what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-09-11.1

Atstake Security Advisory 03-09-11.1
Posted Sep 13, 2003
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Security Advisory A091103-1 - The Asterisk software PBX is vulnerable to a SQL injection attack if a user is able to supply malformed CallerID data.

tags | advisory, sql injection
advisories | CVE-2003-0779
SHA-256 | 5e15bb2ff6724c97a49a179d9a726211e776427e671df463171f1f56c220d1b7

Atstake Security Advisory 03-09-11.1

Change Mirror Download
Hash: SHA1

@stake, Inc.

Security Advisory

Advisory Name: Asterisk CallerID CDR SQL Injection
Release Date: 09/11/2003
Application: Asterisk
Platform: Linux (x86)
Severity: An attacker is able to obtain remote access to the
database/host via the CallerID string
Authors: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Informed / CVS Updated 9th of September 2003
CVE Candidate: CAN-2003-0779
Reference: www.atstake.com/research/advisories/2003/a091103-1.txt


Asterisk (http://www.asterisk.org/) is a complete PBX (Private
Branch eXchange) in software. It runs on Linux and provides all of the
features you would expect from a PBX and more. Asterisk does voice over IP
with three protocols (SIP, IAX v1 and v2, and H323), and can interoperate
with almost all standards-based telephony equipment using relatively
inexpensive hardware.

Call Detail Records (CDRs) are generated by telephony systems in order
to perform a number of functions such as billing and rating. CDRs contain
a number of fields that identify useful information about the call
including source, destination, and other items such as CallerID. These
can be generated numerous times during the call to indicate the state of
the call as well.

@stake found an issue while conducting a source code review of the CDR
logging functionality. It is possible to perform SQL injection if an
attacker can supply a malformed CallerID string.

The interesting thing to note about this vulnerability is that is can
not only be launched via VoIP protocols, but also through fixed-line
connections (i.e. POTS - Plain Old Telephone System).


@stake discovered that minimal input validation occurred between CDR
generation and the acceptance of this data as part of the SQL query.

SQL injection is covered in great details in:

i) SQL Injection

ii) Advanced SQL Injection

As a result, it is possible for a remote unauthenticated user to
perform arbitrary database operations.


@stake notified the author of this particular code on the 17th of
August. The author developed and deployed a patch silently to the CVS
on the 9th of September.

@stake recommends that if you have not deployed a CVS version
since the 9th of September 2003 to immediately do so.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0779 Asterisk CallerID CDR SQL injection

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0


Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By