SecuriTeam - Asterisk CallerID CDR SQL Injection

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Asterisk is a complete PBX (Private Branch eXchange) in software. It runs on Linux and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP with three protocols (SIP, IAX v1 and v2, and H323), and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.

Call Detail Records (CDRs) are generated by telephony systems in order to perform a number of functions such as billing and rating. CDRs contain a number of fields that identify useful information about the call including source, destination, and other items such as CallerID. These can be generated numerous times during the call to indicate the state of the call as well.

@stake found an issue while conducting a source code review of the CDR logging functionality. It is possible to perform SQL injection if an attacker can supply a malformed CallerID string.

The interesting thing to note about this vulnerability is that is cannot only be launched via VoIP protocols, but also through fixed-line connections (i.e. POTS - Plain Old Telephone System).

Credit:
The original advisory can be downloaded from: http://www.atstake.com/research/advisories/2003/a091103-1.txt.
The information has been provided by at stake Advisories.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

@stake discovered that minimal input validation occurred between CDR generation and the acceptance of this data as part of the SQL query.

SQL injection is covered in details in:
1) SQL Injection - http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf

2) Advanced SQL Injection - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

As a result, it is possible for a remote unauthenticated user to perform arbitrary database operations.

Recommendation:
@stake notified the author of this particular code on the 17th of August. The author developed and deployed a patch silently to the CVS on the 9th of September.

@stake recommends that if you have not deployed a CVS version since the 9th of September 2003 to immediately do so.

	Publique! CMS and SQL Injection Vulnerabilities
	Files2Links F2L-3000 SQL Injection Vulnerability
	HP-UX Running Apache Data Injection and DoS Vulnerability
	MIT krb5 KDC denial of service in cross-realm referral processing
	AproxEngine Multiple Vulnerabilities
	APC Switched Rack PDU XSS Vulnerability
	HP-UX Running OpenSSL Unauthorized Data Injection and Denial of Service
	HP OpenView NNM snmpviewer.exe CGI Host Header Stack Overflow Vulnerability
	HP OpenView NNM ovwebsnmpsrv.exe OVwSelection Stack Overflow Vulnerability
	HP-UX Running VRTSweb Remote Execution of Arbitrary Code and Privilege Escalation
	FreeBSD SSL and TLS Session Renegotiation vulnerability
	CoreHTTP Web Server Buffer Overflow Vulnerability
	HP OpenView Network Node Manager DoS Vulnerability
	ToutVirtual VirtualIQ Multiple Vulnerabilities
	Transport Layer Security Renegotiation Vulnerability