Summary: | ASTERISK-20052: Security Vulnerability: remote crash vulnerability in app_voicemail | ||||
Reporter: | Matt Jordan (mjordan) | Labels: | |||
Date Opened: | 2012-06-26 12:21:18 | Date Closed: | 2012-07-05 17:18:42 | ||
Priority: | Critical | Regression? | No | ||
Status: | Closed/Complete | Components: | Applications/app_voicemail | ||
Versions: | 1.8.13.0 10.5.1 10.5.1-digiumphones | Frequency of Occurrence | |||
Related Issues: |
Environment: | Attachments: | ||||
Description: |
Reported By: Nicolas Bouliane - Avencall Security Labs
Summary: app_voicemail remote crash vulnerability
Nature of Advisory: Denial of Service
Tested with Asterisk version: 1.8.13.0

Description: The app_voicemail code calls free() twice on the same memory address under some circumstances.

Further reading: CWE-415 Double Free => http://cwe.mitre.org/data/definitions/415.html

close_mailbox() is called once for the Urgent-mailbox and once for the INPUT-mailbox, each time freeing data if a message was received after the mailbox was opened.

    done:
        if (vms->deleted && last_msg_idx) {
            ast_free(vms->deleted);
        }
        if (vms->heard && last_msg_idx) {
            ast_free(vms->heard);
        }

        return 0;

Steps:
1 - You leave an urgent and a normal message to your voicemail.
2 - You log into your voicemail, the menu is offered to you, you press nothing and wait.
3 - From another call, you leave an urgent and a normal message to the voicemail.
4 - In the voicemail menu, you now press '1' to listen to the urgent message.
5 - You press '7' to delete the message, and then it closes the Urgent-mailbox and switches to INBOX.
6 - You press '#' to exit.
7 - Asterisk crashes.

Another way: From step -4-, once you've pressed '1' to listen to the urgent message, you can press '4' and '6' successively to navigate from the Urgent-mailbox to INPUT, which will call close_mailbox() twice, and execute the same piece of code.

To leave an urgent message, you must press '4' after your message is recorded. You then press '1' to save it.
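The double free described in the report, modeled as an added example (not code from the report or from the Asterisk source tree). The struct, the tracking shim and the function names other than the two fields are hypothetical, and the model assumes the state is not reallocated between the two closes; the hardened variant shows one common mitigation, clearing each pointer after release, and is not claimed to be the project's fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the voicemail state: only the two fields in the report. */
struct vm_state { int *deleted; int *heard; };

/* Tracking shim (hypothetical): records each released address and defers the
 * real free(), so a second release of the same address (CWE-415) is counted
 * instead of corrupting the heap. */
static void *freed[8];
static int nfreed, double_frees;

static void tracked_free(void *p)
{
    if (!p) return;                          /* free(NULL) is a no-op */
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    freed[nfreed++] = p;
}

/* Pattern from the report: the pointers stay dangling after the release. */
static void close_mailbox_vulnerable(struct vm_state *vms, int last_msg_idx)
{
    if (vms->deleted && last_msg_idx) tracked_free(vms->deleted);
    if (vms->heard && last_msg_idx) tracked_free(vms->heard);
}

/* Hardened: clear each pointer once released, so a second close is a no-op. */
static void close_mailbox_hardened(struct vm_state *vms, int last_msg_idx)
{
    if (vms->deleted && last_msg_idx) { tracked_free(vms->deleted); vms->deleted = NULL; }
    if (vms->heard && last_msg_idx) { tracked_free(vms->heard); vms->heard = NULL; }
}

/* Closes the same state twice, as when the session leaves one folder and then
 * the next. Returns the number of double-free attempts the shim caught. */
static int count_double_frees(void (*close_fn)(struct vm_state *, int))
{
    struct vm_state vms = { calloc(4, sizeof(int)), calloc(4, sizeof(int)) };
    nfreed = double_frees = 0;
    close_fn(&vms, 1);                       /* first folder closed */
    close_fn(&vms, 1);                       /* second folder closed */
    for (int i = 0; i < nfreed; i++) free(freed[i]);
    return double_frees;
}

int main(void)
{
    printf("vulnerable: %d double frees\n", count_double_frees(close_mailbox_vulnerable));
    printf("hardened:   %d double frees\n", count_double_frees(close_mailbox_hardened));
    return 0;
}
```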
Comments: |