Bug 54886 - net-misc/asterisk 0.7.2 Multiple Logging Format String Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest major
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/10569
Whiteboard: ~1 [stable+]
Duplicates: 49393
Reported: 2004-06-23 05:57 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2011-10-30 22:38 UTC

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-06-23 05:57:53 UTC
net-misc/asterisk-0.7.2 should be removed from portage. see also bug #49393 (version 0.9.0 should
prob just be marked stable and all other versions removed).


http://www.securityfocus.com/bid/10569

Asterisk PBX Multiple Logging Format String Vulnerabilities

bugtraq id: 10569
object:
class: Input Validation Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: Jun 18, 2004
updated: Jun 18, 2004

vulnerable:
Asterisk Asterisk 0.7.0
Asterisk Asterisk 0.7.1
Asterisk Asterisk 0.7.2

not vulnerable:
Asterisk Asterisk 0.9.0

It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions. 

An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible. 

Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable. 

Versions 0.7.0 through to 0.7.2 are reported vulnerable.

A proof-of-concept exploit was provided.

http://www.securityfocus.com/data/vulnerabilities/exploits/asterisk_fmt_string.pl

It is reported that version 0.9.0 is not vulnerable to these vulnerabilities. All affected users are urged to upgrade. 

Credit:

kfinisterre@secnetops.com disclosed these vulnerabilities.
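
The bug class the advisory describes (a logging call that receives user-supplied data as its format string), shown beside the corrected call. This is an added example, not part of the original report and not Asterisk's code; `log_notice`, `log_request_unsafe`, `log_request_safe` and `count_conversions` are hypothetical names, and the inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger (not Asterisk's code). The attribute lets
 * GCC/Clang check callers and flag non-literal formats (-Wformat-security). */
__attribute__((format(printf, 3, 4)))
int log_notice(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* BEFORE: peer-controlled text is the format string, so vsnprintf() interprets
 * every conversion in it. Warnings are silenced only so the demo builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_request_unsafe(char *out, size_t n, const char *request) {
    return log_notice(out, n, request);
}
#pragma GCC diagnostic pop

/* AFTER: constant format; peer data is passed only as an argument. */
int log_request_safe(char *out, size_t n, const char *request) {
    return log_notice(out, n, "Rejected connect attempt, request '%s'", request);
}

/* Triage helper: count conversions in untrusted text ("%%" is a literal %). */
int count_conversions(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;
        else if (s[1] != '\0') count++;
    }
    return count;
}

int main(void) {
    char buf[256];
    /* Constructed input: "%%" is safe to interpret and still shows the parsing. */
    log_request_unsafe(buf, sizeof buf, "load=100%%;");
    printf("unsafe: %s\n", buf);
    log_request_safe(buf, sizeof buf, "AAAABBBB%x.%x.%x.");
    printf("safe:   %s (%d conversions)\n", buf, count_conversions("AAAABBBB%x.%x.%x."));
    return 0;
}
```

Building the logger's callers with `-Wformat -Wformat-security` reports the `log_request_unsafe` pattern at compile time once the `format` attribute is on the logging function.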
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-06-23 11:23:09 UTC
voip/stkn: can we get a patched version in portage?
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-06-23 12:17:35 UTC
0.9.0 is in portage and unaffected.
0.7.2 should be removed. This is probably ready for a GLSA (or for no GLSA as this is ~)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-06-25 03:10:24 UTC
GLSA drafted, but I would like to have external confirmation of this. I find no information about this on Asterisk website/mailing-lists...
Comment 4 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-25 06:18:51 UTC
nothing about that on the asterisk-dev ml
Comment 5 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-25 06:56:29 UTC
exploit from securityfocus w/ asterisk-0.7.2:

Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;
Comment 6 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-25 06:56:29 UTC
exploit from securityfocus w/ asterisk-0.7.2:

Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;£}ÿÿ'

Comment 7 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-25 07:05:46 UTC
exploit from securityfocus w/ asterisk-0.7.2:

Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;
Comment 8 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-25 07:05:46 UTC
exploit from securityfocus w/ asterisk-0.7.2:

Jun 25 15:37:29 NOTICE[65541]: chan_iax.c:3868 socket_read: Rejected connect attempt from 127.0.0.1, request 'exten=;callerid=;dnid=;context=;AAAABBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.;username=language=;formats=;version=;£}ÿÿ'
Comment 9 solar (RETIRED) gentoo-dev 2004-06-25 11:20:10 UTC
So what's the deal here?
Are you going to move it into stable or just paste how to exploit things?

asterisk-0.2.0.ebuild:KEYWORDS="x86"
asterisk-0.5.0.ebuild:KEYWORDS="~x86"
asterisk-0.7.2.ebuild:KEYWORDS="~x86"
asterisk-0.9.0.ebuild:KEYWORDS="~x86"
Comment 10 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-06-25 16:01:32 UTC
i think we could safely skip the glsa on this one. asterisk users are probably all running
version 0.9.0 anyway. (in fact, most want to run the cvs version, see bug 33345.)

let's just mark 0.9.0 as stable.
Comment 11 Stefan Knoblich (RETIRED) gentoo-dev 2004-06-26 00:58:55 UTC
Removing asterisk-0.7.2 from CVS

Stabling asterisk-0.9.0 _after_ i'm back from Linuxtag and Munich
Comment 12 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-06-26 23:33:09 UTC
*** Bug 49393 has been marked as a duplicate of this bug. ***
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-06-28 08:09:40 UTC
Will be closed without GLSA when 0.9.0 will be marked stable.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-07-10 03:22:26 UTC
Stefan : if LinuxTag is finished, could you mark 0.9.0 stable ?
Thanks :)
Comment 15 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-07-26 21:18:48 UTC
stkn removed asterisk 0.7.2 from portage and marked 0.9.0 stable.

no glsa needed. closing.