[NEWS] Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Jul 2007 14:57:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Remote Crash Vulnerability in Asterisk's IAX2 Channel Driver
The Asterisk IAX2 channel driver, chan_iax2, has a remotely exploitable
crash vulnerability. A NULL pointer exception can occur when Asterisk
receives a LAGRQ or LAGRP frame that is part of a valid session and
includes information elements. The session used to exploit this issue does
not have to be authenticated. It can simply be a NEW packet sent with an
* Asterisk Open Source versions prior to 1.2.22
* Asterisk Open Source versions prior to 1.4.8
* Asterisk Business Edition versions prior to B.2.2.1
* AsteriskNOW prerelease versions prior to beta7
* Asterisk Appliance Developer Kit versions prior to 0.5.0
* s800i (Asterisk Appliance) versions prior to 1.0.2
* Asterisk Open Source version 1.2.22
* Asterisk Open Source version 1.4.8
* Asterisk Business Edition B.2.2.1
* AsteriskNOW Beta7
* Asterisk Appliance Developer Kit version 0.5.0
* s800i (Asterisk Appliance) version 1.0.2
The code that parses the incoming frame correctly parses the information
elements of IAX frames. It then sets a pointer to NULL to indicate that
there is not a raw data payload associated with this frame. However, it
does not set the variable that indicates the number of bytes in the raw
payload back to zero. Since the raw data length is non-zero, the code
handling LAGRQ and LAGRP frames tries to copy data from a NULL pointer,
causing a crash.
All users that have chan_iax2 enabled should upgrade to the appropriate
version listed in the corrected in section of this advisory.
The information has been provided by <mailto:kpfleming@xxxxxxxxxx> Kevin
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Stack Buffer Overflow in Asterisk's IAX2 Channel Driver
- Next by Date: [UNIX] Oracle Database Buffer Overflows and DoS Vulnerabilities in Public Procedures of MDSYS.MD (DB12)
- Previous by thread: [NEWS] Stack Buffer Overflow in Asterisk's IAX2 Channel Driver
- Next by thread: [UNIX] Oracle Database Buffer Overflows and DoS Vulnerabilities in Public Procedures of MDSYS.MD (DB12)