Message-Id: <E1K41Jh-00007r-59@mail.digium.com>
Date: Wed, 04 Jun 2008 17:18:49 -0500
From: "Asterisk Security Team" <security@...erisk.org>
To: full-disclosure@...ts.grok.org.uk
Subject: AST-2008-009: (Corrected subject) Remote crash
	vulnerability in ooh323 channel driver

               Asterisk Project Security Advisory - AST-2008-009

   +------------------------------------------------------------------------+
   |      Product       | Asterisk-Addons                                   |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote crash vulnerability in ooh323 channel      |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Remote crash                                      |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote unauthenticated sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Major                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | May 29, 2008                                      |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Tzafrir Cohen <tzafrir DOT cohen AT xorcom DOT    |
   |                    | com>                                              |
   |--------------------+---------------------------------------------------|
   |     Posted On      | June 4, 2008                                      |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | June 4, 2008                                      |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson <mmichelson AT digium DOT com>     |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2008-2543                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The ooh323 channel driver provided in Asterisk Addons    |
   |             | used a TCP connection to pass commands internally. The   |
   |             | payload of these packets included addresses of memory    |
   |             | which were to be freed after the command was processed.  |
   |             | By sending arbitrary data to the listening TCP socket,   |
   |             | one could cause an almost certain crash since the        |
   |             | command handler would attempt to free invalid memory.    |
   |             | This problem was made worse by the fact that the         |
   |             | listening TCP socket was bound to whatever IP address    |
   |             | was specified by the "bindaddr" option in ooh323.conf.   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | The TCP connection used by ooh323 has been replaced with  |
   |            | a pipe. The effect of this change is that data from       |
   |            | outside the ooh323 process may not be injected.           |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.2.x    | All versions prior to |
   |                                  |             | 1.2.9                 |
   |----------------------------------+-------------+-----------------------|
   |         Asterisk Addons          |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.7                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    C.x.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | N/A                   |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | N/A                   |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | N/A                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Addons 1.2            |            1.2.9            |
   |------------------------------------------+-----------------------------|
   |           Asterisk-Addons 1.4            |            1.4.7            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2008-009.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2008-009.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |       Date        |        Editor        |       Revisions Made        |
   |-------------------+----------------------+-----------------------------|
   | Jun 3, 2008       | Mark Michelson       | Initial draft               |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2008-009
              Copyright (c) 2008 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
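
The Resolution above swaps a listening TCP socket for a pipe as the internal command channel. The C code below is an added illustration of that design, not code from Asterisk-Addons or from the advisory; struct cmd, cmd_channel_open, cmd_send and cmd_handle_one are hypothetical names. It shows why a pointer carried in the command record can be freed safely once only in-process code is able to write to the channel.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct cmd { int type; char *arg; };  /* hypothetical record; handler frees arg */
static int cmd_fd[2] = { -1, -1 };    /* [0] read end, [1] write end */

/* A pipe has no address to connect to: only holders of these descriptors can write. */
int cmd_channel_open(void)
{
    if (pipe(cmd_fd) != 0)
        return -1;
    fcntl(cmd_fd[0], F_SETFD, FD_CLOEXEC);  /* do not leak into exec'd children */
    fcntl(cmd_fd[1], F_SETFD, FD_CLOEXEC);
    return 0;
}

/* Producer: a write this small (<= PIPE_BUF) is atomic, so records never interleave. */
int cmd_send(int type, const char *text)
{
    size_t n = strlen(text) + 1;
    struct cmd c = { type, malloc(n) };
    if (!c.arg)
        return -1;
    memcpy(c.arg, text, n);
    if (write(cmd_fd[1], &c, sizeof c) != (ssize_t)sizeof c) {
        free(c.arg);
        return -1;
    }
    return 0;
}

/* Consumer: returns the argument length, or -1 without freeing anything. */
int cmd_handle_one(int *type_out)
{
    struct cmd c;
    if (read(cmd_fd[0], &c, sizeof c) != (ssize_t)sizeof c)
        return -1;                    /* short read: c.arg is not trustworthy */
    int len = (int)strlen(c.arg);
    *type_out = c.type;
    free(c.arg);                      /* allocated by cmd_send in this process */
    return len;
}

int main(void)
{
    int type;
    return cmd_channel_open() || cmd_send(1, "hangup") || cmd_handle_one(&type) < 0;
}
```

With a TCP listener in place of the pipe, the same read() would accept bytes from any peer that can reach the bound address, and the value handed to free() would no longer be one the process allocated.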