CVE-2003-0779
CVSS7.5
Published: 2003-09-22 00:00:00
Revised: 2008-09-10 15:20:25
NMCOPS    

[Original] SQL injection vulnerability in the Call Detail Record (CDR) logging functionality for Asterisk allows remote attackers to execute arbitrary SQL via a CallerID string.


[CNNVD] Asterisk CallerID Call Detail Record SQL Injection Vulnerability (CNNVD-200309-030)

        
        Asterisk is PBX software that runs on Linux and supports IP telephony over the SIP, IAX and H323 protocols.
        The Call Detail Records (CDRs) logging functionality does not adequately check the CallerID string; a remote attacker can exploit this to manipulate data in the Asterisk database.
        Call Detail Records (CDRs) are records generated by the telephone system to support billing and rating. They contain a number of fields that identify the user, such as the source and destination of the call and the CallerID. Because the CallerID string is not adequately filtered, an attacker who submits a malformed CallerID string (containing SQL commands) can alter the SQL logic of the system, corrupt the database, or obtain sensitive information from it.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:digium:asterisk:0.2      Digium Asterisk 0.2
cpe:/a:digium:asterisk:0.3      Digium Asterisk 0.3
cpe:/a:digium:asterisk:0.1.9    Digium Asterisk 0.1.9
cpe:/a:digium:asterisk:0.1.7    Digium Asterisk 0.1.7
cpe:/a:digium:asterisk:0.4      Digium Asterisk 0.4
cpe:/a:digium:asterisk:0.1.8    Digium Asterisk 0.1.8
cpe:/a:digium:asterisk:0.1.9.1  Digium Asterisk 0.1.9.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0779
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0779
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-030
(official data source) CNNVD

- Other links and resources

http://www.atstake.com/research/advisories/2003/a091103-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A091103-1

- Vulnerability information

Asterisk CallerID Call Detail Record SQL Injection Vulnerability
High severity  Input validation
2003-09-22 00:00:00 2006-08-23 00:00:00
Remote

- Announcements and patches

        Vendor patch:
        Asterisk
        --------
        Fixed in CVS as of September 9, 2003:
        
        http://www.asterisk.org/

- Vulnerability information (F31630)

Atstake Security Advisory 03-09-11.1 (PacketStormID:F31630)
2003-09-13 00:00:00
Atstake,Ollie Whitehouse  atstake.com
advisory,sql injection
CVE-2003-0779

Atstake Security Advisory A091103-1 - The Asterisk software PBX is vulnerable to a SQL injection attack if a user is able to supply malformed CallerID data.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            
                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: Asterisk CallerID CDR SQL Injection
 Release Date: 09/11/2003
  Application: Asterisk
     Platform: Linux (x86)
     Severity: An attacker is able to obtain remote access to the
               database/host via the CallerID string
      Authors: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Informed / CVS Updated 9th of September 2003
CVE Candidate: CAN-2003-0779
    Reference: www.atstake.com/research/advisories/2003/a091103-1.txt


Overview:

Asterisk (http://www.asterisk.org/) is a complete PBX (Private
Branch eXchange) in software. It runs on Linux and provides all of the
features you would expect from a PBX and more. Asterisk does voice over IP
with three protocols (SIP, IAX v1 and v2, and H323), and can interoperate
with almost all standards-based telephony equipment using relatively
inexpensive hardware.

Call Detail Records (CDRs) are generated by telephony systems in order
to perform a number of functions such as billing and rating. CDRs contain
a number of fields that identify useful information about the call
including source, destination, and other items such as CallerID. These
can be generated numerous times during the call to indicate the state of
the call as well.

@stake found an issue while conducting a source code review of the CDR
logging functionality. It is possible to perform SQL injection if an
attacker can supply a malformed CallerID string.

The interesting thing to note about this vulnerability is that it can
not only be launched via VoIP protocols, but also through fixed-line
connections (i.e. POTS - Plain Old Telephone System).


Details:

@stake discovered that minimal input validation occurred between CDR
generation and the acceptance of this data as part of the SQL query.

SQL injection is covered in great detail in:

       i) SQL Injection
       http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf   

       ii) Advanced SQL Injection
       http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

As a result, it is possible for a remote unauthenticated user to
perform arbitrary database operations.
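The defect the advisory describes (CDR fields spliced into the SQL text with no validation in between) and its fix, shown as an added example in Python with an in-memory SQLite table; this is illustrative code, not Asterisk's CDR backend, and the table columns (clid, src, dst, duration) only approximate Asterisk's CDR fields. The same example also illustrates the later SecurityFocus discussion of insufficient sanitization of CallerID data.

```python
import sqlite3

# Constructed CDR table; an approximation of the columns an Asterisk CDR
# backend writes, not Asterisk's real schema.
SCHEMA = "CREATE TABLE cdr (clid TEXT, src TEXT, dst TEXT, duration INTEGER)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_cdr_unsafe(conn, clid, src, dst, duration):
    """Vulnerable pattern: the CallerID string becomes part of the SQL text,
    so any quote or SQL syntax it carries is parsed as part of the statement."""
    sql = ("INSERT INTO cdr (clid, src, dst, duration) VALUES ('%s', '%s', '%s', %d)"
           % (clid, src, dst, duration))
    conn.execute(sql)
    conn.commit()


def log_cdr_safe(conn, clid, src, dst, duration):
    """Hardened form: the CallerID is bound as a parameter, so the driver
    stores it verbatim and never interprets its contents as SQL."""
    conn.execute("INSERT INTO cdr (clid, src, dst, duration) VALUES (?, ?, ?, ?)",
                 (clid, src, dst, duration))
    conn.commit()


def stored_clids(conn):
    return [row[0] for row in conn.execute("SELECT clid FROM cdr")]


def demo():
    # Constructed CallerID: even a legitimate name with an apostrophe shows
    # that the unsafe path hands caller-supplied text to the SQL parser.
    clid = "O'Brien <5551234>"
    results = {}
    conn = new_db()
    try:
        log_cdr_unsafe(conn, clid, "5551234", "100", 42)
        results["unsafe"] = "inserted"
    except sqlite3.OperationalError as exc:
        results["unsafe"] = "sql syntax error: %s" % exc
    conn = new_db()
    log_cdr_safe(conn, clid, "5551234", "100", 42)
    results["safe"] = stored_clids(conn)
    return results
```

A syntax error is the benign outcome; the advisory's point is that a string built to be valid SQL instead changes the logic of the INSERT, which the parameterized form rules out.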


Recommendation:

@stake notified the author of this particular code on the 17th of
August. The author developed and deployed a patch silently to the CVS
on the 9th of September.

@stake recommends that if you have not deployed a CVS version
since the 9th of September 2003 to immediately do so.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0779  Asterisk CallerID CDR SQL injection


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.



    

- Vulnerability information

2547
Asterisk CallerID SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability description

Asterisk contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "CallerID" variable in the Call Detail Records (CDR) module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

- Timeline

2003-09-13 2003-09-13
Unknown Unknown

- Solution

Upgrade to version 0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Asterisk CallerID Call Detail Records SQL Injection Vulnerability
Input Validation Error 8599
Yes No
2003-09-11 12:00:00 2009-07-11 11:56:00
The discovery of this vulnerability has been credited to @stake.

- Affected program versions

Asterisk Asterisk 0.4
Asterisk Asterisk 0.3
Asterisk Asterisk 0.2
Asterisk Asterisk 0.1.9 -1
Asterisk Asterisk 0.1.9
Asterisk Asterisk 0.1.8
Asterisk Asterisk 0.1.7

- Vulnerability discussion

Asterisk is prone to SQL injection attacks via malformed Call Detail Records (CDR) data. The problem specifically occurs when handling CallerID data within CDR data. The vulnerability occurs due to insufficient sanitization and could allow for the execution of SQL commands on the system. This could potentially be exploited by an attacker to influence the logic of SQL queries or to exploit vulnerabilities in the underlying database. Other attacks may also be possible.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

This issue is said to have been addressed in the CVS tree on September 9th. This information has not been confirmed by Symantec.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related references
