Asterisk main/utils.c ast_uri_encode() CallerID Information Overflow (AST-2011-001)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.

Synopsis :

The version of Asterisk installed on the remote host contains a
buffer overflow vulnerability.

Description :

Using a specially crafted caller ID string, an authenticated user
placing an outgoing call through the remote Asterisk server can cause
a buffer overflow leading to an application crash or execution of
arbitrary code.

Successful exploitation may require that the SIP channel driver is
configured with the 'pedantic' option enabled.
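
A configuration check for the 'pedantic' condition above, as an added example (not part of the Nessus plugin or of Asterisk). It assumes the option is set in the [general] section of sip.conf; the function name and the sample text are constructed for illustration, and 'unset' means the installed version's default applies.

```python
import re

# Strings Asterisk's boolean parser (ast_true) accepts as true.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

def pedantic_state(conf_text):
    """Return 'enabled', 'disabled' or 'unset' for pedantic in [general]."""
    section, state, in_block = None, "unset", False
    for raw in conf_text.splitlines():
        # Skip ';-- ... --;' block comments.
        if in_block:
            in_block = "--;" not in raw
            continue
        if raw.lstrip().startswith(";--"):
            in_block = "--;" not in raw
            continue
        line = raw.split(";", 1)[0].strip()  # ';' starts a line comment
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "general":
            continue  # per-peer sections do not set the global option
        kv = re.match(r"([^=]+?)\s*=>?\s*(.*)$", line)  # 'k=v' or 'k => v'
        if kv and kv.group(1).strip().lower() == "pedantic":
            value = kv.group(2).strip().lower()
            # Keep scanning: a later assignment overrides an earlier one.
            state = "enabled" if value in TRUE_VALUES else "disabled"
    return state

# Constructed sample, not taken from a real host.
SAMPLE = """\
[general]
context=default   ; constructed sample
pedantic = yes
[phone1]
type=friend
pedantic=no
"""

if __name__ == "__main__":
    print("pedantic:", pedantic_state(SAMPLE))
```

A result of 'enabled' or 'unset' on a version covered by AST-2011-001 is a reason to prioritise the upgrade; 'disabled' does not make the host not vulnerable.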

See also :

Solution :

Upgrade to Asterisk / / / / / /, Asterisk Business Edition C.3.6.2 or

Risk factor :

Medium / CVSS Base Score : 6.5
CVSS Temporal Score : 4.8
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 51644

Bugtraq ID: 45839

CVE ID: CVE-2011-0495