Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: ASA-2007-015: Remote Crash Vulnerability in IAX2 channel driver

ASA-2007-015: Remote Crash Vulnerability in IAX2 channel driver

From: Kevin P. Fleming <kpfleming_at_digium.com>
Date: Tue, 17 Jul 2007 17:58:38 -0500

               Asterisk Project Security Advisory - ASA-2007-015

   +------------------------------------------------------------------------+
   | Product | Asterisk |
   |--------------------+---------------------------------------------------|
   | Summary | Remote Crash Vulnerability in IAX2 channel driver |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service |
   |--------------------+---------------------------------------------------|
   | Susceptibility | Remote Unauthenticated Sessions |
   |--------------------+---------------------------------------------------|
   | Severity | Critical |
   |--------------------+---------------------------------------------------|
   | Exploits Known | No |
   |--------------------+---------------------------------------------------|
   | Reported On | July 13, 2007 |
   |--------------------+---------------------------------------------------|
   | Reported By | Chris Clark and Zane Lackey, iSEC Partners |
   |--------------------+---------------------------------------------------|
   | Posted On | July 17, 2007 |
   |--------------------+---------------------------------------------------|
   | Last Updated On | July 17, 2007 |
   |--------------------+---------------------------------------------------|
   | Advisory Contact | Russell Bryant <russell_at_digium.com> |
   |--------------------+---------------------------------------------------|
   | CVE Name | CVE-2007-3763 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk IAX2 channel driver, chan_iax2, has a |
   | | remotely exploitable crash vulnerability. A NULL pointer |
   | | exception can occur when Asterisk receives a LAGRQ or |
   | | LAGRP frame that is part of a valid session and includes |
   | | information elements. The session used to exploit this |
   | | issue does not have to be authenticated. It can simply |
   | | be a NEW packet sent with an invalid username. |
   | | |
   | | The code that parses the incoming frame correctly parses |
   | | the information elements of IAX frames. It then sets a |
   | | pointer to NULL to indicate that there is not a raw data |
   | | payload associated with this frame. However, it does not |
   | | set the variable that indicates the number of bytes in |
   | | the raw payload back to zero. Since the raw data length |
   | | is non-zero, the code handling LAGRQ and LAGRP frames |
   | | tries to copy data from a NULL pointer, causing a crash. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_iax2 enabled should upgrade to |
   | | the appropriate version listed in the corrected in |
   | | section of this advisory. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Affected Versions |
   |------------------------------------------------------------------------|
   | Product | Release | |
   | | Series | |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Open Source | 1.0.x | All versions |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Open Source | 1.2.x | All versions prior to |
   | | | 1.2.22 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Open Source | 1.4.x | All versions prior to |
   | | | 1.4.8 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Business Edition | A.x.x | All versions |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Business Edition | B.x.x | All versions prior to |
   | | | B.2.2.1 |
   |----------------------------------+-------------+-----------------------|
   | AsteriskNOW | pre-release | All versions prior to |
   | | | beta7 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit | 0.x.x | All versions prior to |
   | | | 0.5.0 |
   |----------------------------------+-------------+-----------------------|
   | s800i (Asterisk Appliance) | 1.0.x | All versions prior to |
   | | | 1.0.2 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Corrected In |
   |------------------------------------------------------------------------|
   | Product | Release |
   |-------------------+----------------------------------------------------|
   | Asterisk Open | 1.2.22 and 1.4.8, available from |
   | Source | ftp://ftp.digium.com/pub/telephony/asterisk |
   |-------------------+----------------------------------------------------|
   | Asterisk Business | B.2.2.1, available from the Asterisk Business |
   | Edition | Edition user portal on http://www.digium.com or |
   | | |
   | | via Digium Technical Support |
   |-------------------+----------------------------------------------------|
   | AsteriskNOW | Beta7, available from http://www.asterisknow.org/. |
   | | Beta5 and Beta6 users can update using the system |
   | | update feature in the appliance control panel. |
   |-------------------+----------------------------------------------------|
   | Asterisk | 0.5.0, available from |
   | Appliance | |
   | Developer Kit | ftp://ftp.digium.com/pub/telephony/aadk/ |
   |-------------------+----------------------------------------------------|
   | s800i (Asterisk | 1.0.2 |
   | Appliance) | |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Links | |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at |
   | http://www.asterisk.org/security. |
   | |
   | This document may be superseded by later versions; if so, the latest |
   | version will be posted at |
   | http://ftp.digium.com/pub/asa/ASA-2007-015.pdf. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Revision History |
   |------------------------------------------------------------------------|
   | Date | Editor | Revisions Made |
   |-------------------+-------------------------+--------------------------|
   | July 17, 2007 | russell_at_digium.com | Initial Release |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-015
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
Received on Jul 18 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos