[NEWS] Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver
------------------------------------------------------------------------


SUMMARY

The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
crash vulnerability. A NULL pointer dereference can occur when Asterisk
receives a LAGRQ or LAGRP frame that is part of a valid session and
includes information elements. The session used to exploit this issue does
not have to be authenticated. It can simply be a NEW packet sent with an
invalid username.

DETAILS

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.2.22
* Asterisk Open Source versions prior to 1.4.8
* Asterisk Business Edition versions prior to B.2.2.1
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2

Immune Systems:
* Asterisk Open Source version 1.2.22
* Asterisk Open Source version 1.4.8
* Asterisk Business Edition B.2.2.1
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2

The code that parses the incoming frame correctly parses the information
elements of IAX frames. It then sets a pointer to NULL to indicate that
there is not a raw data payload associated with this frame. However, it
does not set the variable that indicates the number of bytes in the raw
payload back to zero. Since the raw data length is non-zero, the code
handling LAGRQ and LAGRP frames tries to copy data from a NULL pointer,
causing a crash.
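
The stale-length pattern described above, next to a parser that resets both fields and a handler that checks the pointer/length invariant before copying. This is an added example, not code from Asterisk or from the advisory; the struct, the function names and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical frame state; names are illustrative, not chan_iax2's. */
struct frame {
    const unsigned char *data; /* raw payload, NULL when the frame has none */
    size_t datalen;            /* number of bytes at data */
};

/* Parser as the advisory describes it: once the information elements are
 * consumed the pointer is cleared, but the length keeps its old value. */
static void parse_stale_len(struct frame *f, const unsigned char *buf, size_t len)
{
    f->data = buf;
    f->datalen = len;
    /* ... information elements in buf would be parsed here ... */
    f->data = NULL;            /* no raw payload for this frame */
}

/* Corrected parser: pointer and length are reset together. */
static void parse_reset_both(struct frame *f, const unsigned char *buf, size_t len)
{
    parse_stale_len(f, buf, len);
    f->datalen = 0;
}

/* Lag-style handler that echoes the payload. Returns bytes copied, or -1
 * when the state is inconsistent (the case where memcpy would read NULL). */
static long echo_payload(const struct frame *f, unsigned char *out, size_t outlen)
{
    if (f->datalen > 0 && f->data == NULL)
        return -1;
    if (f->datalen > outlen)
        return -1;
    if (f->datalen > 0)
        memcpy(out, f->data, f->datalen);
    return (long)f->datalen;
}

/* Drive one constructed frame through either parser, then the handler. */
long run_case(int fixed)
{
    static const unsigned char ies[] = { 0x06, 0x01, 0x41 }; /* constructed */
    unsigned char out[16];
    struct frame f;
    if (fixed) parse_reset_both(&f, ies, sizeof ies);
    else       parse_stale_len(&f, ies, sizeof ies);
    return echo_payload(&f, out, sizeof out);
}
```
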

Resolution:
All users who have chan_iax2 enabled should upgrade to the appropriate
version listed under Immune Systems above.

CVE Information:
CVE-2007-3763
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3763>


ADDITIONAL INFORMATION

The information has been provided by Kevin P. Fleming
<mailto:kpfleming@xxxxxxxxxx>.
The original article can be found at:
<http://ftp.digium.com/pub/asa/ASA-2007-015.pdf>


