Tzafrir Cohen
2012-May-30 14:13 UTC
[Secure-testing-team] Bug#675204: asterisk: AST-2012-007 (CVE-2012-2947): crash on IAX receiving HOLD without MOH class
Package: asterisk
Version: 1:1.8.11.1~dfsg-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. For this to occur, the following must take place:

1. The setting mohinterpret=passthrough must be set on the end placing the call on hold.
2. A call must be established.
3. The call is placed on hold without a suggested music-on-hold class name.

When these conditions are true, Asterisk will attempt to use an invalid pointer to a music-on-hold class name. Use of the invalid pointer will either cause a crash or the music-on-hold class name will be garbage.

Issue applies to version in Stable (1.6.2.9) as well.

In the default settings used by the Debian package, on-hold music will be defined if available (e.g. if any asterisk-moh-opsound package is installed).

-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages asterisk depends on:
ii  adduser                                       3.113+nmu2
ii  asterisk-config                               1:1.8.12.0~rc3~dfsg-0.9674
ii  asterisk-core-sounds-en [asterisk-prompt-en]  1.4.21-2
ii  asterisk-modules                              1:1.8.12.0~rc3~dfsg-0.9674
ii  asterisk-sounds-main [asterisk-prompt-en]     1:1.8.3.3-0.8891
ii  libc6                                         2.13-32
ii  libcap2                                       1:2.22-1
ii  libgcc1                                       1:4.7.0-8
ii  libssl1.0.0                                   1.0.1c-1
ii  libstdc++6                                    4.7.0-8
ii  libtinfo5                                     5.9-7
ii  libxml2                                       2.7.8.dfsg-9.1

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                        2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage] 1:1.8.12.0~rc3~dfsg-0.9674
ii  sox                                             14.3.2-3

Versions of packages asterisk suggests:
pn  asterisk-dahdi   1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-dev     1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-doc     1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-ooh323  <none>

-- no debconf information
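
One way to check condition 1 on a given system, as an added example that is not part of the original report or of Asterisk itself: the script below lists the iax.conf sections whose effective mohinterpret is passthrough. The sample configuration is constructed, the function names are hypothetical, and it assumes that a value in [general] acts as the default for every other section; template inheritance is not resolved.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]")

# Constructed sample iax.conf content (not taken from the bug report).
SAMPLE_IAX_CONF = """\
[general]
bindport = 4569
mohinterpret = default        ; global default

[trunk-a]
type = friend
mohinterpret = passthrough    ; condition 1 of the advisory

[trunk-b]
type = friend
;mohinterpret = passthrough   (commented out, must be ignored)
"""

def effective_mohinterpret(conf_text):
    """Map each section name to its effective mohinterpret value (or None)."""
    explicit = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment
        if not line:
            continue
        match = SECTION.match(line)
        if match:
            section = match.group(1).strip().lower()
            explicit.setdefault(section, None)
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "mohinterpret":
            # lstrip(">") accepts the "key => value" spelling as well
            explicit[section] = value.lstrip(">").strip().lower()
    # Assumption: [general] supplies the default for sections that set nothing.
    default = explicit.get("general")
    return {s: (v if v is not None else default) for s, v in explicit.items()}

def passthrough_sections(conf_text):
    """Sections that satisfy condition 1 (mohinterpret=passthrough)."""
    values = effective_mohinterpret(conf_text)
    return sorted(s for s, v in values.items() if v == "passthrough")

if __name__ == "__main__":
    print(passthrough_sections(SAMPLE_IAX_CONF))
```

An empty result means condition 1 is not met by the parsed file; any listed section is worth prioritising for the patched package.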