[asterisk-security] AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Thu Nov 8 22:11:46 CST 2007
On Thu, Nov 08, 2007 at 02:27:14PM -0800, Gregg Berkholtz wrote:
> If a user has limited sudo privileges, for example, only the ability to
> execute sethdlc, couldn't they exploit this vulnerability to execute
> arbitrary code as root?
The problem is lack of proper sanitation of the parameter -i (interface
name) for both sethdlc and sethdlc-new. Thus in order to exploit this
bug, one needs to be able to pass an interface name that is long enough
to that parameter.
If you allow the user to execute the script ifup-hdlc from zaptel, this
shouldn't be a problem. I figure you should fix it with
s/sethdlc/sethdlc-new/.
Some further clarifications:
1. sethdlc-new
Zaptel contains both sethdlc.c and sethdlc-new.c. Both had the same
problem and were fixed. sethdlc only works with really old systems
(kernels < 2.4.22, IIRC). All others should use sethdlc-new.
2. Kernel/userspace
Unlike information published by some "security company" (and
apparently later retracted), this is not a buffer overflow in kernel
code. sethdlc.c is not a Zaptel driver.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir