[AsteriskBrasil] [NEWS] Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver

Rafael Melo rafael.melo at informata.com.br
Thu Jul 19 10:07:16 BRT 2007


FYI

>  Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
> crash vulnerability. A NULL pointer exception can occur when Asterisk
> receives a LAGRQ or LAGRP frame that is part of a valid session and
> includes information elements. The session used to exploit this issue does
> not have to be authenticated. It can simply be a NEW packet sent with an
> invalid username.
>
> DETAILS
>
> Vulnerable Systems:
> * Asterisk Open Source versions prior to 1.2.22
> * Asterisk Open Source versions prior to 1.4.8
> * Asterisk Business Edition versions prior to B.2.2.1
> * AsteriskNOW prerelease versions prior to beta7
> * Asterisk Appliance Developer Kit versions prior to 0.5.0
> * s800i (Asterisk Appliance) versions prior to 1.0.2
>
> Immune Systems:
> * Asterisk Open Source version 1.2.22
> * Asterisk Open Source version 1.4.8
> * Asterisk Business Edition B.2.2.1
> * AsteriskNOW Beta7
> * Asterisk Appliance Developer Kit version 0.5.0
> * s800i (Asterisk Appliance) version 1.0.2
>
> The code that parses the incoming frame correctly parses the information
> elements of IAX frames. It then sets a pointer to NULL to indicate that
> there is not a raw data payload associated with this frame. However, it
> does not set the variable that indicates the number of bytes in the raw
> payload back to zero. Since the raw data length is non-zero, the code
> handling LAGRQ and LAGRP frames tries to copy data from a NULL pointer,
> causing a crash.
>
> Resolution:
> All users that have chan_iax2 enabled should upgrade to the appropriate
> version listed in the "Corrected In" section of this advisory.
>
> CVE Information:
> CVE-2007-3763
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3763>
>
>
> ADDITIONAL INFORMATION
>
> The information has been provided by Kevin P. Fleming
> <kpfleming at digium.com>.
> The original article can be found at:
> http://ftp.digium.com/pub/asa/ASA-2007-015.pdf
>
> 
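
The parsing flaw described in the advisory above, as an added example (not part of the original post and not Asterisk's code): a simplified C model showing the stale-length state beside the corrected one, plus a consumer-side consistency check. The struct, the function names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified frame model; not chan_iax2's own types. */
struct frame {
    const unsigned char *data; /* raw payload, NULL when there is none */
    size_t datalen;            /* bytes available at data */
};

/* Pattern from the advisory: pointer cleared, length left stale. */
void finish_ie_parse_vulnerable(struct frame *f)
{
    f->data = NULL; /* datalen still holds the size of the IE block */
}

/* Corrected pattern: pointer and length are cleared together. */
void finish_ie_parse_fixed(struct frame *f)
{
    f->data = NULL;
    f->datalen = 0;
}

/* Invariant: a non-zero length requires a non-NULL pointer. */
int frame_is_consistent(const struct frame *f)
{
    return f->data != NULL || f->datalen == 0;
}

/* Defensive echo of the payload into out. Returns bytes copied, or -1 when
 * the frame is inconsistent or too large, instead of reading from NULL. */
long echo_payload(const struct frame *f, unsigned char *out, size_t outlen)
{
    if (!frame_is_consistent(f) || f->datalen > outlen)
        return -1;
    if (f->datalen)
        memcpy(out, f->data, f->datalen);
    return (long)f->datalen;
}

int main(void)
{
    static const unsigned char ies[] = { 1, 2, 3, 4 }; /* constructed bytes */
    unsigned char out[16];
    struct frame a = { ies, sizeof ies }, b = { ies, sizeof ies };
    finish_ie_parse_vulnerable(&a);
    finish_ie_parse_fixed(&b);
    printf("stale: %ld\n", echo_payload(&a, out, sizeof out));
    printf("fixed: %ld\n", echo_payload(&b, out, sizeof out));
    return 0;
}
```

The stale frame is rejected with -1 and the corrected frame yields a zero-length copy; without the consistency check, the stale frame would reach memcpy with a NULL source and a length of 4.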


