security issues with asterisk 1.2.10

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sun Aug 27 01:23:00 UTC 2006


Update:

On Fri, Aug 25, 2006 at 12:50:54PM +0300, Tzafrir Cohen wrote:
> Hi
> 
> I'm trying to figure out 
> http://labs.musecurity.com/advisories/MU-200608-01.txt
> 
> There are two issues here:
> 
> 1. An issue in the MGCP channel. As I have not examined it, I must
> assume that it also affects the version in Sarge until proven otherwise.
> This is also remotely exploitable. Note that most people don't use mgcp,
> and the MGCP channel of Asterisk is partially broken. I'm not sure if
> with a default configuration the MGCP channel will manage to bind on a
> port at all.

dpatch attached. Untested yet.

> 
> 2. A format string issue with Record(). Probably in Sarge as well. Not
> in the default configuration.

Seems to be purely a configuration issue. No code change involved. The
only format interpreted in the filename is a harmless %d.

-- 
Tzafrir Cohen         sip:tzafrir at local.xorcom.com
icq#16849755          iax:tzafrir at local.xorcom.com
+972-50-7952406          jabber:tzafrir at jabber.org
tzafrir.cohen at xorcom.com     http://www.xorcom.com
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## chan_mgcp_fix.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix of chan_mgcp buffer overflow. From asterisk changeset 40057

@DPATCH@
diff -urNad asterisk-1.0.11.dfsg.1/channels/chan_mgcp.c /tmp/dpep.850Zeh/asterisk-1.0.11.dfsg.1/channels/chan_mgcp.c
--- asterisk-1.0.11.dfsg.1/channels/chan_mgcp.c	2005-11-29 20:24:39.000000000 +0200
+++ /tmp/dpep.850Zeh/asterisk-1.0.11.dfsg.1/channels/chan_mgcp.c	2006-08-27 03:06:55.339659846 +0300
@@ -2347,6 +2347,9 @@
                            strncasecmp(v, p->sub->next->cxident, len)) {
                             /* connection id not found. delete it */
                             char cxident[80];
+			    if (len > (sizeof(cxident) - 1))
+				    len = sizeof(cxident) - 1;
+
                             memcpy(cxident, v, len);
                             cxident[len] = '\0';
                             if (option_verbose > 2) {
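
Review bot: the clamp `len = sizeof(cxident) - 1` silently truncates an over-long connection id, and the truncated copy in `cxident` is what the code below goes on to use (per the comment, to delete the connection), so the id acted on no longer matches what the peer sent. Consider logging a warning when the clamp triggers, or skipping the entry rather than truncating it. The declaration of `len` is outside this hunk; if it is a signed type, the comparison against `sizeof` converts it to unsigned, which also clamps a negative value, and that deserves a short comment or an explicit check. Note too that the `strncasecmp(v, p->sub->next->cxident, len)` in the context line above still runs with the unclamped `len`.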

