Bug#315532: asterisk: Buffer overflow in command line parser

Tzafrir Cohen tzafrir.cohen@xorcom.com
Thu, 23 Jun 2005 13:35:21 +0300

On Thu, Jun 23, 2005 at 11:38:17AM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
> An exploitable security problem has been found in Asterisk by Wade
> Alcorn:
> | There is a programming error in the function that parses commands in the
> | Asterisk system. This is used by the manager interface if the user is
> | allowed to submit CLI commands. 

Such a user can give probably arbitrary shell commands anyway:
add somewhere in the dialplan a System, and then call it from outside.
So there isn't much urgency in fixing this hole.

OTOH, we should make it the default not to run asterisk as root.

> | The coding error can result in the
> | overflow of one of the parameters of the calling function. That is, the
> | command parsing function will return without error. However, the calling
> | function will cause a segmentation fault.
> |
> | If the command string is specifically crafted, is it possible to use
> | this stack overflow to execute arbitrary code on the Asterisk system.
> | The resulting execution is (typically) run with root privileges.
> |
> | A command consisting of a recurring string of two double quotes followed
> | by a tab character will induce the segmentation fault within a Call
> | Manager thread.
> The full advisory can found at 
> http://www.bindshell.net/voip/advisory-05-013.txt

Does not provide much more details.

> Version 1.0.8 fixes this issue.

To use 1.0.8 we still need bristuff for 1.0.8

Tzafrir Cohen     icq#16849755  +972-50-7952406
tzafrir.cohen@xorcom.com  http://www.xorcom.com