Summary: ASTERISK-01702: SECURITY: remotely exploitable heap overflow in Asterisk
Reporter: fonetikli (fonetikli)
Labels:
Date Opened: 2004-05-26 18:25:51
Date Closed: 2008-01-15 14:56:27.000-0600
Priority: Major
Regression? No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
Only tested against v0.9.0
Have working remote root exploit.
Only affects those using skinny protocol

****** ADDITIONAL INFORMATION ******

Problem exists in chan_skinny.c
in function get_input():

res = read(s->fd, s->inbuf+4, dlen+4);

dlen is read directly from user supplied data at beginning of packet, and never validated for arbitrarily large (or negative) values.

please credit jonny@prophecy.net.nz in any advisories for this bug - thanks :)
Comments:

By: Mark Spencer (markster) 2004-05-26 19:03:16

Fixed in CVS.  I've never heard of a heap bug being exploitable.

By: fonetikli (fonetikli) 2004-05-27 02:55:23

Reminder sent to markster

In that case suggest you read:
http://www.w00w00.org/files/articles/heaptut.txt

Do any of the major Linux vendors include Asterisk as part of their distribution? If so, they really need to be notified on this one.


By: Digium Subversion (svnbot) 2008-01-15 14:56:27.000-0600

Repository: asterisk
Revision: 3085

U   trunk/channels/chan_skinny.c

------------------------------------------------------------------------
r3085 | markster | 2008-01-15 14:56:26 -0600 (Tue, 15 Jan 2008) | 2 lines

Perform proper heap bounds checking on skinny messages (bug ASTERISK-1702)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=3085
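
The kind of bounds check the report and the r3085 commit message refer to, as an added example (not code from Asterisk and not part of the original report). INBUF_SIZE, read_full(), get_input_checked() and the little-endian length decoding are assumptions made for illustration; only the shape of the read (dlen+4 bytes stored at inbuf+4) comes from the report.

```c
#include <stdint.h>
#include <unistd.h>

#define INBUF_SIZE 1000   /* assumed receive buffer size, illustration only */

/* Read exactly n bytes; returns 0 on success, -1 on EOF or error. */
static int read_full(int fd, unsigned char *p, size_t n)
{
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r <= 0)
            return -1;
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/*
 * Hypothetical bounded form of the read in get_input().
 * Returns the number of bytes stored in inbuf, -1 on I/O error,
 * -2 if the peer-supplied length does not fit the buffer.
 */
int get_input_checked(int fd, unsigned char inbuf[INBUF_SIZE])
{
    uint32_t dlen;

    if (read_full(fd, inbuf, 4) < 0)
        return -1;
    /* Decode as unsigned so a "negative" length becomes a very large
       value that the bound below rejects (little-endian assumed). */
    dlen = (uint32_t)inbuf[0] | (uint32_t)inbuf[1] << 8 |
           (uint32_t)inbuf[2] << 16 | (uint32_t)inbuf[3] << 24;
    /* The body is dlen+4 bytes stored at inbuf+4, so the frame needs
       dlen+8 bytes in total. Compare against a constant instead of
       adding to dlen, so the check itself cannot wrap around. */
    if (dlen > INBUF_SIZE - 8)
        return -2;
    if (read_full(fd, inbuf + 4, (size_t)dlen + 4) < 0)
        return -1;
    return (int)(dlen + 8);
}
```

A caller would drop the connection on any negative return rather than try to resynchronise on the stream.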