Vulnerabilities > CVE-2007-3762 - Unspecified vulnerability in Asterisk products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
asterisk
nessus

Summary

Stack-based buffer overflow in the IAX2 channel driver (chan_iax2) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to execute arbitrary code by sending a long (1) voice or (2) video RTP frame.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200802-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200802-11 (Asterisk: Multiple vulnerabilities) Multiple vulnerabilities have been found in Asterisk: Russel Bryant reported a stack-based buffer overflow in the IAX2 channel driver (chan_iax2) when bridging calls between chan_iax2 and any channel driver that uses RTP for media (CVE-2007-3762). Chris Clark and Zane Lackey (iSEC Partners) reported a NULL pointer dereference in the IAX2 channel driver (chan_iax2) (CVE-2007-3763). Will Drewry (Google Security) reported a vulnerability in the Skinny channel driver (chan_skinny), resulting in an overly large memcpy (CVE-2007-3764). Will Drewry (Google Security) reported a vulnerability in the IAX2 channel driver (chan_iax2), that does not correctly handle unauthenticated transactions using a 3-way handshake (CVE-2007-4103). Impact : By sending a long voice or video RTP frame, a remote attacker could possibly execute arbitrary code on the target machine. Sending specially crafted LAGRQ or LAGRP frames containing information elements of IAX frames, or a certain data length value in a crafted packet, or performing a flood of calls not completing a 3-way handshake, could result in a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id31294
    published2008-02-27
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31294
    titleGLSA-200802-11 : Asterisk: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200802-11.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31294);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764", "CVE-2007-4103");
      script_xref(name:"GLSA", value:"200802-11");
    
      script_name(english:"GLSA-200802-11 : Asterisk: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200802-11
    (Asterisk: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been found in Asterisk:
        Russel Bryant reported a stack-based buffer overflow in the IAX2 channel
        driver (chan_iax2) when bridging calls between chan_iax2 and any
        channel driver that uses RTP for media (CVE-2007-3762).
        Chris
        Clark and Zane Lackey (iSEC Partners) reported a NULL pointer
        dereference in the IAX2 channel driver (chan_iax2)
        (CVE-2007-3763).
        Will Drewry (Google Security) reported a
        vulnerability in the Skinny channel driver (chan_skinny), resulting in
        an overly large memcpy (CVE-2007-3764).
        Will Drewry (Google
        Security) reported a vulnerability in the IAX2 channel driver
        (chan_iax2), that does not correctly handle unauthenticated
        transactions using a 3-way handshake (CVE-2007-4103).
      
    Impact :
    
        By sending a long voice or video RTP frame, a remote attacker could
        possibly execute arbitrary code on the target machine. Sending
        specially crafted LAGRQ or LAGRP frames containing information elements
        of IAX frames, or a certain data length value in a crafted packet, or
        performing a flood of calls not completing a 3-way handshake, could
        result in a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200802-11"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Asterisk users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/asterisk-1.2.17-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/27");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/asterisk", unaffected:make_list("rge 1.2.17-r1", "ge 1.2.21.1-r1"), vulnerable:make_list("lt 1.2.21.1-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Asterisk");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_ASTERISK-3977.NASL
    descriptionThis update fixes multiple bugs in asterisk that allowed remote attackers to crash the asterisk server or even execute arbitrary code (CVE-2007-3762, CVE-2007-3763, CVE-2007-3764).
    last seen2020-06-01
    modified2020-06-02
    plugin id27158
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27158
    titleopenSUSE 10 Security Update : asterisk (asterisk-3977)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update asterisk-3977.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27158);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:29");
    
      script_cve_id("CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764");
    
      script_name(english:"openSUSE 10 Security Update : asterisk (asterisk-3977)");
      script_summary(english:"Check for the asterisk-3977 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes multiple bugs in asterisk that allowed remote
    attackers to crash the asterisk server or even execute arbitrary code
    (CVE-2007-3762, CVE-2007-3763, CVE-2007-3764)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected asterisk package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/07/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"asterisk-1.2.5-12.15") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"asterisk-1.2.13-25") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "asterisk");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1358.NASL
    descriptionSeveral remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1306
    last seen2020-06-01
    modified2020-06-02
    plugin id25938
    published2007-08-28
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25938
    titleDebian DSA-1358-1 : asterisk - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1358. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25938);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2007-1306", "CVE-2007-1561", "CVE-2007-2294", "CVE-2007-2297", "CVE-2007-2488", "CVE-2007-3762", "CVE-2007-3763", "CVE-2007-3764");
      script_xref(name:"DSA", value:"1358");
    
      script_name(english:"Debian DSA-1358-1 : asterisk - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in Asterisk, a
    free software PBX and telephony toolkit. The Common Vulnerabilities
    and Exposures project identifies the following problems :
    
      - CVE-2007-1306
        'Mu Security' discovered that a NULL pointer dereference
        in the SIP implementation could lead to denial of
        service.
    
      - CVE-2007-1561
        Inria Lorraine discovered that a programming error in
        the SIP implementation could lead to denial of service.
    
      - CVE-2007-2294
        It was discovered that a NULL pointer dereference in the
        manager interface could lead to denial of service.
    
      - CVE-2007-2297
        It was discovered that a programming error in the SIP
        implementation could lead to denial of service.
    
      - CVE-2007-2488
        Tim Panton and Birgit Arkestein discovered that a
        programming error in the IAX2 implementation could lead
        to information disclosure.
    
      - CVE-2007-3762
        Russell Bryant discovered that a buffer overflow in the
        IAX implementation could lead to the execution of
        arbitrary code.
    
      - CVE-2007-3763
        Chris Clark and Zane Lackey discovered that several NULL
        pointer dereferences in the IAX2 implementation could
        lead to denial of service.
    
      - CVE-2007-3764
        Will Drewry discovered that a programming error in the
        Skinny implementation could lead to denial of service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1306"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1561"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2294"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2297"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-2488"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3763"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-3764"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1358"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Asterisk packages.
    
    For the oldstable distribution (sarge) these problems have been fixed
    in version 1.0.7.dfsg.1-2sarge5.
    
    For the stable distribution (etch) these problems have been fixed in
    version 1:1.2.13~dfsg-2etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:asterisk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"asterisk", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-config", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-dev", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-doc", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-gtk-console", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-h323", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-sounds-main", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"3.1", prefix:"asterisk-web-vmail", reference:"1.0.7.dfsg.1-2sarge5")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-bristuff", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-classic", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-config", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-dev", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-doc", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-h323", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-sounds-main", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"asterisk-web-vmail", reference:"1:1.2.13~dfsg-2etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 24949 CVE(CAN) ID: CVE-2007-3762 Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。 Asterisk IAX2隧道驱动(chan_iax2)中存在栈溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 如果向chan_iax2传送了数据负载大于4 kB的RTP帧的话,就可能触发这个漏洞。如果要触发这个漏洞,调用iax2_write()的帧应满足以下条件: * 语音或视频帧 * 4字节的时间戳与之前所发送帧高2字节相同 * 格式为预期格式 * 数据负载大于4kB iax2_write()调用iax2_send()发送帧。在iax2_send()中,有一个条件检查确定是否应立即发送帧或排在队列中。如果确定应在队列中之后发送,就会动态的分配iax_frame结构,数据缓冲区大小为ast_frame数据的大小。但是,如果立即发送帧的话,就会使用栈分配的iax_frame,数据缓冲区大小为4096字节。之后,使用iax_frame_wrap()函数将数据从ast_frame结构拷贝到了iax_frame结构,这就可能触发溢出。 Asterisk Asterisk 1.4.x Asterisk Asterisk 1.2.x Asterisk Asterisk 1.0.x Asterisk Business Edition B.x.x Asterisk Business Edition A.x.x Asterisk AsteriskNOW &lt; beta7 Asterisk Appliance Developer Kit 0.x.x Asterisk s800i 1.0.x 厂商补丁: Asterisk -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="ftp://ftp.digium.com/pub/telephony/asterisk" target="_blank">ftp://ftp.digium.com/pub/telephony/asterisk</a> <a href="http://www.asterisknow.org/" target="_blank">http://www.asterisknow.org/</a> <a href="ftp://ftp.digium.com/pub/telephony/aadk/" target="_blank">ftp://ftp.digium.com/pub/telephony/aadk/</a>
idSSV:2028
last seen2017-11-19
modified2007-07-22
published2007-07-22
reporterRoot
titleAsterisk IAX2隧道驱动IAX2_Write函数远程栈溢出漏洞