Bug#315532: asterisk: Buffer overflow in command line parser
Tzafrir Cohen
tzafrir.cohen@xorcom.com
Thu, 23 Jun 2005 13:35:21 +0300
On Thu, Jun 23, 2005 at 11:38:17AM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
>
> An exploitable security problem has been found in Asterisk by Wade
> Alcorn:
>
> | There is a programming error in the function that parses commands in the
> | Asterisk system. This is used by the manager interface if the user is
> | allowed to submit CLI commands.
Such a user can probably give arbitrary shell commands anyway:
add a System somewhere in the dialplan, and then call it from outside.
So there isn't much urgency in fixing this hole.
OTOH, we should make it the default not to run asterisk as root.
> | The coding error can result in the
> | overflow of one of the parameters of the calling function. That is, the
> | command parsing function will return without error. However, the calling
> | function will cause a segmentation fault.
> |
> | If the command string is specifically crafted, it is possible to use
> | this stack overflow to execute arbitrary code on the Asterisk system.
> | The resulting execution is (typically) run with root privileges.
> |
> | A command consisting of a recurring string of two double quotes followed
> | by a tab character will induce the segmentation fault within a Call
> | Manager thread.
>
> The full advisory can be found at
> http://www.bindshell.net/voip/advisory-05-013.txt
Does not provide many more details.
>
> Version 1.0.8 fixes this issue.
To use 1.0.8 we still need bristuff for 1.0.8.
--
Tzafrir Cohen icq#16849755 +972-50-7952406
tzafrir.cohen@xorcom.com http://www.xorcom.com
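The advisory describes a parser that returns without error while one of its caller's buffers has already been overrun. An added example of the defensive shape that rules this out (not Asterisk's code, nor anything from the advisory or the thread): a quote-aware command splitter that owns every bounds check and reports failure instead of writing past the storage it was given, so the repeated `""` plus tab pattern the advisory mentions is refused rather than overflowing. The limits of 8 words and 64 bytes in the wrappers are assumed for illustration only.

```c
#include <stddef.h>
#include <string.h>
/* Split cmd into words on blanks and tabs, honouring "double quoted" strings.
 * Words are copied NUL-separated into buf; argv[] points into it. Returns the
 * word count, or -1 when the word table or buf would overflow or a quote is
 * left open. Invariant: while a word is open, used <= buflen - 1, so its NUL
 * always fits; the caller's storage is never written past the sizes given. */
int cli_tokenize(const char *cmd, char *argv[], int max_argc,
                 char *buf, size_t buflen)
{
    int argc = 0, in_quote = 0, in_word = 0;
    size_t used = 0;
    for (const char *p = cmd; *p; p++) {
        int quote = (*p == '"');
        if (!in_quote && !quote && (*p == ' ' || *p == '\t')) {
            if (in_word) { buf[used++] = '\0'; in_word = 0; }
            continue;
        }
        if (!in_word) {                /* open a word: need a slot and a NUL */
            if (argc >= max_argc || used >= buflen) return -1;
            argv[argc++] = buf + used;
            in_word = 1;
        }
        if (quote) { in_quote = !in_quote; continue; }  /* quotes are dropped */
        if (used + 2 > buflen) return -1;  /* this byte plus the final NUL */
        buf[used++] = *p;
    }
    if (in_quote) return -1;
    if (in_word) buf[used++] = '\0';
    return argc;
}

/* Caller with fixed-size automatic buffers (sizes are hypothetical, not
 * Asterisk's): returns the word count, or -1 if the command was refused. */
int cli_argc(const char *cmd)
{
    char *argv[8];
    char buf[64];
    return cli_tokenize(cmd, argv, 8, buf, sizeof buf);
}

/* 1 if word idx of cmd equals want, 0 otherwise (including a refused command). */
int cli_arg_is(const char *cmd, int idx, const char *want)
{
    char *argv[8];
    char buf[64];
    int n = cli_tokenize(cmd, argv, 8, buf, sizeof buf);
    return n > idx && strcmp(argv[idx], want) == 0;
}
```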