CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS
Percentile
94.5%
The firmware download protocol implemented in the version of Asterisk running on the remote host does not initiate a handshake. By spoofing an IAX2 FWDOWNL request, an unauthenticated, remote attacker may be able to leverage this issue to flood a third-party host with unwanted firmware packets from the affected host.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(33564);
script_version("1.17");
script_cvs_date("Date: 2018/11/15 20:50:21");
script_cve_id("CVE-2008-3264");
script_bugtraq_id(30350);
script_xref(name:"Secunia", value:"31178");
script_name(english:"Asterisk IAX2 FWDOWNL Request Spoofing Remote DoS");
script_summary(english:"Sends an FWDOWNL request");
script_set_attribute(attribute:"synopsis", value:
"The remote VoIP service can be abused to conduct an amplification
attack against third-party hosts.");
script_set_attribute(attribute:"description", value:
"The firmware download protocol implemented in the version of Asterisk
running on the remote host does not initiate a handshake. By spoofing
an IAX2 FWDOWNL request, an unauthenticated, remote attacker may be able
to leverage this issue to flood a third-party host with unwanted
firmware packets from the affected host.");
script_set_attribute(attribute:"see_also", value:"http://downloads.digium.com/pub/security/AST-2008-011.html");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/494676/30/0/threaded");
script_set_attribute(attribute:"solution", value:
"Upgrade to Asterisk Open Source 1.4.21.2 / 1.2.30, Asterisk Business
Edition C.2.0.3 / C.1.10.3 / B.2.5.4, s800i (Asterisk Appliance) 1.2.0.1
or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(287);
script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/24");
script_set_attribute(attribute:"patch_publication_date", value:"2008/07/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:asterisk:open_source");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Denial of Service");
script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
script_dependencies("iax2_detection.nasl");
script_require_keys("Services/udp/iax2");
exit(0);
}
include("audit.inc");
include("byte_func.inc");
port = get_kb_item("Services/udp/iax2");
if (!port) port = 4569;
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP");
soc = open_sock_udp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");
# Send a FWDOWNL request.
src_call = rand() % 0xff;
firmware = "iaxy";
req =
mkword((1 << 15) | src_call) + # 'F' bit + source call number
mkword(0) + # 'R' bit + dest call number
mkdword(0) + # timestamp
mkbyte(0) + # OSeqno
mkbyte(0) + # ISeqno
mkbyte(6) + # frametype, 6 => IAX frame
mkbyte(0x24) + # 'C' bit + subclass, 0x24 => FWDOWNL request
# information elements
mkbyte(0x20) + # DEVICETYPE
mkbyte(strlen(firmware)) +
firmware +
mkbyte(0x23) + # FWBLOCKDESC
mkbyte(0x04) +
mkdword(2);
send(socket:soc, data:req);
res = recv(socket:soc, length:128);
if (strlen(res) == 0) exit(0);
# There's a problem if we get an FWDATA response.
if (
getword(blob:res, pos:0) > 0x8000 &&
getword(blob:res, pos:2) & 0x7fff == src_call &&
getbyte(blob:res, pos:10) == 6 &&
getbyte(blob:res, pos:11) == 0x25
) security_warning(port:port, proto:"udp");