VoIP Zero Day

Despite a recent warning from the FBI, the attack method used to breach an Asterisk PBX to launch Vishing attacks was probably not an 0day.

PCWorld quoted a Digium rep as saying that a buffer overflow attack would be very hard to pull off.  Sounds like he’s stuck on a document from 1996.
If you do receive [...]

Not surprisingly, Digium has yet to resolve these first two 0days that were released through this site. There is only one reference to the issues on the Digum mailing list.
Please note Tilghman’s response…
“This has already been addressed”
I’m unsure if they are either ignorant to the issue ( a.k.a. Tilghman is ignorant to his own [...]

FOR IMMEDIATE RELEASE
Remote Denial of Service Exploit Effects The Asterisk PBX
Planet Earth (MyGarageCON)—September 26th, 2008, 0420 EDT. VoIP Zero Day, the initiative to improve the quality and security of VoIP applications, today announced another remote Asterisk Denial of Service exploit for public inspection.
iaxControlNewAuthmethods
It is believed the perl script demonstrates a resource exhaustion style [...]

As Digium revs their engine for Astricon, there is now an asterisk 0day segfault now available for public inspection. Feel free to attack your own Asterisk systems, but remember attacking other systems may very well be against the law - at least in America.
We are not liable for any of your actions.
SecurityScraper.com releases: IAXControlNew

For the [...]

Currently, I possess over one dozen additional Asterisk Resource Exhaustion 0days.
Senior staff at Digium was initially notified on 08/17/08 of these discoveries and peer reviewed additional Asterisk Resource Exhaustion issues.
Two days after this, the identical disclosure was sent to additional engineering staff members at Digium. Promises were made that these people would look into [...]