From advisories@atstake.com Thu Sep 11 16:50:19 2003 From: "@stake Advisories" To: vulnwatch@vulnwatch.org Date: Thu, 11 Sep 2003 16:15:35 -0400 Subject: [VulnWatch] Asterisk CallerID CDR SQL Injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Asterisk CallerID CDR SQL Injection Release Date: 09/11/2003 Application: Asterisk Platform: Linux (x86) Severity: An attacker is able to obtain remote access to the database/host via the CallerID string Authors: Ollie Whitehouse [ollie@atstake.com] Vendor Status: Informed / CVS Updated 9th of September 2003 CVE Candidate: CAN-2003-0779 Reference: www.atstake.com/research/advisories/2003/a091103-1.txt Overview: Asterisk (http://www.asterisk.org/) is a complete PBX (Private Branch eXchange) in software. It runs on Linux and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP with three protocols (SIP, IAX v1 and v2, and H323), and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware. Call Detail Records (CDRs) are generated by telephony systems in order to perform a number of functions such as billing and rating. CDRs contain a number of fields that identify useful information about the call including source, destination, and other items such as CallerID. These can be generated numerous times during the call to indicate the state of the call as well. @stake found an issue while conducting a source code review of the CDR logging functionality. It is possible to perform SQL injection if an attacker can supply a malformed CallerID string. The interesting thing to note about this vulnerability is that is can not only be launched via VoIP protocols, but also through fixed-line connections (i.e. POTS - Plain Old Telephone System). Details: @stake discovered that minimal input validation occurred between CDR generation and the acceptance of this data as part of the SQL query. SQL injection is covered in great details in: i) SQL Injection http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf ii) Advanced SQL Injection http://www.ngssoftware.com/papers/advanced_sql_injection.pdf As a result, it is possible for a remote unauthenticated user to perform arbitrary database operations. Recommendation: @stake notified the author of this particular code on the 17th of August. The author developed and deployed a patch silently to the CVS on the 9th of September. @stake recommends that if you have not deployed a CVS version since the 9th of September 2003 to immediately do so. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0779 Asterisk CallerID CDR SQL injection @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc @stake is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing. Please send resumes to jobs@atstake.com. Copyright 2003 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP2DXsEe9kNIfAm4yEQJwjwCeIiLUirU+hXo5bOu+72byxKKx5GIAoLxk SlTyCUqbrBRlJl+k4CScWJOx =5Vb3 -----END PGP SIGNATURE-----