Tried, Tested and Proven

Security Advisory 05 – 013 – Asterisk Manager Interface Overflow

Vulnerable System:

This vulnerability affects Asterisk 1.0.7 and the development Asterisk branch (known as CVS HEAD).http://www.asterisk.org/

Vulnerability discovery and development:

Wade Alcorn discovered this vulnerability whilst performing an assessment of the Asterisk PABX software package. It was then verified that the instruction pointer could be controlled and made to point at arbitrary memory locations. This led to a remote shell proof-of-concept, which provides access to the user (root by default) running Asterisk. This will occur when the Asterisk Manager Interface is enabled and a valid manager username and password, with command line permissions, is used.

Affected Systems:

The issue was initially found and verified on the Linux Operating System. Research is currently being undertaken to determine the extent to which other operating systems are vulnerable.

Details:

There is a programming error in the function that parses commands in the Asterisk system. This is used by the manager interface if the user is allowed to submit CLI commands. The coding error can result in the overflow of one of the parameters of the calling function. That is, the command parsing function will return without error. However, the calling function will cause a segmentation fault.

If the command string is specifically crafted, is it possible to use this stack overflow to execute arbitrary code on the Asterisk system.

The resulting execution is (typically) run with root privileges.

A command consisting of a recurring string of two double quotes followed by a tab character will induce the segmentation fault within a Call Manager thread.

Impact:

Under the default configuration the Asterisk server does not start the Manager interface, so a default Asterisk installation will not be vulnerable to this avenue of attack.

The impact of this issue is mitigated by the Asterisk default configuration. Configuration is controlled by settings in manager.conf.

The following options need to be in place for this vector of attack to be successful:

 [general]

enabled = yes

bindaddr = 127.0.0.1

[mark]

secret = mysecret

permit = 127.0.0.1

write = command

The relevant option is ‘write = command’; without it, even properly authenticated Manager interface users will be unable to exploit this overflow. The result of a successfully exploited Asterisk command parsing overflow will result in a remote root shell.

Exploit:

The error in the function means that any Asterisk server with the appropriate configuration using the Manager interface is vulnerable. It is possible for an authenticated user to gain a remote root shell on the system.

Vendor notified:

Mark Spencer, the primary developer of the Asterisk project, was contacted on Thursday 19th May 2005 via email. This email contained a summary of the vulnerability and explained Wade Alcorn had developed an exploit for the issue.

The Asterisk development team was prompt and responsive to the vulnerability alert. Portcullis was provided with an alternate means of contact additional to email, if it was to be required. Wade Alcorn (Portcullis), Mark Spencer (Asterisk), Kevin Fleming (Asterisk) cooperatively provided and verified a solution to the problem.

Vendor response:

The Asterisk project is thankful for the efforts of Wade Alcorn and Portcullis Computer Security to identify and diagnose the source of this problem. Wade Alcorn was able to provide a proposed solution and a simple means of reproducing the problem, which were instrumental in our ability to quickly solve the issue.

Workaround/Fix:

Options

1) For a temporary workaround, disable the setting in manager.conf detailed in the impact section.
2) Upgrade to version 1.0.8, or for development branch users, the most recent CVS version available.

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.