exploit the possibilities

Asterisk Project Security Advisory - AST-2012-003

Asterisk Project Security Advisory - AST-2012-003
Posted Mar 16, 2012
Authored by Matt Jordan | Site asterisk.org

Asterisk Project Security Advisory - An attacker attempting to connect to an HTTP session of the Asterisk Manager Interface can send an arbitrarily long string value for HTTP Digest Authentication. This causes a stack buffer overflow, with the possibility of remote code injection.

tags | advisory, remote, web, overflow
MD5 | 397821839758278f437c9b144d3db54f

Asterisk Project Security Advisory - AST-2012-003

Change Mirror Download
               Asterisk Project Security Advisory - AST-2012-003

Product Asterisk
Summary Stack Buffer Overflow in HTTP Manager
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 03/15/2012
Reported By Russell Bryant
Posted On 03/15/2012
Last Updated On March 15, 2012
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name

Description An attacker attempting to connect to an HTTP session of the
Asterisk Manager Interface can send an arbitrarily long
string value for HTTP Digest Authentication. This causes a
stack buffer overflow, with the possibility of remote code
injection.

Resolution Upgrade to one of the versions of Asterisk listed in the
"Corrected In" section, or apply a patch specified in the
"Patches" section.

Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions

Corrected In
Product Release
Asterisk Open Source 1.8.10.1
Asterisk Open Source 10.2.1

Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10

Links https://issues.asterisk.org/jira/browse/ASTERISK-19542

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html

Revision History
Date Editor Revisions Made
03-15-2012 Matt Jordan Initial release

Asterisk Project Security Advisory - AST-2012-003
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close