[VOIPSEC] trixbox vulnerability fluff

total impact totalimpact8 at gmail.com
Wed Dec 19 14:20:31 EST 2007


Than Taro (aka pk) has written about a vulnerability that is only accessible
through some other vulnerability:

Your ISP has been hijacked (you shouldn't use an ISP that gets hijacked -
duh)
Your router gets hacked (your fault for not securing router - this is the
main point of entry)
Someone splices into the wire (you have a much bigger problem, they have
physical access to your entire network and property)

If someone has any of the above, then they have no care for security, and a
flaw in some code that had good intentions is pretty minor, as several other
much more important systems would most likely be at risk through other
avenues.

If someone has hijacked your router, they nearly have physical access to
your network, and most likely the phone system would only be a small piece
of a larger list of vulnerable servers.

While there is genuine reason to be concerned about this problem for several
reasons, and several users have legitimately voiced their opinion as they
have the right, Mr. Taro is putting unnecessary urgency on an issue that is
not quite as vulnerable as he would like it to be.

Two immediate fixes have been announced for this flaw, and can be immediately
applied by anyone - the joy of community-driven open source software: the
community found a problem and created its own patch, now on to more
important development and the advancement of Asterisk-based PBXes. Right?
Wrong, as Mr. Taro would have it.

Fix 1 - at your Linux CLI:
rm /var/adm/bin/recognition.pl

Fix 2 - at your Linux CLI:
1. type: crontab -e then press enter
2. Place your cursor on the line that contains 'registry.pl'
3. Type 'dd' to delete the line
4. Type ':w' to save the file
5. Type ':q' to exit

Don't type the 'quotes'

Than seems to feign concern about other users and how they are vulnerable, so
there is a posted fix for them here if these other users are looking for
these security advisories here instead of the trixbox website. For the most
part his postings on several forums, BBSes, and websites seem to be an
indirect way of making the trixbox group look bad for their unintentional
mistake, and making his own distro a more favorable alternative, a childish
ploy used quite widely today in politics. But I forgot - this isn't politics,
it's for the benefit of the community, right?
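The two fixes in the post above, scripted and followed by a check that they actually took. This is an added example, not code from the original post, from its author, or from the trixbox project. It assumes the file path /var/adm/bin/recognition.pl and the crontab reference 'registry.pl' exactly as the post spells them, that the cron line lives in the crontab of the user running the script (normally root), and an optional directory prefix so the file removal can be rehearsed against a scratch tree. The sample crontab inside the block is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post or the trixbox project):
# script the two fixes above and verify the result.
# Assumptions: the script names are used exactly as the post writes them
# (recognition.pl for Fix 1, registry.pl for Fix 2); the cron entry is in
# the crontab of the user running this; an optional prefix argument points
# at a scratch tree for rehearsal instead of the live filesystem.

# Fix 2 without the editor: drop every crontab line that mentions the
# script named in $1 from crontab text on stdin; other lines pass through.
# grep -v exits 1 when nothing is left to print, which is not an error here.
strip_cron_entry() {
    grep -v -F -- "$1" || [ $? -eq 1 ]
}

# Count the crontab lines on stdin that still reference the script in $1
# (grep -c prints 0 and exits 1 when there are none, hence the || true).
count_cron_refs() {
    grep -c -F -- "$1" || true
}

# Fix 1 check: succeed only if the dropped script is gone under prefix $1.
script_removed() {
    [ ! -e "${1:-}/var/adm/bin/recognition.pl" ]
}

# Apply both fixes. The prefix only affects the file removal; the crontab
# rewrite always targets the invoking user's crontab, so run it as the
# user that owns the offending entry.
apply_fixes() {
    prefix="${1:-}"
    rm -f "$prefix/var/adm/bin/recognition.pl"
    crontab -l 2>/dev/null | strip_cron_entry registry.pl | crontab -
}

# Report whether the box still shows either indicator; return 1 if so.
verify_fixes() {
    prefix="${1:-}"
    status=0
    if ! script_removed "$prefix"; then
        echo "recognition.pl still present under $prefix/var/adm/bin"
        status=1
    fi
    if [ "$(crontab -l 2>/dev/null | count_cron_refs registry.pl)" -gt 0 ]; then
        echo "crontab still references registry.pl"
        status=1
    fi
    return "$status"
}

# Constructed sample crontab (not captured from a real trixbox) so the
# filter can be exercised without touching the real crontab:
SAMPLE_CRONTAB='# m h dom mon dow command
*/5 * * * * /var/adm/bin/registry.pl
15 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Usage on a live box, as the crontab owner:  apply_fixes && verify_fixes
# Dry run of the filter:  printf '%s\n' "$SAMPLE_CRONTAB" | strip_cron_entry registry.pl
```

The filter matches the script name as a fixed string anywhere on the line, which is what the interactive 'dd' step in the post does by hand; if the cron entry on your box uses a different path or name, pass that string instead of registry.pl.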


