AST-2007-024.txt

Posted Nov 8, 2007
Authored by Michal Bucko, Mark Michelson | Site asterisk.org

Asterisk Project Security Advisory - This advisory is a response to a false security vulnerability published in several places on the Internet. Had Asterisk's developers been notified prior to its publication, there would be no need for this. There is a potential for a buffer overflow in the sethdlc application; however, running this application requires root access to the server, which means that exploiting this vulnerability gains the attacker no more advantage than what he already has. As such, this is a bug, not a security vulnerability.

tags | advisory, overflow, root
advisories | CVE-2007-5690
MD5 | 4e70e810f66fe1da827e00a4ea82b022

                Asterisk Project Security Advisory - AST-2007-024

+------------------------------------------------------------------------+
| Product | Zaptel |
|--------------------+---------------------------------------------------|
| Summary | Potential buffer overflow from command line |
| | application "sethdlc" |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Buffer overflow |
|--------------------+---------------------------------------------------|
| Susceptibility | Local sessions |
|--------------------+---------------------------------------------------|
| Severity | None |
|--------------------+---------------------------------------------------|
| Exploits Known | None |
|--------------------+---------------------------------------------------|
| Reported On | October 31, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Michael Bucko <michael DOT bucko AT eleytt DOT |
| | com> |
|--------------------+---------------------------------------------------|
| Posted On | October 31, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | November 1, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> |
|--------------------+---------------------------------------------------|
| CVE Name | CVE-2007-5690 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | This advisory is a response to a false security |
| | vulnerability published in several places on the |
| | Internet. Had Asterisk's developers been notified prior |
| | to its publication, there would be no need for this. |
| | |
| | There is a potential for a buffer overflow in the |
| | sethdlc application; however, running this application |
| | requires root access to the server, which means that |
| | exploiting this vulnerability gains the attacker no more |
| | advantage than what he already has. As such, this is a |
| | bug, not a security vulnerability. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | The copy of the user-provided argument to the buffer has |
| | been limited to the length of the buffer. This fix has |
| | been committed to the Zaptel 1.2 and 1.4 repositories, |
| | but due to the lack of severity, new releases will not be |
| | immediately made. |
| | |
| | While we appreciate this programming error being brought |
| | to our attention, we would encourage security researchers |
| | to contact us prior to releasing any reports of their |
| | own, both so that we can fix any vulnerability found |
| | prior to the release of an announcement, as well as |
| | avoiding these types of mistakes (and the potential |
| | embarrassment of reporting a vulnerability that wasn't) |
| | in the future. |
+------------------------------------------------------------------------+
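The programming error the Description and Resolution tables refer to, and the fix they report, as an added C example that is not Zaptel's sethdlc source (the advisory does not quote it): a command-line argument copied into a fixed-size stack buffer with no bound, beside a copy limited to the buffer length. The buffer size DEVNAME_LEN, the function names and the device-name argument are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the advisory does not state the
 * size of the buffer in sethdlc. */
#define DEVNAME_LEN 32

/* The bug pattern the advisory describes (illustrative, not Zaptel's code):
 * strcpy() writes strlen(arg)+1 bytes into dst no matter how large dst is,
 * so an argument of DEVNAME_LEN or more characters overruns the buffer. */
void copy_arg_unbounded(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* The fix the advisory describes: the copy is limited to the length of the
 * destination buffer. An over-long argument is rejected rather than silently
 * truncated, so the program never acts on a mangled device name and dst is
 * always NUL-terminated on success. Returns 0 on success, -1 if rejected. */
int copy_arg_bounded(char *dst, size_t dstlen, const char *arg)
{
    size_t n = strlen(arg);
    if (dstlen == 0 || n >= dstlen)   /* need room for n bytes plus the NUL */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Helper for checking the bounded copy: length of the string actually
 * stored in a DEVNAME_LEN buffer, or -1 when the argument was rejected. */
int stored_len_for(const char *arg)
{
    char devname[DEVNAME_LEN];
    if (copy_arg_bounded(devname, sizeof devname, arg) != 0)
        return -1;
    return (int)strlen(devname);
}

/* Hypothetical command-line front end in the shape of a sethdlc-style tool:
 * the device name comes from argv, so its length is attacker-chosen. */
int main(int argc, char **argv)
{
    char devname[DEVNAME_LEN];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <device>\n", argv[0]);
        return 2;
    }
    if (copy_arg_bounded(devname, sizeof devname, argv[1]) != 0) {
        fprintf(stderr, "device name too long (max %d characters)\n",
                DEVNAME_LEN - 1);
        return 1;
    }
    printf("configuring device %s\n", devname);
    return 0;
}
```

Rejecting the argument is preferable to a truncating copy such as strncpy(): truncation can leave the buffer unterminated and would make the tool act on a device name the operator never typed. As the advisory notes, because sethdlc already requires root, the bounded copy removes a crash and a memory-safety bug rather than closing a privilege boundary.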

+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-----------------+----------------+-------------------------------------|
| Zaptel | 1.2.x | All versions prior to 1.2.22 |
|-----------------+----------------+-------------------------------------|
| Zaptel | 1.4.x | All versions prior to 1.4.7 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|----------------------------+-------------------------------------------|
| Zaptel | 1.2.22, when available |
|----------------------------+-------------------------------------------|
| Zaptel | 1.4.7, when available |
|----------------------------+-------------------------------------------|
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|Links |http://archives.neohapsis.com/archives/bugtraq/2007-10/0316.html |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-024.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-024.html. |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|------------+----------------+------------------------------------------|
| 10/31/2007 | Mark Michelson | Initial release |
|------------+----------------+------------------------------------------|
| 10/31/2007 | Mark Michelson | Changed severity, description, and |
| | | resolution |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2007-024
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.