[原文]Stack-based buffer overflow in the function that parses commands in Asterisk 1.0.7, when the 'write = command' option is enabled, allows remote attackers to execute arbitrary code via a command that has two double quotes followed by a tab character.
A remote overflow exists in Asterisk Manager Interface. The Asterisk Manager Interface fails to perform proper bounds checking on management command strings resulting in a buffer overflow. With a specially crafted request, an attacker can cause a remote buffer overflow, resulting in a loss of integrity.
Upgrade to version 1.0.8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): ensure the parameter "write = command" is never enabled within manager.conf
Discovery of this issue is credited to Wade Alcorn.
Asterisk Asterisk 1.0.7
Asterisk Asterisk CVS HEAD
Asterisk manager interface is prone to a remote buffer overflow vulnerability. The issue manifests due to a lack of sufficient boundary checks performed by command line interface processing routines. Reports indicate that the issue may only be exploited if the manager interface is accessible and an attacker is able to write commands to the interface.
Under certain circumstances a remote attacker may exploit this issue to execute arbitrary code in the context of the affected software.
An exploit was developed by the discoverer o this issue. This exploit s not believed to be publicly available.
The vendor has released an update (1.08) to address this issue. Customers are advised to contact the vendor for further information regarding obtaining and applying this update.