ID CVE-2006-5444
Summary Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) in Asterisk 1.0.x before 1.0.12 and 1.2.x before 1.2.13, as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow.
References
Vulnerable Configurations
  • Digium Asterisk 0.1.7
    cpe:2.3:a:digium:asterisk:0.1.7
  • Digium Asterisk 0.1.8
    cpe:2.3:a:digium:asterisk:0.1.8
  • Digium Asterisk 0.1.9
    cpe:2.3:a:digium:asterisk:0.1.9
  • Digium Asterisk 0.1.9.1
    cpe:2.3:a:digium:asterisk:0.1.9.1
  • Digium Asterisk 0.2
    cpe:2.3:a:digium:asterisk:0.2
  • Digium Asterisk 0.3
    cpe:2.3:a:digium:asterisk:0.3
  • Digium Asterisk 0.4
    cpe:2.3:a:digium:asterisk:0.4
  • Digium Asterisk 0.7
    cpe:2.3:a:digium:asterisk:0.7
  • Digium Asterisk 0.7.1
    cpe:2.3:a:digium:asterisk:0.7.1
  • Digium Asterisk 0.7.2
    cpe:2.3:a:digium:asterisk:0.7.2
  • Digium Asterisk 0.9
    cpe:2.3:a:digium:asterisk:0.9
  • Digium Asterisk 1.0
    cpe:2.3:a:digium:asterisk:1.0
  • Digium Asterisk 1.0.7
    cpe:2.3:a:digium:asterisk:1.0.7
  • Digium Asterisk 1.0.8
    cpe:2.3:a:digium:asterisk:1.0.8
  • Digium Asterisk 1.0.9
    cpe:2.3:a:digium:asterisk:1.0.9
  • Digium Asterisk 1.0.10
    cpe:2.3:a:digium:asterisk:1.0.10
  • Digium Asterisk 1.0.11
    cpe:2.3:a:digium:asterisk:1.0.11
  • Digium Asterisk 1.2.6
    cpe:2.3:a:digium:asterisk:1.2.6
  • Digium Asterisk 1.2.7
    cpe:2.3:a:digium:asterisk:1.2.7
  • Digium Asterisk 1.2.8
    cpe:2.3:a:digium:asterisk:1.2.8
  • Digium Asterisk 1.2.9
    cpe:2.3:a:digium:asterisk:1.2.9
  • Digium Asterisk 1.2.10
    cpe:2.3:a:digium:asterisk:1.2.10
  • Digium Asterisk 1.2.11
    cpe:2.3:a:digium:asterisk:1.2.11
  • Digium Asterisk 1.2.12
    cpe:2.3:a:digium:asterisk:1.2.12
  • cpe:2.3:a:digium:asterisk:1.2_beta1
    cpe:2.3:a:digium:asterisk:1.2_beta1
  • cpe:2.3:a:digium:asterisk:1.2_beta2
    cpe:2.3:a:digium:asterisk:1.2_beta2
CVSS
Base: 7.5 (as of 23-10-2006 - 16:13)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description Asterisk <= 1.0.12 / 1.2.12.1 (chan_skinny) Remote Heap Overflow (PoC). CVE-2006-5444. DoS exploits for multiple platforms
id EDB-ID:2597
last seen 2016-01-31
modified 2006-10-19
published 2006-10-19
reporter Noam Rathaus
source https://www.exploit-db.com/download/2597/
title Asterisk <= 1.0.12 / 1.2.12.1 chan_skinny Remote Heap Overflow PoC
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200610-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200610-15 (Asterisk: Multiple vulnerabilities) Asterisk contains buffer overflows in channels/chan_mgcp.c from the MGCP driver and in channels/chan_skinny.c from the Skinny channel driver for Cisco SCCP phones. It also dangerously handles client-controlled variables to determine filenames in the Record() function. Finally, the SIP channel driver in channels/chan_sip.c could use more resources than necessary under unspecified circumstances. Impact : A remote attacker could execute arbitrary code by sending a crafted audit endpoint (AUEP) response, by sending an overly large Skinny packet even before authentication, or by making use of format strings specifiers through the client-controlled variables. An attacker could also cause a Denial of Service by resource consumption through the SIP channel driver. Workaround : There is no known workaround for the format strings vulnerability at this time. You can comment the lines in /etc/asterisk/mgcp.conf, /etc/asterisk/skinny.conf and /etc/asterisk/sip.conf to deactivate the three vulnerable channel drivers. Please note that the MGCP channel driver is disabled by default.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22930
    published 2006-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22930
    title GLSA-200610-15 : Asterisk: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1229.NASL
    description Adam Boileau discovered an integer overflow in the Skinny channel driver in Asterisk, an Open Source Private Branch Exchange or telephone system, as used by Cisco SCCP phones, which allows remote attackers to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 23790
    published 2006-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23790
    title Debian DSA-1229-1 : asterisk - integer overflow
  • NASL family Gain a shell remotely
    NASL id ASTERISK_CHAN_SKINNY_DLEN_OVERFLOW.NASL
    description The chan_skinny channel driver included in the version of Asterisk running on the remote host does not properly validate the length header in incoming packets. An unauthenticated, remote attacker may be able to leverage this flaw to execute code on the affected host subject to the privileges under which Asterisk runs, generally root.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 22878
    published 2006-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22878
    title Asterisk Skinny Channel Driver (chan_skinny) get_input Function Remote Overflow
  • NASL family SuSE Local Security Checks
    NASL id SUSE_ASTERISK-2272.NASL
    description This update fixes 2 security problems in the PBX software Asterisk. CVE-2006-5444: Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. CVE-2006-5445: A vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk on SUSE Linux 10.1 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of 'a real pvt structure' that uses more resources than necessary.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27156
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27156
    title openSUSE 10 Security Update : asterisk (asterisk-2272)
refmap via4
bid 20617
bugtraq 20061018 Security-Assessment.com Advisory: Asterisk remote heap overflow
cert-vn VU#521252
confirm
debian DSA-1229
fulldisc 20061018 Asterisk remote heap overflow
gentoo GLSA-200610-15
openpkg OpenPKG-SA-2006.024
osvdb 29972
sectrack 1017089
secunia
  • 22480
  • 22651
  • 22979
  • 23212
suse SUSE-SA:2006:069
vupen ADV-2006-4097
xf asterisk-getinput-code-execution(29663)
Last major update 07-03-2011 - 21:43
Published 23-10-2006 - 13:07
Last modified 17-10-2018 - 17:42