions:

On Fri, Aug 25, 2006 at 10:55:04AM +0200, Matt Riddell (IT) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> From: http://www.sineapps.com/news.php?rssid=1448
> 
> MuLabs has posted details of multiple vulnerabilities in Asterisk 1.2.10.
> 
> Excerpt:
> 
> Vulnerability Details:
> 
> A remote stack buffer overflow condition in Asterisk's MGCP
> implementation could allow for arbitrary code execution. The vulnerable
> code is triggered with the use of a malformed AUEP (audit endpoint)
> response message.
> 
> A second issue exists in the handling of file names sent to the
> Record() application which could lead to arbitrary code execution via a
> format string attack or arbitrary file-overwrite via directory traversal
> techniques. The impact of this vulnerability is minimal, however, as it
> requires an administrator to use a client-controlled variable as part of
> the filename.
> 
> Solution:
> 
> Mu Security would like to thank the Asterisk security team for their
> timely response to these issues.
> 
> A patch for the buffer overflow is available from the following link:
> http://ftp.digium.com/pub/asterisk/asterisk-1.2.11-patch.gz
> 
> To protect against the Record() vulnerability, do not use
> user-controlled variables ( eg, ${CALLERIDNAME} ) as part of the
> filename argument.

Note that the issue "exists in the code" in 1.2.11 just as it has
existed in 1.2.10 and before, and it has a much larger potential impact
(as usual) if Asterisk is run as root.

-- 
Tzafrir Cohen         sip:tzafrir at local.xorcom.com
icq#16849755          iax:tzafrir at local.xorcom.com
+972-50-7952406          jabber:tzafrir at jabber.org
tzafrir.cohen at xorcom.com     http://www.xorcom.com
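
An added example, not part of the original thread and not Asterisk code: a Python audit for the mitigation quoted above, flagging dialplan Record() calls whose filename argument is built from caller-controlled variables, including ones copied through Set(). The variable list beyond ${CALLERIDNAME}, the sample dialplan and the function names are assumptions constructed for illustration.

```python
import re

# ${CALLERIDNAME} is the advisory's own example; the other names are
# assumptions about which channel variables a remote caller can influence.
CALLER_CONTROLLED = {"CALLERIDNAME", "CALLERIDNUM", "CALLERID", "EXTEN"}
VAR_REF = re.compile(r"\$\{\s*([A-Za-z_][A-Za-z0-9_]*)")
APP_CALL = re.compile(r"\b(Set|Record)\s*\((.*)\)\s*$", re.IGNORECASE)

# Constructed sample dialplan (not taken from any real system).
SAMPLE = """\
[incoming]
exten => s,1,Answer()
exten => s,2,Record(/var/spool/asterisk/rec/${CALLERIDNAME}:wav)
exten => s,3,Set(TAG=${CALLERID(num)})
exten => s,4,Record(/var/spool/asterisk/rec/msg-${TAG}.wav|5|60)
exten => s,5,Record(/var/spool/asterisk/rec/msg-${UNIQUEID}.wav|5|60)
exten => s,6,Record(/tmp/fixed.wav|${EXTEN})
"""

def first_argument(args):
    """Return the text before the first '|' or ',' that is outside ${...}."""
    depth = 0
    for i, ch in enumerate(args):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth = max(depth - 1, 0)
        elif ch in "|," and depth == 0:
            return args[:i]
    return args

def audit_dialplan(text):
    """Return (line_no, variable, line) for each tainted Record() filename."""
    tainted, findings = set(CALLER_CONTROLLED), []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()  # drop dialplan comments
        match = APP_CALL.search(line)
        if not match:
            continue
        app, args = match.group(1).lower(), match.group(2)
        if app == "set":  # Set(NAME=value): propagate taint to NAME
            name, _, value = args.partition("=")
            if any(v.upper() in tainted for v in VAR_REF.findall(value)):
                tainted.add(name.strip().upper())  # case-insensitive, conservative
            continue
        for var in VAR_REF.findall(first_argument(args)):  # filename argument only
            if var.upper() in tainted:
                findings.append((line_no, var, line))
    return findings
```

Calling `audit_dialplan(SAMPLE)` reports the Record() calls on lines 3 and 5 of the sample; the check is a text-level approximation and does not follow variables set outside the scanned file.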

