[UNIX] Asterisk Manager Interface Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Asterisk Manager Interface Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

" <http://www.asterisk.org/> Asterisk is a complete PBX in software. It 
runs on Linux and provides all of the features you would expect from a PBX 
and more."

A Buffer Overflow with manager interface allow attackers to execute 
arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
 * Asterisk version 1.0.7

Immune Systems:
 * Asterisk version 1.0.8

There is a programming error with the function that parses commands in the 
Asterisk system. This is used by the manager interface if the user is 
allowed to submit CLI commands. The coding error can result in the 
overflow with one of the parameters of the calling function. That is, the 
command parsing function will return without error. However, the calling 
function will cause a segmentation fault.
If the command string is specifically crafted, is it possible to use this 
stack overflow to execute arbitrary code on the Asterisk system.  The 
resulting execution is (typically) run with root privileges. A command 
consisting of a recurring string of two double quotes followed by a tab 
character will induce the segmentation fault within a Call Manager thread. 
Under the default configuration the Asterisk server does not start the 
Manager interface, so a default Asterisk installation will not be 
vulnerable to this avenue of attack.
The impact of this issue is mitigated by the Asterisk default 
configuration. Configuration is controlled by settings in manager.conf:
   [general]
   enabled = yes
   bindaddr = 127.0.0.1

   [mark]
   secret = mysecret
   permit = 127.0.0.1
   write = command

The relevant option is 'write = command'; without it, even properly 
authenticated Manager interface users will be unable to exploit this 
overflow.
The error in the function means that any Asterisk server with the 
appropriate configuration using the Manager interface is vulnerable. It is 
possible for an authenticated user to gain a remote root shell on the 
system.

Workaround:
 * For a temporary workaround, disable the setting in manager.conf 
detailed in the impact section.
 * Upgrade to version 1.0.8 or higher.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:wja@xxxxxxxxxxxxxxxxxxxxxxx> 
Wade Alcorn .
The original article can be found at:  
<http://www.portcullis-security.com/advisory/advisory-05-013.txt> 
http://www.portcullis-security.com/advisory/advisory-05-013.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.