exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

advisory-05-013.txt

advisory-05-013.txt
Posted Jun 23, 2005
Authored by Wade Alcorn | Site portcullis-security.com

A programming error exists in the function that parses commands in the Asterisk 1.0.7 system. This is used by the manager interface if the user is allowed to submit CLI commands. The coding error can result in the overflow of one of the parameters of the calling function.

tags | advisory, overflow
SHA-256 | 1a50a0056a74c27fb6eb2b5b5d0116c261912d86824d5d8e0a21b4a8acf36b39

advisory-05-013.txt

Change Mirror Download
Portcullis Security Advisory

Wade Alcorn
wja@portcullis-security.com -
www.portcullis-security.com/advisory/advisory-05-013.txt
wade@bindshell.net - www.bindshell.net/voip/advisory-05-013.txt

Vulnerable System:

This vulnerability affects Asterisk 1.0.7 and the development Asterisk
branch (known as CVS HEAD).
http://www.asterisk.org/

Vulnerability Title:

Asterisk Manager Interface Overflow

Vulnerability discovery and development:

Wade Alcorn discovered this vulnerability whilst performing an
assessment of the Asterisk PABX software package. It was then verified
that the instruction pointer could be controlled and made to point at
arbitrary memory locations. This led to a remote shell proof-of-concept,
which provides access to the user (root by default) running Asterisk.
This will occur when the Asterisk Manager Interface is enabled and a
valid manager username and password, with command line permissions, is used.

Affected systems:

The issue was initially found and verified on the Linux Operating
System. Research is currently being undertaken to determine the extent
to which other operating systems are vulnerable.

Details:

There is a programming error in the function that parses commands in the
Asterisk system. This is used by the manager interface if the user is
allowed to submit CLI commands. The coding error can result in the
overflow of one of the parameters of the calling function. That is, the
command parsing function will return without error. However, the calling
function will cause a segmentation fault.

If the command string is specifically crafted, is it possible to use
this stack overflow to execute arbitrary code on the Asterisk system.
The resulting execution is (typically) run with root privileges.

A command consisting of a recurring string of two double quotes followed
by a tab character will induce the segmentation fault within a Call
Manager thread.

Impact:

Under the default configuration the Asterisk server does not start the
Manager interface, so a default Asterisk installation will not be
vulnerable to this avenue of attack.

The impact of this issue is mitigated by the Asterisk default
configuration. Configuration is controlled by settings in manager.conf.
The following options need to be in place for this vector of attack to
be successful:

[general]
enabled = yes
bindaddr = 127.0.0.1

[mark]
secret = mysecret
permit = 127.0.0.1
write = command

The relevant option is 'write = command'; without it, even properly
authenticated Manager interface users will be unable to exploit this
overflow.

The result of a successfully exploited Asterisk command parsing overflow
will result in a remote root shell.

Exploit:

The error in the function means that any Asterisk server with the
appropriate configuration using the Manager interface is vulnerable. It
is possible for an authenticated user to gain a remote root shell on the
system.

Vendor notified:

Mark Spencer, the primary developer of the Asterisk project, was
contacted on Thursday 19th May 2005 via email. This email contained a
summary of the vulnerability and explained Wade Alcorn had developed an
exploit for the issue.

The Asterisk development team was prompt and responsive to the
vulnerability alert. Portcullis was provided with an alternate means of
contact additional to email, if it was to be required. Wade Alcorn
(Portcullis), Mark Spencer (Asterisk), Kevin Fleming (Asterisk)
cooperatively provided and verified a solution to the problem.

Vendor response:

The Asterisk project is thankful for the efforts of Wade Alcorn and
Portcullis Computer Security to identify and diagnose the source of this
problem. Wade Alcorn was able to provide a proposed solution and a
simple means of reproducing the problem, which were instrumental in our
ability to quickly solve the issue.

Workaround/Fix:

Options
1) For a temporary workaround, disable the setting in manager.conf
detailed in the impact section.
2) Upgrade to version 1.0.8, or for development branch users, the most
recent CVS version available.

Copyright:

Copyright (c) Portcullis Computer Security Limited 2005. All rights
reserved worldwide.


*************************************************************
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation.
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
**************************************************************

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close