Asterisk Project Security Advisory - AST-2007-022
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Buffer overflows in voicemail when using IMAP |
| | storage |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Remotely and locally exploitable buffer overflows |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|--------------------+---------------------------------------------------|
| Severity | Minor |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | October 9, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Russell Bryant |
| | |
| | Mark Michelson |
|--------------------+---------------------------------------------------|
| Posted On | October 9, 2007 |
|--------------------+---------------------------------------------------|
| Last Updated On | October 10, 2007 |
|--------------------+---------------------------------------------------|
| Advisory Contact | Mark Michelson |
|--------------------+---------------------------------------------------|
| CVE Name | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | The function "sprintf" was used heavily throughout the |
| | IMAP-specific voicemail code. After auditing the code, |
| | two vulnerabilities were discovered, both buffer |
| | overflows. |
| | |
| | The following buffer overflow required write access to |
| | Asterisk's configuration files in order to be exploited. |
| | |
| | 1) If a combination of the astspooldir (set in |
| | asterisk.conf), the voicemail context, and voicemail |
| | mailbox, were very long, then there was a buffer |
| | overflow when playing a message or forwarding a message |
| | (in the case of forwarding, the context and mailbox in |
| | question are the context and mailbox that the message |
| | was being forwarded to). |
| | |
| | The following buffer overflow could be exploited |
| | remotely. |
| | |
| | 2) If any one of, or any combination of the Content-type |
| | or Content-description headers for an e-mail that |
| | Asterisk recognized as a voicemail message contained |
| | more than a 1024 characters, then a buffer would |
| | overflow while listening to a voicemail message via a |
| | telephone. It is important to note that this did NOT |
| | affect users who get their voicemail via an e-mail |
| | client. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | "sprintf" calls have been changed to "snprintf" wherever |
| | space was not specifically allocated to the buffer prior |
| | to the sprintf call. This includes places which are not |
| | currently prone to buffer overflows. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | Unaffected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.13 |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | A.x.x | Unaffected |
|----------------------------------+-------------+-----------------------|
| Asterisk Business Edition | B.x.x | Unaffected |
|----------------------------------+-------------+-----------------------|
| AsteriskNOW | pre-release | Unaffected |
|----------------------------------+-------------+-----------------------|
| Asterisk Appliance Developer Kit | 0.x.x | Unaffected |
|----------------------------------+-------------+-----------------------|
| s800i (Asterisk Appliance) | 1.0.x | Unaffected |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In |
|------------------------------------------------------------------------|
| Product | Release |
|------------------------------------------+-----------------------------|
| Asterisk Open Source | 1.4.13 |
|------------------------------------------+-----------------------------|
|------------------------------------------+-----------------------------|
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links | |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security. |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2007-022.pdf and |
| http://downloads.digium.com/pub/security/AST-2007-022.html. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History |
|------------------------------------------------------------------------|
| Date | Editor | Revisions Made |
|--------------------+---------------------------+-----------------------|
| October 9, 2007 | mmichelson@digium.com | Initial Release |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2007-022
Copyright (c) 2007 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.