security issues with asterisk 1.2.10

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Aug 25 09:50:54 UTC 2006


Hi

I'm trying to figure out 
http://labs.musecurity.com/advisories/MU-200608-01.txt

There are two issues here:

1. An issue in the MGCP channel. As I have not examined it, I must
assume that it also affects the version in Sarge until proven otherwise.
This is also remotely exploitable. Note that most people don't use MGCP,
and the MGCP channel of Asterisk is partially broken. I'm not sure if,
with a default configuration, the MGCP channel will manage to bind on a
port at all.

2. A format string issue with Record(). Probably in Sarge as well. Not
in the default configuration.

-- 
Tzafrir Cohen         sip:tzafrir at local.xorcom.com
icq#16849755          iax:tzafrir at local.xorcom.com
+972-50-7952406          jabber:tzafrir at jabber.org
tzafrir.cohen at xorcom.com     http://www.xorcom.com



More information about the Pkg-voip-maintainers mailing list