Vigil@nce - Asterisk: denial of service via Station Key Pad Button
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A remote attacker authenticated on SCCP/Skinny can send a Station
Key Pad Button message after an Off Hook message, in order to
dereference a NULL pointer, which stops the service.
Severity: 2/4
Creation date: 15/06/2012
IMPACTED PRODUCTS
– Asterisk Open Source
– Fedora
DESCRIPTION OF THE VULNERABILITY
SCCP (Skinny Call Control Protocol) is used to communicate with
Cisco products.
This protocol defines several message types, for example:
– 0x0000 : Keep Alive Message
– 0x0003 : Station Key Pad Button Message
– 0x0006 : Station Off Hook Message
– etc.
However, if Asterisk receives the Station Key Pad Button message
after the Station Off Hook message, a NULL pointer is dereferenced
in channels/chan_skinny.c.
A remote attacker authenticated on SCCP/Skinny can therefore send
a Station Key Pad Button message after an Off Hook message, in
order to dereference a NULL pointer, which stops the service.
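The following parser is an added example, not part of the bulletin or of the Asterisk code: it splits a reassembled phone-to-server SCCP byte stream into messages and reports where a Station Key Pad Button message arrives after a Station Off Hook message, the ordering described above, which helps when reviewing the traffic that preceded a chan_skinny crash. The 12-byte header layout (little-endian length, reserved word, message ID), the length cap, the function names and the sample bytes are assumptions that do not come from the bulletin.

```python
import struct

# Message IDs listed in the bulletin.
KEEP_ALIVE, KEYPAD_BUTTON, OFF_HOOK = 0x0000, 0x0003, 0x0006
NAMES = {KEEP_ALIVE: "KeepAlive", KEYPAD_BUTTON: "KeyPadButton", OFF_HOOK: "OffHook"}
HEADER = struct.Struct("<III")  # assumed layout: length, reserved, message ID
MAX_LEN = 2000                  # assumed sanity cap on the length field

def frame(msg_id, payload=b""):
    """Build one SCCP message (used only to construct the sample below)."""
    return HEADER.pack(4 + len(payload), 0, msg_id) + payload

def parse_stream(buf):
    """Split a reassembled phone-to-server byte stream into (offset, id, payload)."""
    msgs, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        length, _reserved, msg_id = HEADER.unpack_from(buf, off)
        # The length field counts the 4-byte message ID plus the payload.
        if not 4 <= length <= MAX_LEN:
            raise ValueError(f"implausible length {length} at offset {off}")
        end = off + 8 + length
        if end > len(buf):
            raise ValueError(f"truncated body at offset {off}")
        msgs.append((off, msg_id, buf[off + HEADER.size:end]))
        off = end
    return msgs

def keypad_after_offhook(msgs):
    """Offsets of Key Pad Button messages received after an Off Hook message."""
    seen_off_hook, hits = False, []
    for off, msg_id, _payload in msgs:
        if msg_id == OFF_HOOK:
            seen_off_hook = True
        elif msg_id == KEYPAD_BUTTON and seen_off_hook:
            hits.append(off)
    return hits

# Constructed sample stream; the 4-byte key pad payload is made up.
SAMPLE = (frame(KEEP_ALIVE) + frame(KEYPAD_BUTTON, struct.pack("<I", 5))
          + frame(OFF_HOOK) + frame(KEYPAD_BUTTON, struct.pack("<I", 5)))

if __name__ == "__main__":
    parsed = parse_stream(SAMPLE)
    for off, msg_id, payload in parsed:
        print(f"{off:4d}  0x{msg_id:04x}  {NAMES.get(msg_id, 'other')}  {len(payload)} payload bytes")
    print("Key Pad Button after Off Hook at offsets:", keypad_after_offhook(parsed))
```
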
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Asterisk-denial-of-service-via-Station-Key-Pad-Button-11712