Vulnerabilities > CVE-2008-5744 - Numeric Errors vulnerability in Asterisk Zaptel 1.2/1.2.27/1.4

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

asterisk

CWE-189

nessus

NVD

Published: 2008-12-26

Updated: 2017-08-08

Summary

Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync.

Vulnerable Configurations

Part	Description	Count
Application	Asterisk Asterisk Zaptel 1.2 Asterisk Zaptel 1.2.27 Asterisk Zaptel 1.4 Asterisk Zaptel *	4

Common Weakness Enumeration (CWE)

CWE-189 - Numeric Errors

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1699.NASL
description	An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396 ).
last seen	2020-06-01
modified	2020-06-02
plugin id	35333
published	2009-01-12
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35333
title	Debian DSA-1699-1 : zaptel - array index error
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1699. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(35333); script_version("1.11"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2008-5396", "CVE-2008-5744"); script_bugtraq_id(32575); script_xref(name:"DSA", value:"1699"); script_name(english:"Debian DSA-1699-1 : zaptel - array index error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "An array index error in zaptel, a set of drivers for telephony hardware, could allow users to crash the system or escalate their privileges by overwriting kernel memory (CVE-2008-5396 )." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507459" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510583" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-5396" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1699" ); script_set_attribute( attribute:"solution", value: "Upgrade the zaptel package. For the stable distribution (etch), this problem has been fixed in version 1.2.11.dfsg-1+etch1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zaptel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"libtonezone-dev", reference:"1.2.11.dfsg-1+etch1")) flag++; if (deb_check(release:"4.0", prefix:"libtonezone1", reference:"1.2.11.dfsg-1+etch1")) flag++; if (deb_check(release:"4.0", prefix:"zaptel", reference:"1.2.11.dfsg-1+etch1")) flag++; if (deb_check(release:"4.0", prefix:"zaptel-source", reference:"1.2.11.dfsg-1+etch1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 32575 CVE(CAN) ID: CVE-2008-5396,CVE-2008-5744 zaptel软件包是用于配置Zapata电话内核驱动的用户工具。由于对ZT_SPANCONFIG ioctl相关的sync字段缺少检查，导致Zaptel中的torisa.c驱动的torisa_spanconfig()函数和dahdi/tor2.c驱动的tor2_spanconfig()函数存在数组索引错误。dialout组中的本地用户可以通过写入/dev/zap/ctl覆盖内核内存中的整数值，导致拒绝服务或获得权限提升。 Diginum Zaptel 1.4.x Diginum Zaptel 1.2.x 厂商补丁： Diginum ------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://svn.digium.com/view/zaptel?view=rev&revision=4587 target=_blank rel=external nofollow>http://svn.digium.com/view/zaptel?view=rev&revision=4587</a> <a href=http://svn.digium.com/view/zaptel?view=rev&revision=4588 target=_blank rel=external nofollow>http://svn.digium.com/view/zaptel?view=rev&revision=4588</a> <a href=http://svn.digium.com/view/dahdi?view=rev&revision=5590 target=_blank rel=external nofollow>http://svn.digium.com/view/dahdi?view=rev&revision=5590</a>
id	SSV:4605
last seen	2017-11-19
modified	2008-12-30
published	2008-12-30
reporter	Root
title	zaptel多个驱动数组索引漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Seebug

References