The results were amazing: over 50 tests crashed Asterisk. Sadly, all those crashes gave no remote execution vulnerabilities but only two bugs leading to DoS. While this may be still cool to provide instant DoS of VOIP infrastructure from the outside by sending SIP requests without authorization, there is not much to research here.
Tuesday, June 28, 2011
DoS/Asterisk/PROTOS
Lately i've been playing around with Asterisk PBX and saw the new Long Term Support 1.8.x was released not long ago. Fuzzing not sucks and i've setup a framework to hunt for some bugs but ... this is another story. Prior to protocol fuzzing i've looked into PROTOS and thought it would be useless: stable for half a year top open source PBX isn't _that_ bad in terms of security. Well, it is.
Subscribe to:
Posts (Atom)