
AST-2007-022: Buffer overflows in voicemail when using IMAP storage



               Asterisk Project Security Advisory - AST-2007-022

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Buffer overflows in voicemail when using IMAP     |
   |                    | storage                                           |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Remotely and locally exploitable buffer overflows |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Minor                                             |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | October 9, 2007                                   |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Russell Bryant <russell@xxxxxxxxxx>               |
   |                    |                                                   |
   |                    | Mark Michelson <mmichelson@xxxxxxxxxx>            |
   |--------------------+---------------------------------------------------|
   |     Posted On      | October 9, 2007                                   |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | October 10, 2007                                  |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Mark Michelson <mmichelson@xxxxxxxxxx>            |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The function "sprintf" was used heavily throughout the   |
   |             | IMAP-specific voicemail code. After auditing the code,   |
   |             | two vulnerabilities were discovered, both buffer         |
   |             | overflows.                                               |
   |             |                                                          |
   |             | The following buffer overflow required write access to   |
   |             | Asterisk's configuration files in order to be exploited. |
   |             |                                                          |
   |             | 1) If a combination of the astspooldir (set in           |
   |             | asterisk.conf), the voicemail context, and voicemail     |
   |             | mailbox, were very long, then there was a buffer         |
   |             | overflow when playing a message or forwarding a message  |
   |             | (in the case of forwarding, the context and mailbox in   |
   |             | question are the context and mailbox that the message    |
   |             | was being forwarded to).                                 |
   |             |                                                          |
   |             | The following buffer overflow could be exploited         |
   |             | remotely.                                                |
   |             |                                                          |
   |             | 2) If any one of, or any combination of the Content-type |
   |             | or Content-description headers for an e-mail that        |
   |             | Asterisk recognized as a voicemail message contained     |
   |             | more than 1024 characters, then a buffer would           |
   |             | overflow while listening to a voicemail message via a    |
   |             | telephone. It is important to note that this did NOT     |
   |             | affect users who get their voicemail via an e-mail       |
   |             | client.                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | "sprintf" calls have been changed to "snprintf" wherever  |
   |            | space was not specifically allocated to the buffer prior  |
   |            | to the sprintf call. This includes places which are not   |
   |            | currently prone to buffer overflows.                      |
   +------------------------------------------------------------------------+
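
The sprintf-to-snprintf change described in the Resolution, sketched as an added example; this is not code from the Asterisk source. The helper names, the "%s/voicemail/%s/%s" path layout and the sample inputs are assumptions made for illustration. It also shows the follow-up check the switch requires: snprintf truncates silently, so its return value must be compared against the buffer size.

```c
#include <stdio.h>
#include <string.h>

#define HDR_BUF 1024 /* header length named in the advisory */

/* Hypothetical helper: join spool dir, context and mailbox into dst.
 * The path layout is an assumption for this example.
 * Returns 0 on success, -1 if the result does not fit. */
int build_mailbox_path(char *dst, size_t dstlen, const char *spooldir,
                       const char *context, const char *mailbox)
{
    /* sprintf() here would write past dst for long inputs. */
    int n = snprintf(dst, dstlen, "%s/voicemail/%s/%s",
                     spooldir, context, mailbox);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0'; /* a truncated path could name another mailbox */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: copy one MIME header value for display.
 * Truncation is acceptable here; returns 1 if it happened, else 0. */
int copy_header(char *dst, size_t dstlen, const char *value)
{
    int n = snprintf(dst, dstlen, "%s", value);
    if (n < 0 && dstlen > 0)
        dst[0] = '\0'; /* encoding error: leave an empty string */
    return (n < 0 || (size_t)n >= dstlen) ? 1 : 0;
}

int main(void)
{
    char path[64], hdr[HDR_BUF], big[2001]; /* constructed sample inputs */
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    int rc = build_mailbox_path(path, sizeof(path), "/var/spool", "default", "1234");
    printf("short: rc=%d path=%s\n", rc, path);
    rc = build_mailbox_path(path, sizeof(path), "/var/spool", big, "1234");
    printf("long context: rc=%d path=\"%s\"\n", rc, path);
    rc = copy_header(hdr, sizeof(hdr), big);
    printf("header: truncated=%d stored=%zu bytes\n", rc, strlen(hdr));
    return 0;
}
```

Rejecting an oversized path and truncating an oversized display string are separate policy choices; in both cases the destination stays NUL-terminated and nothing is written beyond it.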

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.13                |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | Unaffected            |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | Unaffected            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Asterisk Open Source           |           1.4.13            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2007-022.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2007-022.html.            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |          Editor           |    Revisions Made     |
   |--------------------+---------------------------+-----------------------|
   | October 9, 2007    | mmichelson@xxxxxxxxxx     | Initial Release       |
   +------------------------------------------------------------------------+

              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.