Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2007-3762 to a friend New vulnerability? New tool? Tell us	CVE-2007-3762 Stack Buffer Overflow in Asterisk's IAX2 Channel Driver     Credit: The information has been provided by Russell Bryant. The original article can be found at: http://ftp.digium.com/pub/asa/ASA-2007-014.pdf Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2007-3762 Details Check for CVE-2007-3762 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Asterisk Open Source versions prior to 1.2.22  * Asterisk Open Source versions prior to 1.4.8  * Asterisk Business Edition versions prior to B.2.2.1  * AsteriskNOW prerelease versions prior to beta7  * Asterisk Appliance Developer Kit versions prior to 0.5.0  * s800i (Asterisk Appliance) versions prior to 1.0.2 Immune Systems:  * Asterisk Open Source version 1.2.22  * Asterisk Open Source version 1.4.8  * Asterisk Business Edition B.2.2.1  * AsteriskNOW Beta7  * Asterisk Appliance Developer Kit version 0.5.0  * s800i (Asterisk Appliance) version 1.0.2 The specific conditions that trigger the vulnerability are the following:  * iax2_write() is called with a frame with the following properties a voice or video frame  * Its 4-byte timestamp has the same high 2 bytes as the previous frame that was sent  * Its format is the one currently expected  * Its data payload is larger than 4 kB iax2_write() calls iax2_send() to send the frame. Inside of iax2_send(), there is a conditional check to determine whether the frame should be sent immediately (the now variable) or queued for transmission later. If the frame is going to be transmitted later, an iax_frame struct is dynamically allocated with a data buffer that has the exact buffer size needed to accommodate for the provided ast_frame data. However, if the frame is being sent immediately, it uses a stack allocated iax_frame, with a data buffer size of 4096 bytes. Later, the iax_frame_wrap() function is used to copy the data from the ast_frame struct into the iax_frame struct. This function assumes the iax_frame data buffer has enough space for all of the data in the ast_frame. Resolution: This issue is only exploitable when the system is configured in such a way that calls between channels that use RTP and IAX2 channels are possible. Also, some additional protection against arbitrary code execution is provided if the call involves transcoding between audio formats as this will change the contents of the frame payload. All users that have systems that connect calls between channels that use RTP and IAX2 channels should immediately update to versions listed in the corrected in section of this advisory. CVE Information: CVE-2007-3762  Comments on CVE-2007-3762:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2017 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®