[UNIX] Asterisk Logger and Manager Format String Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Asterisk Logger and Manager Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

Messages passed to the Asterisk ast_verbose logging API call are processed
as a format string instead of being displayed as a character string.
Likewise, output produced by the Manager command "command" is appended to
the resulting response message as a format string rather than as a
character string. In both cases an attacker can supply a formatted string
as an input value, which can cause a crash.

DETAILS

Vulnerable Systems:
* Asterisk Open Source versions prior to 1.6.0-beta6

Immune Systems:
* Asterisk Open Source version 1.6.0-beta6

Resolution:
Input given to both the ast_verbose logging API call and astman_append
function is now interpreted as a character string and not as a format
string.
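
The vulnerable and the fixed call pattern side by side, as an added example that is not part of the original advisory and is not Asterisk source code. `struct resp`, `resp_append` and the two `append_output_*` functions are hypothetical stand-ins for a printf-style appender such as astman_append, and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct resp { char buf[128]; size_t len; };  /* hypothetical, not Asterisk's */

/* printf-style appender standing in for a function such as astman_append.
 * Declaring it with __attribute__((format(printf, 2, 3))) lets GCC/Clang
 * -Wformat-security flag the unsafe call below at compile time. */
static int resp_append(struct resp *r, const char *fmt, ...)
{
    size_t room = sizeof(r->buf) - r->len;   /* always >= 1 */
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(r->buf + r->len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= room) {                 /* truncated: keep what fit */
        r->len = sizeof(r->buf) - 1;
        return -1;
    }
    r->len += (size_t)n;
    return 0;
}

/* Vulnerable pattern: command output is itself the format string. */
static int append_output_unsafe(struct resp *r, const char *output)
{
    return resp_append(r, output);
}

/* Fixed pattern: constant format, output passed as the %s argument. */
static int append_output_safe(struct resp *r, const char *output)
{
    return resp_append(r, "%s", output);
}

int main(void)
{
    /* Constructed sample. "%%" consumes no argument, so even the unsafe
     * call is well-defined here, yet it still alters the data. */
    const char *output = "cpu at 100%% of quota\n";
    struct resp a = { "", 0 }, b = { "", 0 };
    append_output_unsafe(&a, output);
    append_output_safe(&b, output);
    printf("unsafe: %ssafe:   %sdiffer: %d\n", a.buf, b.buf, strcmp(a.buf, b.buf) != 0);
    return 0;
}
```

The unsafe path rewrites `%%` to `%`, which shows the data being parsed as directives; the safe path appends the bytes unchanged regardless of what they contain.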

Bugs:
The following two bug reports provide more information about this
vulnerability:
http://bugs.digium.com/view.php?id=12205
http://bugs.digium.com/view.php?id=12206

CVE Information:
CVE-2008-1333
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1333


ADDITIONAL INFORMATION

The information has been provided by Joshua Colp <jcolp@xxxxxxxxxx>.
The original article can be found at:
http://downloads.digium.com/pub/security/AST-2008-004.html


