CVE-2012-1184
Published 2012-09-18
Priority: P3 · 53 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 16.39% (96.6th percentile)
Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in an HTTP Digest Authentication header.
Affected
39 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:1.8.10.0~dfsg-1 (bullseye) | asterisk 1:1.8.10.0~dfsg-1 (bullseye) |
| digium | asterisk | — | — |
CVSS provenance
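| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 5.0 | MEDIUM | |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 5.0 | MEDIUM | |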
Red Hat
tomcat: three DIGEST authentication implementation issues
vendor_redhat·2012-11-05·CVSS 5.0
CVE-2012-5885 [MEDIUM] tomcat: three DIGEST authentication implementation issues
The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.
Package: jbossweb (Red Hat JBoss BRMS 5) - Affected
Package: jbossweb (Red Hat JBoss Data Grid 6) - Affected
Package: tomcat7 (Red Hat JBoss Enterprise Web Server 2) - Not affected
Package: jbossweb (Red Hat JBoss Operations Network 3.1) - Not affected
Package: jbossweb (Red Hat
Debian
CVE-2012-1184: asterisk - Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in ...
vendor_debian·2012·CVSS 7.5
CVE-2012-1184 [HIGH] CVE-2012-1184: asterisk - Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in ...
Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in an HTTP Digest Authentication header.
Scope: local
bullseye: resolved (fixed in 1:1.8.10.0~dfsg-1)
sid: resolved (fixed in 1:1.8.10.0~dfsg-1)
GHSA
GHSA-rh24-rxj5-hccw: Stack-based buffer overflow in the ast_parse_digest function in main/utils
ghsa_unreviewed·2022-05-17
CVE-2012-1184 [HIGH] CWE-119 GHSA-rh24-rxj5-hccw: Stack-based buffer overflow in the ast_parse_digest function in main/utils
Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in an HTTP Digest Authentication header.
GHSA
Improper Access Control in Apache Tomcat
ghsa·2022-05-17·CVSS 5.0
CVE-2012-5885 [MEDIUM] CWE-284 Improper Access Control in Apache Tomcat
The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.
OSV
CVE-2012-1184: Stack-based buffer overflow in the ast_parse_digest function in main/utils
osv·2012-09-18·CVSS 7.5
CVE-2012-1184 [HIGH] CVE-2012-1184: Stack-based buffer overflow in the ast_parse_digest function in main/utils
Stack-based buffer overflow in the ast_parse_digest function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in an HTTP Digest Authentication header.
No detection rules found.
Exploit-DB
Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
exploitdb·2017-04-11·CVSS 6.9
CVE-2017-7228 [MEDIUM] Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184
This bug report describes a vulnerability in memory_exchange() that
permits PV guest kernels to write to an arbitrary virtual address with
hypervisor privileges. The vulnerability was introduced through a
broken fix for CVE-2012-5513 / XSA-29.
The fix for CVE-2012-5513 / XSA-29 introduced the following check in
the memory_exchange() hypercall handler:
    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
    {
        rc = -EFAULT;
        goto fail_early;
    }
guest_handle_okay() calls array_access_ok(), which calls access_ok(),
which is implemented as follows:
/*
* Valid if in +ve hal
Exploit-DB
Asterisk - 'ast_parse_digest()' Stack Buffer Overflow (PoC)
exploitdb·2012-03-15
CVE-2012-1184 Asterisk - 'ast_parse_digest()' Stack Buffer Overflow (PoC)
---
Description
There is a remotely exploitable stack buffer overflow in HTTP digest
authentication handling in Asterisk. This vulnerability includes the
possibility of code execution with plenty of stack space for inserting
custom code to run. I wrote an example exploit to verify the
vulnerability and confirmed it against the latest code in the 1.8
branch.
The offending code is in main/utils.c, ast_parse_digest().
Note that the only user of ast_parse_digest appears to be HTTP AMI.
chan_sip has its own method to parse digests that does not appear to have this vulnerability.
POC
$ curl -v http://localhost:8080/amxml -H "Authorization: Digest
asdfaaaaaaaaaaaaaaaaaaaaaasdddddddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaa
Bugzilla
CVE-2012-1183 CVE-2012-1184 asterisk various flaws [fedora-all]
bugzilla·2012-03-16·CVSS 4.3
CVE-2012-1183 [MEDIUM] CVE-2012-1183 CVE-2012-1184 asterisk various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=804038
Bugzilla
CVE-2012-1184 asterisk: Stack-based buffer overflow by processing certain HTTP Digest Authentication headers (AST-2012-003)
bugzilla·2012-03-16·CVSS 7.5
CVE-2012-1184 [HIGH] CVE-2012-1184 asterisk: Stack-based buffer overflow by processing certain HTTP Digest Authentication headers (AST-2012-003)
A stack-based buffer overflow flaw was found in the way the Asterisk Manager Interface of Asterisk, an open source telephony toolkit, performed processing of certain HTTP Digest Authentication headers. A remote attacker, attempting to connect to the HTTP session, could send an HTTP Digest Authentication header with specially-crafted values for certain fields, which once processed by the Asterisk parse digest authorization header functionality would lead to an Asterisk crash or, potentially, arbitrary code execution with the privileges of the user running the application.
Upstream security advisory:
[1] http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
Asterisk v1.8.1
http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2012-003.pdf
http://osvdb.org/80126
http://secunia.com/advisories/48417
http://www.asterisk.org/node/51797
http://www.openwall.com/lists/oss-security/2012/03/16/10
http://www.openwall.com/lists/oss-security/2012/03/16/17
http://www.securitytracker.com/id?1026813
https://exchange.xforce.ibmcloud.com/vulnerabilities/74083