Vulnerabilities > CVE-2006-5444 - Unspecified vulnerability in Digium Asterisk

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
digium
nessus
exploit available

Summary

Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) in Asterisk 1.0.x before 1.0.12 and 1.2.x before 1.2.13, as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow.

Exploit-Db

descriptionAsterisk <= 1.0.12 / 1.2.12.1 (chan_skinny) Remote Heap Overflow (PoC). CVE-2006-5444. Dos exploits for multiple platform
idEDB-ID:2597
last seen2016-01-31
modified2006-10-19
published2006-10-19
reporterNoam Rathaus
sourcehttps://www.exploit-db.com/download/2597/
titleAsterisk <= 1.0.12 / 1.2.12.1 chan_skinny Remote Heap Overflow PoC

Nessus

  • NASL familyGain a shell remotely
    NASL idASTERISK_CHAN_SKINNY_DLEN_OVERFLOW.NASL
    descriptionThe chan_skinny channel driver included in the version of Asterisk running on the remote host does not properly validate the length header in incoming packets. An unauthenticated, remote attacker may be able to leverage this flaw to execute code on the affected host subject to the privileges under which Asterisk runs, generally root.
    last seen2020-06-01
    modified2020-06-02
    plugin id22878
    published2006-10-19
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22878
    titleAsterisk Skinny Channel Driver (chan_skinny) get_input Function Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22878);
      script_version("1.23");
    
      script_cve_id("CVE-2006-5444");
      script_bugtraq_id(20617);
    
      script_name(english:"Asterisk Skinny Channel Driver (chan_skinny) get_input Function Remote Overflow");
      script_summary(english:"Sends a special packet to Asterisk's chan_skinny channel driver");
    
     script_set_attribute(attribute:"synopsis", value:
    "A telephony application running on the remote host is affected by a
    heap overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The chan_skinny channel driver included in the version of Asterisk
    running on the remote host does not properly validate the length
    header in incoming packets.  An unauthenticated, remote attacker may be
    able to leverage this flaw to execute code on the affected host
    subject to the privileges under which Asterisk runs, generally root." );
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/449127/30/0/threaded" );
     # http://web.archive.org/web/20061108144940/http://www.asterisk.org/node/109
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e5f58960" );
     script_set_attribute(attribute:"solution", value:
    "Either disable the chan_skinny channel driver or upgrade to Asterisk
    1.2.13 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/10/19");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/10/18");
     script_set_attribute(attribute:"patch_publication_date", value: "2006/10/19");
     script_cvs_date("Date: 2019/03/06 18:38:55");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:digium:asterisk");
    script_end_attributes();
    
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Gain a shell remotely");
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_dependencies("skinny_detect.nasl");
      script_require_ports("Services/skinny", 2000);
    
      exit(0);
    }
    
    
    include("byte_func.inc");
    
    
    port = get_kb_item("Services/skinny");
    if (!port) port = 2000;
    if (!get_port_state(port)) exit(0);
    
    
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    
    
    # Send a weird request; a vulnerable version will respond while 
    # a patched one will silently drop it.
    device = "SEP6E6573737573";
    ip = split(compat::this_host(), sep:'.', keep:FALSE);
    
    set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);
    req = mkdword(0x80000000) +            # message length
      mkdword(0) +                         # reserved
      mkdword(1) +                         # message id (1 => station register)
        device + mkbyte(0) +               #   name
        mkdword(0) +                       #   station userid
        mkdword(1) +                       #   station instance
        mkbyte(int(ip[0])) +               #   client ip
          mkbyte(int(ip[1])) + 
          mkbyte(int(ip[2])) + 
          mkbyte(int(ip[3])) + 
        mkdword(2) +                       #   device type (2 => 12SPplus)
        mkdword(0);                        #   max streams
    req += crap(1008-strlen(req));
    send(socket:soc, data:req);
    res = recv(socket:soc, length:1024);
    close(soc);
    
    
    # There's a problem if we get a response.
    if (
      strlen(res) > 12 && 
      getdword(blob:res, pos:0) == strlen(res) - 8 &&
      (
        getdword(blob:res, pos:8) == 0x81 ||
        (getdword(blob:res, pos:8) == 0x9d && string("No Authority: ", device) >< res)
      )
    ) security_hole(port);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_ASTERISK-2272.NASL
    descriptionThis update fixes 2 security problem in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of
    last seen2020-06-01
    modified2020-06-02
    plugin id27156
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27156
    titleopenSUSE 10 Security Update : asterisk (asterisk-2272)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update asterisk-2272.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27156);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-5444", "CVE-2006-5445");
    
      script_name(english:"openSUSE 10 Security Update : asterisk (asterisk-2272)");
      script_summary(english:"Check for the asterisk-2272 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes 2 security problem in the PBX software Asterisk.
    
    CVE-2006-5444: Integer overflow in the get_input function in the
    Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones,
    allows remote attackers to execute arbitrary code via a certain dlen
    value that passes a signed integer comparison and leads to a
    heap-based buffer overflow.
    
    CVE-2006-5445: A vulnerability in the SIP channel driver
    (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote
    attackers to cause a denial of service (resource consumption) via
    unspecified vectors that result in the creation of 'a real pvt
    structure' that uses more resources than necessary."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"asterisk-1.2.5-12.8") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1229.NASL
    descriptionAdam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id23790
    published2006-12-11
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23790
    titleDebian DSA-1229-1 : asterisk - integer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1229. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23790);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5444");
      script_bugtraq_id(20617);
      script_xref(name:"CERT", value:"521252");
      script_xref(name:"DSA", value:"1229");
    
      script_name(english:"Debian DSA-1229-1 : asterisk - integer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Adam Boileau discovered an integer overflow in the Skinny channel
    driver in Asterisk, an Open Source Private Branch Exchange or
    telephone system, as used by Cisco SCCP phones, which allows remote
    attackers to execute arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1229"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the asterisk packages.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 1.0.7.dfsg.1-2sarge4."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/11");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"asterisk", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-config", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-dev", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-doc", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-gtk-console", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-h323", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-sounds-main", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-web-vmail", reference:"1.0.7.dfsg.1-2sarge4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200610-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200610-15 (Asterisk: Multiple vulnerabilities) Asterisk contains buffer overflows in channels/chan_mgcp.c from the MGCP driver and in channels/chan_skinny.c from the Skinny channel driver for Cisco SCCP phones. It also dangerously handles client-controlled variables to determine filenames in the Record() function. Finally, the SIP channel driver in channels/chan_sip.c could use more resources than necessary under unspecified circumstances. Impact : A remote attacker could execute arbitrary code by sending a crafted audit endpoint (AUEP) response, by sending an overly large Skinny packet even before authentication, or by making use of format strings specifiers through the client-controlled variables. An attacker could also cause a Denial of Service by resource consumption through the SIP channel driver. Workaround : There is no known workaround for the format strings vulnerability at this time. You can comment the lines in /etc/asterisk/mgcp.conf, /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the three vulnerable channel drivers. Please note that the MGCP channel driver is disabled by default.
    last seen2020-06-01
    modified2020-06-02
    plugin id22930
    published2006-10-31
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22930
    titleGLSA-200610-15 : Asterisk: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200610-15.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22930);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-4345", "CVE-2006-4346", "CVE-2006-5444", "CVE-2006-5445");
      script_xref(name:"GLSA", value:"200610-15");
    
      script_name(english:"GLSA-200610-15 : Asterisk: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200610-15
    (Asterisk: Multiple vulnerabilities)
    
        Asterisk contains buffer overflows in channels/chan_mgcp.c from the
        MGCP driver and in channels/chan_skinny.c from the Skinny channel
        driver for Cisco SCCP phones. It also dangerously handles
        client-controlled variables to determine filenames in the Record()
        function. Finally, the SIP channel driver in channels/chan_sip.c could
        use more resources than necessary under unspecified circumstances.
      
    Impact :
    
        A remote attacker could execute arbitrary code by sending a crafted
        audit endpoint (AUEP) response, by sending an overly large Skinny
        packet even before authentication, or by making use of format strings
        specifiers through the client-controlled variables. An attacker could
        also cause a Denial of Service by resource consumption through the SIP
        channel driver.
      
    Workaround :
    
        There is no known workaround for the format strings vulnerability at
        this time. You can comment the lines in /etc/asterisk/mgcp.conf,
        /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the
        three vulnerable channel drivers. Please note that the MGCP channel
        driver is disabled by default."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200610-15"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Asterisk users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/asterisk-1.2.13'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/31");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/asterisk", unaffected:make_list("ge 1.2.13", "rge 1.0.12"), vulnerable:make_list("lt 1.2.13", "lt 1.0.12"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Asterisk");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_069.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:069 (asterisk). Two security problem have been found and fixed in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to potentially execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of
    last seen2019-10-28
    modified2007-02-18
    plugin id24446
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24446
    titleSUSE-SA:2006:069: asterisk
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:069
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(24446);
     script_version ("1.9");
     
     name["english"] = "SUSE-SA:2006:069: asterisk";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:069 (asterisk).
    
    
    Two security problem have been found and fixed in the PBX software
    Asterisk.
    
    CVE-2006-5444: Integer overflow in the get_input function in the
    Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones,
    allows remote attackers to potentially execute arbitrary code via a
    certain dlen value that passes a signed integer comparison and leads
    to a heap-based buffer overflow.
    
    CVE-2006-5445: A vulnerability in the SIP channel driver
    (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote
    attackers to cause a denial of service (resource consumption)
    via unspecified vectors that result in the creation of 'a real pvt
    structure' that uses more resources than necessary." );
     script_set_attribute(attribute:"solution", value:
    "http://www.novell.com/linux/security/advisories/2006_69_asterisk.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the asterisk package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"asterisk-1.0.9-4.6", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"asterisk-1.0.6-4.6", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    

References