what you don't know can hurt you

Asterisk Project Security Advisory - AST-2012-003

Asterisk Project Security Advisory - AST-2012-003
Posted Mar 16, 2012
Authored by Matt Jordan | Site asterisk.org

Asterisk Project Security Advisory - An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection.

tags | advisory, remote, web, overflow
MD5 | 397821839758278f437c9b144d3db54f

Asterisk Project Security Advisory - AST-2012-003

Change Mirror Download
               Asterisk Project Security Advisory - AST-2012-003

Product Asterisk
Summary Stack Buffer Overflow in HTTP Manager
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 03/15/2012
Reported By Russell Bryant
Posted On 03/15/2012
Last Updated On March 15, 2012
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name

Description An attacker attempting to connect to an HTTP session of the
Asterisk Manager Interface can send an arbitrarily long
string value for HTTP Digest Authentication. This causes a
stack buffer overflow, with the possibility of remote code
injection.

Resolution Upgrade to one of the versions of Asterisk listed in the
"Corrected In" section, or apply a patch specified in the
"Patches" section.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions

Corrected In
Product Release
Asterisk Open Source 1.8.10.1
Asterisk Open Source 10.2.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10

Links https://issues.asterisk.org/jira/browse/ASTERISK-19542

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html

Revision History
Date Editor Revisions Made
03-15-2012 Matt Jordan Initial release

Asterisk Project Security Advisory - AST-2012-003
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close