CVE-2006-2898
CVSS7.5
发布时间 :2006-06-07 06:02:00
修订时间 :2011-03-07 00:00:00
NMCOPS    

[原文]The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 and 1.0.x before 1.0.11 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via truncated IAX 2 (IAX2) video frames, which bypasses a length check and leads to a buffer overflow involving negative length check. NOTE: the vendor advisory claims that only a DoS is possible, but the original researcher is reliable.


[CNNVD]Asterisk IAX2 远程内存破坏漏洞(CNNVD-200606-166)

        Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。
        Asterisk的IAX消息解析的实现上存在内存破坏漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
        IAX协议的所有通讯都依赖于4569/UDP端口。协议使用15位的标识号在同一UDP端口上多路传输几个IAX2流。IAX2消息被称为帧,Asterisk源码包的iax2.h头文件中定义了几个基本的帧类型。
        IAX2完整帧使用如下的12字节首部:
        struct ast_iax2_full_hdr {
        unsigned short scallno; /*Source call number -- high bit must be 1*/
        unsigned short dcallno; /*Destination call number -- high bit is 1 if
        retransmission */
        unsigned int ts; /* 32-bit timestamp in milliseconds (from 1st
        transmission) */
        unsigned char oseqno; /* Packet number (outgoing) */
        unsigned char iseqno; /* Packet number (next incoming expected) */
        unsigned char type; /* Frame type */
        unsigned char csub; /* Compressed subclass */
        unsigned char iedata[0];
        } __attribute__ ((__packed__));
        IAX2的mini-frame使用4字节的首部:
        struct ast_iax2_mini_hdr {
        unsigned short callno; /* Source call number -- high bit must be 0,
        rest must be non-zero */
        unsigned short ts; /* 16-bit Timestamp (high 16 bits from last
        ast_iax2_full_hdr) */
        /* Frametype implicitly VOICE_FRAME */
        /* subclass implicit from last
        ast_iax2_full_hdr */
        unsigned char data[0];
        } __attribute__ ((__packed__));
        
        以下6字节的报文首部用于支持视频帧:
        struct ast_iax2_video_hdr {
        unsigned short zeros; /* Zeros field -- must be zero */
        unsigned short callno; /* Video call number */
        unsigned short ts; /* Timestamp and mark if present */
        unsigned char data[0];
        } __attribute__ ((__packed__));
        Asterisk的channels/chan_iax2.c文件中实现的socket_read()函数从网络读取IAX2报文。
        以下节选自该文件的revision 29849:
        static int socket_read(int *id, int fd, short events, void *cbdata)
        {
        struct sockaddr_in sin;
        int res;
        int updatehistory=1;
        int new = NEW_PREVENT;
        unsigned char buf[4096];
        void *ptr;
        socklen_t len = sizeof(sin);
        ...
        res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin,
         &len);
        if (res < 0) {
        if (errno != ECONNREFUSED)
        ast_log(LOG_WARNING, "Error: 临时解决方法:
        * 在边界阻断到4569/udp端口的入站报文。
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        http://ftp.digium.com/pub/telephony/asterisk/releases/asterisk-1.0.11.tar.gz
        http://ftp.digium.com/pub/telephony/asterisk/releases/asterisk-1.2.9.tar.gz\n",
        strerror(errno));
        handle_error();
        return 1;
        }
        if(test_losspct) { /* simulate random loss condition */
        if( (100.0*rand()/(RAND_MAX+1.0)) < test_losspct)
        return 1;
        }
        [A] if (res < sizeof(struct ast_iax2_mini_hdr)) {
        ast_log(LOG_WARNING,
        "midget packet received (%d of %d min)\n", res,
        (int)sizeof(struct ast_iax2_mini_hdr));
        return 1;
        }
        if ((vh->zeros == 0) & & (ntohs(vh->callno) & 0x8000)) {
        /* This is a video frame, get call number */
        fr->callno = find_callno(ntohs(vh->callno) & ~0x8000,
        dcallno, &sin, new,1, fd);
        [B] minivid = 1;
        } else if (meta->zeros == 0) {
        ....
        在[A]执行了长度检查以确保从网络读取的字节数不少于完整的mini frame首部所需的字节数。如果通过了这个检查,就会进一步检查判断报文是否属于[B]的启用视频的会话。由于IAX2 mini-frame所需的首部长度小于视频帧的首部长度,因此Asterisk不会拒绝大于等于字节但小于6字节的截短了的视频帧。
        之后的视频帧处理是由以下执行流完成的:
        ...
        } else if (minivid) {
        f.frametype = AST_FRAME_VIDEO;
        if (iaxs[fr->callno]->videoformat > 0)
        f.subclass = iaxs[fr->callno]->videoformat
        | (ntohs(vh->ts) & 0x8000 ? 1: 0);
        else {
        ast_log(LOG_WARNING,
        "Received mini frame before first full video frame\n ");
        iax2_vnak(fr->callno);
        ast_mutex_unlock( &iaxsl[fr->callno]);
        return 1;
        }
        [C] f.datalen = res - sizeof(struct ast_iax2_video_hdr);
        if (f.datalen)
        f.data = buf + sizeof(struct ast_iax2_video_hdr);
        else
        f.data = NULL;
        ...
        }
        ...
        [D] iax_frame_wrap(fr, &f)
        在[C]处视频负载的长度是通过从网络读取的字节数(recvfrom()调用的返回代码)减去视频首部(视频首部中所需要的字节数)的方法来计算的,因此如果收到了截短的视频帧,这个减法的结果可能是负数,存储在f.datalen,而f.data会指向接收报文边界以外的内存。
        之后在[D]调用了iax2-parser.c中实现的iax_frame_wrap()函数:
        void iax_frame_wrap(struct iax_frame *fr, struct ast_frame *f)
        {
        fr->af.frametype = f->frametype;
        fr->af.subclass = f->subclass;
        fr->af.mallocd = 0; /* Our frame is static relative to the
        container */
        fr->af.datalen = f->datalen;
        fr->af.samples = f->samples;
        fr->af.offset = AST_FRIENDLY_OFFSET;
        fr->af.src = f->src;
        fr->af.delivery.tv_sec = 0;
        fr->af.delivery.tv_usec = 0;
        fr->af.data = fr->afdata;
        if (fr->af.datalen) {
        #if __BYTE_ORDER == __LITTLE_ENDIAN
        /* We need to byte-swap slinear samples from network
        byte order */
        if ((fr->af.frametype == AST_FRAME_VOICE) & &
        (fr->af.subclass ==AST_FORMAT_SLINEAR)) {
        ast_swapcopy_samples(fr->af.data, f->data,
        fr->af.samples);
        } else
        #endif
        [E] memcpy(f

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)

cpe:/a:digium:asterisk:1.2.7Digium Asterisk 1.2.7
cpe:/a:digium:asterisk:1.0.9Digium Asterisk 1.0.9
cpe:/a:digium:asterisk:1.0.10Digium Asterisk 1.0.10
cpe:/a:digium:asterisk:1.2.0_beta1
cpe:/a:digium:asterisk:1.0.7Digium Asterisk 1.0.7
cpe:/a:digium:asterisk:1.2.8Digium Asterisk 1.2.8
cpe:/a:digium:asterisk:1.2.6Digium Asterisk 1.2.6
cpe:/a:digium:asterisk:1.0.8Digium Asterisk 1.0.8
cpe:/a:digium:asterisk:1.2.0_beta2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2898
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2898
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-166
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/18295
(PATCH)  BID  18295
http://www.securityfocus.com/archive/1/archive/1/436127/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060606 Asterisk 1.2.9 and Asterisk 1.0.11 Released - Security Fix
http://securitytracker.com/id?1016236
(PATCH)  SECTRACK  1016236
http://secunia.com/advisories/20497
(VENDOR_ADVISORY)  SECUNIA  20497
http://xforce.iss.net/xforce/xfdb/27045
(UNKNOWN)  XF  asterisk-iax2-videoframe-bo(27045)
http://www.vupen.com/english/advisories/2006/2181
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2181
http://www.securityfocus.com/archive/1/archive/1/436671/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060609 CORE-2006-0330: Asterisk PBX truncated video frame vulnerability
http://www.novell.com/linux/security/advisories/2006_38_security.html
(UNKNOWN)  SUSE  SUSE-SR:2006:015
http://www.gentoo.org/security/en/glsa/glsa-200606-15.xml
(UNKNOWN)  GENTOO  GLSA-200606-15
http://www.debian.org/security/2006/dsa-1126
(UNKNOWN)  DEBIAN  DSA-1126
http://www.asterisk.org/node/95
(UNKNOWN)  CONFIRM  http://www.asterisk.org/node/95
http://secunia.com/advisories/21222
(VENDOR_ADVISORY)  SECUNIA  21222
http://secunia.com/advisories/20899
(VENDOR_ADVISORY)  SECUNIA  20899
http://secunia.com/advisories/20658
(VENDOR_ADVISORY)  SECUNIA  20658

- 漏洞信息

Asterisk IAX2 远程内存破坏漏洞
高危 缓冲区溢出
2006-06-07 00:00:00 2006-08-23 00:00:00
远程  
        Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。
        Asterisk的IAX消息解析的实现上存在内存破坏漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
        IAX协议的所有通讯都依赖于4569/UDP端口。协议使用15位的标识号在同一UDP端口上多路传输几个IAX2流。IAX2消息被称为帧,Asterisk源码包的iax2.h头文件中定义了几个基本的帧类型。
        IAX2完整帧使用如下的12字节首部:
        struct ast_iax2_full_hdr {
        unsigned short scallno; /*Source call number -- high bit must be 1*/
        unsigned short dcallno; /*Destination call number -- high bit is 1 if
        retransmission */
        unsigned int ts; /* 32-bit timestamp in milliseconds (from 1st
        transmission) */
        unsigned char oseqno; /* Packet number (outgoing) */
        unsigned char iseqno; /* Packet number (next incoming expected) */
        unsigned char type; /* Frame type */
        unsigned char csub; /* Compressed subclass */
        unsigned char iedata[0];
        } __attribute__ ((__packed__));
        IAX2的mini-frame使用4字节的首部:
        struct ast_iax2_mini_hdr {
        unsigned short callno; /* Source call number -- high bit must be 0,
        rest must be non-zero */
        unsigned short ts; /* 16-bit Timestamp (high 16 bits from last
        ast_iax2_full_hdr) */
        /* Frametype implicitly VOICE_FRAME */
        /* subclass implicit from last
        ast_iax2_full_hdr */
        unsigned char data[0];
        } __attribute__ ((__packed__));
        
        以下6字节的报文首部用于支持视频帧:
        struct ast_iax2_video_hdr {
        unsigned short zeros; /* Zeros field -- must be zero */
        unsigned short callno; /* Video call number */
        unsigned short ts; /* Timestamp and mark if present */
        unsigned char data[0];
        } __attribute__ ((__packed__));
        Asterisk的channels/chan_iax2.c文件中实现的socket_read()函数从网络读取IAX2报文。
        以下节选自该文件的revision 29849:
        static int socket_read(int *id, int fd, short events, void *cbdata)
        {
        struct sockaddr_in sin;
        int res;
        int updatehistory=1;
        int new = NEW_PREVENT;
        unsigned char buf[4096];
        void *ptr;
        socklen_t len = sizeof(sin);
        ...
        res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin,
         &len);
        if (res < 0) {
        if (errno != ECONNREFUSED)
        ast_log(LOG_WARNING, "Error: 临时解决方法:
        * 在边界阻断到4569/udp端口的入站报文。
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        http://ftp.digium.com/pub/telephony/asterisk/releases/asterisk-1.0.11.tar.gz
        http://ftp.digium.com/pub/telephony/asterisk/releases/asterisk-1.2.9.tar.gz\n",
        strerror(errno));
        handle_error();
        return 1;
        }
        if(test_losspct) { /* simulate random loss condition */
        if( (100.0*rand()/(RAND_MAX+1.0)) < test_losspct)
        return 1;
        }
        [A] if (res < sizeof(struct ast_iax2_mini_hdr)) {
        ast_log(LOG_WARNING,
        "midget packet received (%d of %d min)\n", res,
        (int)sizeof(struct ast_iax2_mini_hdr));
        return 1;
        }
        if ((vh->zeros == 0) & & (ntohs(vh->callno) & 0x8000)) {
        /* This is a video frame, get call number */
        fr->callno = find_callno(ntohs(vh->callno) & ~0x8000,
        dcallno, &sin, new,1, fd);
        [B] minivid = 1;
        } else if (meta->zeros == 0) {
        ....
        在[A]执行了长度检查以确保从网络读取的字节数不少于完整的mini frame首部所需的字节数。如果通过了这个检查,就会进一步检查判断报文是否属于[B]的启用视频的会话。由于IAX2 mini-frame所需的首部长度小于视频帧的首部长度,因此Asterisk不会拒绝大于等于字节但小于6字节的截短了的视频帧。
        之后的视频帧处理是由以下执行流完成的:
        ...
        } else if (minivid) {
        f.frametype = AST_FRAME_VIDEO;
        if (iaxs[fr->callno]->videoformat > 0)
        f.subclass = iaxs[fr->callno]->videoformat
        | (ntohs(vh->ts) & 0x8000 ? 1: 0);
        else {
        ast_log(LOG_WARNING,
        "Received mini frame before first full video frame\n ");
        iax2_vnak(fr->callno);
        ast_mutex_unlock( &iaxsl[fr->callno]);
        return 1;
        }
        [C] f.datalen = res - sizeof(struct ast_iax2_video_hdr);
        if (f.datalen)
        f.data = buf + sizeof(struct ast_iax2_video_hdr);
        else
        f.data = NULL;
        ...
        }
        ...
        [D] iax_frame_wrap(fr, &f)
        在[C]处视频负载的长度是通过从网络读取的字节数(recvfrom()调用的返回代码)减去视频首部(视频首部中所需要的字节数)的方法来计算的,因此如果收到了截短的视频帧,这个减法的结果可能是负数,存储在f.datalen,而f.data会指向接收报文边界以外的内存。
        之后在[D]调用了iax2-parser.c中实现的iax_frame_wrap()函数:
        void iax_frame_wrap(struct iax_frame *fr, struct ast_frame *f)
        {
        fr->af.frametype = f->frametype;
        fr->af.subclass = f->subclass;
        fr->af.mallocd = 0; /* Our frame is static relative to the
        container */
        fr->af.datalen = f->datalen;
        fr->af.samples = f->samples;
        fr->af.offset = AST_FRIENDLY_OFFSET;
        fr->af.src = f->src;
        fr->af.delivery.tv_sec = 0;
        fr->af.delivery.tv_usec = 0;
        fr->af.data = fr->afdata;
        if (fr->af.datalen) {
        #if __BYTE_ORDER == __LITTLE_ENDIAN
        /* We need to byte-swap slinear samples from network
        byte order */
        if ((fr->af.frametype == AST_FRAME_VOICE) & &
        (fr->af.subclass ==AST_FORMAT_SLINEAR)) {
        ast_swapcopy_samples(fr->af.data, f->data,
        fr->af.samples);
        } else
        #endif
        [E] memcpy(f

- 公告与补丁

        

- 漏洞信息 (F48654)

Debian Linux Security Advisory 1126-1 (PacketStormID:F48654)
2006-07-28 00:00:00
Debian  debian.org
advisory,remote
linux,debian
CVE-2006-2898
[点击下载]

Debian Security Advisory 1126-1 - A problem has been discovered in the IAX2 channel driver of Asterisk, an Open Source Private Branch Exchange and telephony toolkit, which may allow a remote to cause a crash of the Asterisk server.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1126-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 27th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2898
BugTraq ID     : 18295

A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause au crash of the Asterisk server.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.7.dfsg.1-2sarge3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your asterisk packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3.dsc
      Size/MD5 checksum:     1259 cee8373afe6f44b36ea61e04d63b67ca
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3.diff.gz
      Size/MD5 checksum:    70172 5510f5699aee64b06f8d8db4e62ca275
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
      Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge3_all.deb
      Size/MD5 checksum:    61532 58e631534a5c34740dce182177a3e16b
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge3_all.deb
      Size/MD5 checksum:    83300 92e5c344ae1022fbb8264dfeda02d2c2
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge3_all.deb
      Size/MD5 checksum:  1577638 796103a2c2152b1da96ee557845c4ea0
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge3_all.deb
      Size/MD5 checksum:  1180198 3ffd1657b6ae3824d849107288bfd393
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge3_all.deb
      Size/MD5 checksum:    28290 bd1dca8dcf7dbe19614415d83454534b

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_alpha.deb
      Size/MD5 checksum:  1477586 e6f5a94ca3b89eb61f2b7cba32532b0f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_alpha.deb
      Size/MD5 checksum:    31326 76c73e029c258daab79db1c3e2fe87f9
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_alpha.deb
      Size/MD5 checksum:    21354 4f86990f289a85e40b07b83a1bfbbaeb

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_amd64.deb
      Size/MD5 checksum:  1333258 39d6b98db096bcf6fa4db45bc578450a
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_amd64.deb
      Size/MD5 checksum:    30738 1b542c9cf1701f3c74250135989a53fc
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_amd64.deb
      Size/MD5 checksum:    21348 162f687406dd17fba17f059310e9669b

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_arm.deb
      Size/MD5 checksum:  1262736 d88b5f4a1d7a1429f8ffd48da9f46816
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_arm.deb
      Size/MD5 checksum:    29466 d24a9a1f6f57b1b1b4f5eb3ecb44a70f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_arm.deb
      Size/MD5 checksum:    21356 440be66143a663f0698e0236fd92e164

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_i386.deb
      Size/MD5 checksum:  1171422 49ba67f54d8a1bdd331e5f383a0c260f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_i386.deb
      Size/MD5 checksum:    29758 6125fda845413e5785dbd5d7c679a392
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_i386.deb
      Size/MD5 checksum:    21354 f258d72d58eb640660e0efac297edc5f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_ia64.deb
      Size/MD5 checksum:  1771180 cc15c68a1a3551f3c6a3db01572fb872
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_ia64.deb
      Size/MD5 checksum:    32880 683dca0a82cadc16ad38c0c65fce4763
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_ia64.deb
      Size/MD5 checksum:    21354 9d3caf73141a753723050a52c7109047

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_hppa.deb
      Size/MD5 checksum:  1448108 4e2074b1ca5ba9dffdda252e0a829ee4
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_hppa.deb
      Size/MD5 checksum:    31384 3f5a1bd65ee55389445b0487eac8c368
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_hppa.deb
      Size/MD5 checksum:    21352 ce35dfb46609b19f617472396e552e72

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_m68k.deb
      Size/MD5 checksum:  1184680 3f73cbf0c391fc41c04d67cfe29e0001
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_m68k.deb
      Size/MD5 checksum:    30130 4e7f290a74e7b682073718e8edc1cc8a
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_m68k.deb
      Size/MD5 checksum:    21356 62ce31ac95d033e589f42a015fddf66b

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_mips.deb
      Size/MD5 checksum:  1263882 52bca4c81f91b8eecb6e557a769e8d64
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_mips.deb
      Size/MD5 checksum:    29342 b9d7659f65d8a4d6f9fad86073a72b9f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_mips.deb
      Size/MD5 checksum:    21354 0a69634f046b529d1b72d49746a138b2

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_mipsel.deb
      Size/MD5 checksum:  1270240 2aa0c58b551845a4a2a5b07b4660432c
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_mipsel.deb
      Size/MD5 checksum:    29276 b3e996a206805436b280aa1c7468a311
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_mipsel.deb
      Size/MD5 checksum:    21356 845710e845334fe95bd53b34259fecf3

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_powerpc.deb
      Size/MD5 checksum:  1425078 29e124b6584659daf5ae62400961b065
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_powerpc.deb
      Size/MD5 checksum:    31080 409b172a4b64d79765a9b481c25c43c7
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_powerpc.deb
      Size/MD5 checksum:    21356 09f7bab0bc72f03ff52a7ad77614ffd8

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_s390.deb
      Size/MD5 checksum:  1312432 de1a22506fd0d5e30be34db44095fc77
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_s390.deb
      Size/MD5 checksum:    30762 ade33ddd646fca9653a31598df8aa9ce
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_s390.deb
      Size/MD5 checksum:    21354 63662843c514334226737f60d1b5cab6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_sparc.deb
      Size/MD5 checksum:  1274188 3aa3d901a56583bd0ef815761e9bf34d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_sparc.deb
      Size/MD5 checksum:    29728 71656321b8a63a875d56edb760cbf385
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_sparc.deb
      Size/MD5 checksum:    21350 f96215e4d19ef628a057a8e6dbe9716f


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEyF30W5ql+IAeqTIRAt5iAJ9her05bPSniUNcdqt59KAEPyWm8QCfRrLj
otLHweSY1Rj4tweUJV4e1Rs=
=pbKB
-----END PGP SIGNATURE-----

    

- 漏洞信息

26187
Asterisk chan_iax2 IAX2 Channel Driver Unspecified DoS
Denial of Service
Loss of Availability
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-06-05 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.2.9.1, 1.0.11.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Asterisk IAX2 Remote Buffer Overflow Vulnerability
Boundary Condition Error 18295
Yes No
2006-06-06 12:00:00 2006-07-28 04:42:00
Damian Saura, Alejandro Lozanoff, Eduardo Koch, Norberto Kueffner and Ivan Arce from Core Security Technologies discovered this vulnerability.

- 受影响的程序版本

S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 10.1
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Asterisk Asterisk 1.2.8
Asterisk Asterisk 1.2.7
Asterisk Asterisk 1.2.6
Asterisk Asterisk 1.2 .0-beta2
Asterisk Asterisk 1.2 .0-beta1
Asterisk Asterisk 1.0.10
Asterisk Asterisk 1.0.9
Asterisk Asterisk 1.0.8
Asterisk Asterisk 1.0.7
Asterisk Asterisk 0.9 .0
Asterisk Asterisk 0.7.2
Asterisk Asterisk 0.7.1
Asterisk Asterisk 0.7 .0
Asterisk Asterisk 0.4
Asterisk Asterisk 0.3
Asterisk Asterisk 0.2
Asterisk Asterisk 0.1.9 -1
Asterisk Asterisk 0.1.9
Asterisk Asterisk 0.1.8
Asterisk Asterisk 0.1.7
Asterisk Asterisk 1.2.9
Asterisk Asterisk 1.0.11

- 不受影响的程序版本

Asterisk Asterisk 1.2.9
Asterisk Asterisk 1.0.11

- 漏洞讨论

Asterisk is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

This vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the server, denying further service to legitimate users.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- 解决方案

To address this issue, the vendor has released versions 1.0.11 (for the 1.0.x strain) and 1.2.9 (for the 1.2.x strain).

Please see the referenced vendor advisories for more information.


Asterisk Asterisk 1.0.10

Asterisk Asterisk 1.0.7

Asterisk Asterisk 1.0.8

Asterisk Asterisk 1.0.9

Asterisk Asterisk 1.2 .0-beta1

Asterisk Asterisk 1.2 .0-beta2

Asterisk Asterisk 1.2.6

Asterisk Asterisk 1.2.7

Asterisk Asterisk 1.2.8

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站