Asterisk是一款PBX系统的软件,运行在Linux系统上,支持使用SIP、IAX、H323协议进行IP通话。 Asterisk的chan_skinny.c文件中的static int get_input(struct skinnysession *s)函数没有正确地验证报文头中用户所提供的长度。远程攻击者可以通过发送特制报文来触发缓冲区溢出漏洞,导致执行任意指令。 asterisk-1.2.12.1/channels/chan_skinny.c的2860-2870中的漏洞代码: ---------------- res = read(s->fd, s->inbuf, 4); // <- integer read from attacker if (res != 4) { ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n"); return -1; } dlen = letohl(*(int *)s->inbuf); // <- input 0xfffffffa // interpreted as signed if (dlen+8 > sizeof(s->inbuf)) // <- integer wrap to +2 dlen = sizeof(s->inbuf) - 8; // bypasses this check } *(int *)s->inbuf = htolel(dlen); // casting just for amusement res = read(s->fd, s->inbuf+4, dlen+4); /* <- dlen now unsigned again * permitting read() to write * up to 0xfffffffa bytes off * the end of s->inbuf */ ---------------- Asterisk Asterisk 1.2-branch <= 1.2.12.1 Asterisk Asterisk 1.0-branch <= 1.0.12 临时解决方法:...
Asterisk是一款PBX系统的软件,运行在Linux系统上,支持使用SIP、IAX、H323协议进行IP通话。 Asterisk的chan_skinny.c文件中的static int get_input(struct skinnysession *s)函数没有正确地验证报文头中用户所提供的长度。远程攻击者可以通过发送特制报文来触发缓冲区溢出漏洞,导致执行任意指令。 asterisk-1.2.12.1/channels/chan_skinny.c的2860-2870中的漏洞代码: ---------------- res = read(s->fd, s->inbuf, 4); // <- integer read from attacker if (res != 4) { ast_log(LOG_WARNING, "Skinny Client sent less data than expected.\n"); return -1; } dlen = letohl(*(int *)s->inbuf); // <- input 0xfffffffa // interpreted as signed if (dlen+8 > sizeof(s->inbuf)) // <- integer wrap to +2 dlen = sizeof(s->inbuf) - 8; // bypasses this check } *(int *)s->inbuf = htolel(dlen); // casting just for amusement res = read(s->fd, s->inbuf+4, dlen+4); /* <- dlen now unsigned again * permitting read() to write * up to 0xfffffffa bytes off * the end of s->inbuf */ ---------------- Asterisk Asterisk 1.2-branch <= 1.2.12.1 Asterisk Asterisk 1.0-branch <= 1.0.12 临时解决方法: * 禁用chan_skinny模块。 * 在防火墙过滤2000/tcp端口上的通讯。 厂商补丁: Asterisk -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.asterisk.org/
