Multiple vendor IAXclient library truncated frame buffer overflow

iaxclient-truncated-frame-bo (27047)
Risk level: High

Description:

The IAXclient library, which is used by multiple vendors to implement the IAX2 VoIP protocol, is vulnerable to multiple buffer overflows, caused by improper handling of truncated frames. By sending specially-crafted truncated full-frame or mini-frame UDP packets to a vulnerable application, a remote attacker could overflow a buffer to cause the affected application to crash or possibly execute arbitrary code on the affected system.
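The root cause the description (and the CVE-2006-2923 entry under References) outlines is a frame whose truncation is detected but whose length arithmetic still runs, producing a negative payload length that is then used as an unsigned count. The C below is an added illustration written for this page; it is not iaxclient's code and does not reproduce its iax_net_read routine. It reduces the defective pattern to the length calculation alone (nothing is copied) and places a hardened parser beside it that rejects short or oversized datagrams before any arithmetic. Header sizes come from RFC 5456 (12-byte full-frame header, 4-byte mini-frame header, F bit in the first byte); the 1024-byte buffer capacity, the function names, and the sample datagrams are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header sizes from RFC 5456 (IAX2): 12-byte full-frame header, 4-byte
 * mini-frame header; the high bit of the first byte (F bit) selects which. */
#define IAX2_FULL_HDR_LEN 12u
#define IAX2_MINI_HDR_LEN 4u
#define IAX2_MAX_PAYLOAD  1024u   /* hypothetical receive-buffer capacity */

enum iax2_parse_status {
    IAX2_OK = 0,
    IAX2_ERR_TRUNCATED,   /* datagram shorter than the header it claims */
    IAX2_ERR_TOO_LARGE    /* payload would overrun the receive buffer */
};

struct iax2_frame {
    int is_full;
    uint16_t src_call;
    size_t payload_len;
    const uint8_t *payload;
};

/* The defective pattern the advisory describes, reduced to its arithmetic
 * (hypothetical, not iaxclient's actual code): the payload length is derived
 * with signed integers before the frame is known to be long enough, so a
 * truncated frame yields a negative value. Cast to size_t for a copy, -2
 * becomes SIZE_MAX - 1. Nothing is copied here; the value is only returned. */
int iax2_payload_len_unchecked(const uint8_t *pkt, int len)
{
    int hdr = (pkt[0] & 0x80) ? (int)IAX2_FULL_HDR_LEN : (int)IAX2_MINI_HDR_LEN;
    return len - hdr;
}

/* Hardened parse: every bound is checked before it is relied on, lengths are
 * unsigned, and a short or oversized frame is rejected rather than processed. */
enum iax2_parse_status iax2_parse_frame(const uint8_t *pkt, size_t len,
                                        struct iax2_frame *out)
{
    if (pkt == NULL || out == NULL || len < IAX2_MINI_HDR_LEN)
        return IAX2_ERR_TRUNCATED;      /* cannot even read the first word */

    int is_full = (pkt[0] & 0x80) != 0;
    size_t hdr = is_full ? IAX2_FULL_HDR_LEN : IAX2_MINI_HDR_LEN;

    if (len < hdr)                      /* check first: size_t would wrap */
        return IAX2_ERR_TRUNCATED;

    size_t payload_len = len - hdr;
    if (payload_len > IAX2_MAX_PAYLOAD)
        return IAX2_ERR_TOO_LARGE;

    out->is_full = is_full;
    out->src_call = (uint16_t)(((pkt[0] & 0x7f) << 8) | pkt[1]);
    out->payload_len = payload_len;
    out->payload = pkt + hdr;
    return IAX2_OK;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t SAMPLE_FULL_OK[]    = {0x80,0x01, 0x00,0x02, 0,0,0,0x10, 0,0, 2,0, 'a','b','c'};
const uint8_t SAMPLE_FULL_SHORT[] = {0x80,0x01, 0x00,0x02, 0,0,0,0x10, 0,0};  /* 10 of 12 header bytes */
const uint8_t SAMPLE_MINI_OK[]    = {0x00,0x01, 0x00,0x10};                   /* header only, empty payload */
const uint8_t SAMPLE_MINI_SHORT[] = {0x00,0x01, 0x00};                        /* 3 of 4 header bytes */

/* Small wrappers so a caller can check one result at a time. */
enum iax2_parse_status iax2_status_of(const uint8_t *pkt, size_t len)
{
    struct iax2_frame f;
    return iax2_parse_frame(pkt, len, &f);
}

size_t iax2_payload_len_of(const uint8_t *pkt, size_t len)
{
    struct iax2_frame f;
    return iax2_parse_frame(pkt, len, &f) == IAX2_OK ? f.payload_len : (size_t)-1;
}

int main(void)
{
    printf("full ok    -> status %d, payload %zu bytes\n",
           iax2_status_of(SAMPLE_FULL_OK, sizeof SAMPLE_FULL_OK),
           iax2_payload_len_of(SAMPLE_FULL_OK, sizeof SAMPLE_FULL_OK));
    printf("full short -> status %d (unchecked arithmetic gives %d)\n",
           iax2_status_of(SAMPLE_FULL_SHORT, sizeof SAMPLE_FULL_SHORT),
           iax2_payload_len_unchecked(SAMPLE_FULL_SHORT, (int)sizeof SAMPLE_FULL_SHORT));
    printf("mini short -> status %d\n",
           iax2_status_of(SAMPLE_MINI_SHORT, sizeof SAMPLE_MINI_SHORT));
    return 0;
}
```

The ordering is the point: the hardened parser refuses the frame before computing `len - hdr`, keeps the result in `size_t`, and caps it against the destination buffer, so a truncated datagram never reaches a copy. The unchecked helper shows the value that the advisory's "negative length" refers to for a 10-byte full frame.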


Consequences:

Gain Access

Remedy:

For iaxComm:
Upgrade to the latest version (1.2.0 or later), available from the iaxComm Web site. See References.

For Kiax:
Upgrade to the latest version (0.8.51 or later), available from SourceForge.net. See References.

For IDE FISK:
Upgrade to the latest version (1.37 or later), available from asterisKGuru.com. See References.

For LoudHush:
Upgrade to the latest version (1.3.7 or later), available from the LoudHush Web site. See References.

For Gentoo Linux (Kiax):
Refer to Gentoo Linux Security Announcement GLSA 2006-06-30 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for patch or upgrade information. See References.

References:

  • asterisKGuru.com: Idefisk softphone.
  • BugTraq Mailing List, Fri Jun 09 2006 - 16:30:53 CDT: CORE-2006-0327: IAXclient truncated frames vulnerabilities.
  • iaxComm Web site: iaxComm.
  • LoudHush 1.3.7 Change Log: LoudHush 1.3.7.
  • LoudHush Web site: LoudHush: IAX soft phone for OS X.
  • SourceForge.net: Kiax 0.8.51.
  • BID-18307: IAXClient Multiple Truncated IAX Frames Remote Buffer Overflow Vulnerabilities
  • CVE-2006-2923: The iax_net_read function in the iaxclient open source library, as used in multiple products including (a) LoudHush 1.3.6, (b) IDE FISK 1.35 and earlier, (c) Kiax 0.8.5 and earlier, (d) DIAX, (e) Ziaxphone, (f) IAX Phone, (g) X-lite, (h) MediaX, (i) Extreme Networks ePhone, and (j) iaxComm before 1.2.0, allows remote attackers to execute arbitrary code via crafted IAX 2 (IAX2) packets with truncated (1) full frames or (2) mini-frames, which are detected in a length check but still processed, leading to buffer overflows related to negative length values.
  • GLSA-200606-30: Kiax: Arbitrary code execution
  • SA20466: LoudHush iaxclient Buffer Overflow Vulnerability
  • SA20560: IDE FISK iaxclient Buffer Overflow Vulnerability
  • SA20567: Kiax iaxclient Buffer Overflow Vulnerability
  • SA20623: iaxComm iaxclient Buffer Overflow Vulnerability
  • VUPEN/ADV-2006-2180: LoudHush iaxclient Remote Code Execution and Denial of Service Vulnerabilities
  • VUPEN/ADV-2006-2284: iaxComm iaxclient Remote Code Execution and Denial of Service Vulnerabilities
  • VUPEN/ADV-2006-2285: Kiax iaxclient Remote Command Execution and Denial of Service Vulnerabilities
  • VUPEN/ADV-2006-2286: IDEFISK iaxclient Remote Code Execution and Denial of Service Vulnerabilities

Platforms Affected:

  • Gentoo Linux
  • Kagi LoudHush 1.3.6 and prior
  • Kiax Kiax 0.8.5 and prior
  • Michael Van Donselaar iaxComm prior to 1.2.0
  • Zoiper IDE FISK 1.35 and prior

Reported:

Jun 09, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
