Bug#315532: asterisk: Buffer overflow in command line parser

Moritz Muehlenhoff <jmm@inutil.org>, 315532@bugs.debian.org
Thu, 23 Jun 2005 11:38:17 +0200


Package: asterisk
Severity: grave
Tags: security
Justification: user security hole

An exploitable security problem has been found in Asterisk by Wade
Alcorn:

| There is a programming error in the function that parses commands in the
| Asterisk system. This is used by the manager interface if the user is
| allowed to submit CLI commands. The coding error can result in the
| overflow of one of the parameters of the calling function. That is, the
| command parsing function will return without error. However, the calling
| function will cause a segmentation fault.
|
| If the command string is specifically crafted, it is possible to use
| this stack overflow to execute arbitrary code on the Asterisk system.
| The resulting execution is (typically) run with root privileges.
|
| A command consisting of a recurring string of two double quotes followed
| by a tab character will induce the segmentation fault within a Call
| Manager thread.

The full advisory can be found at
http://www.bindshell.net/voip/advisory-05-013.txt

Version 1.0.8 fixes this issue.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
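
The following is an added example, not part of the original report and not Asterisk's code. It sketches a bounded command tokenizer under the assumption that the parser fills a fixed-size argv[] array owned by its caller (the report does not show the code). split_args and MAX_ARGS are hypothetical names, and the sample input is constructed from the pattern the advisory describes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8 /* hypothetical capacity of the caller's argv[] */

/* Split s in place on spaces/tabs, honouring double quotes ("" yields an
 * empty argument). Returns the argument count, or -1 if the input needs
 * more than max slots or has an unterminated quote. Never writes past
 * argv[max - 1]. */
int split_args(char *s, char *argv[], size_t max)
{
    size_t argc = 0;
    char *rd = s;

    for (;;) {
        while (*rd == ' ' || *rd == '\t')
            rd++;
        if (*rd == '\0')
            return (int)argc;
        if (argc == max)        /* refuse instead of overrunning argv[] */
            return -1;

        char *wr = rd;          /* compact the token in place */
        int quoted = 0;
        argv[argc++] = wr;
        while (*rd && (quoted || (*rd != ' ' && *rd != '\t'))) {
            if (*rd == '"')
                quoted = !quoted;
            else
                *wr++ = *rd;
            rd++;
        }
        if (quoted)
            return -1;
        int at_end = (*rd == '\0'); /* read before wr may overwrite it */
        *wr = '\0';
        if (at_end)
            return (int)argc;
        rd++;
    }
}

int main(void)
{
    /* Constructed input: ten empty quoted arguments, each followed by a tab. */
    char cmd[] = "\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t";
    char *argv[MAX_ARGS];
    printf("split_args -> %d\n", split_args(cmd, argv, MAX_ARGS));
    return 0;
}
```

The caller must treat -1 as a rejected command and must not use argv[] in that case.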