Details
- Type: Bug
- Status: Closed
- Severity: Critical
- Resolution: Fixed
- Affects Version/s: 1.8.13.0, 10.5.1, 10.5.1-digiumphones
- Target Release Version/s: 1.8.13.1, 10.5.2, 10.5.2-digiumphones
- Component/s: Applications/app_voicemail
- Labels: None
- Regression: No
Description
Reported By: Nicolas Bouliane - Avencall Security Labs
Summary: app_voicemail remote crash vulnerability
Nature of Advisory: Denial of Service
Tested with Asterisk version: 1.8.13.0
Description:
The app_voicemail code calls free() twice on the same memory address under some circumstances.
Further reading: CWE-415 Double Free => http://cwe.mitre.org/data/definitions/415.html
close_mailbox() is called once for the Urgent-mailbox and once for the INPUT-mailbox,
each time freeing data if a message was received after the mailbox was opened.
    done:
        if (vms->deleted && last_msg_idx) {
            ast_free(vms->deleted);
        }
        if (vms->heard && last_msg_idx) {
            ast_free(vms->heard);
        }

        return 0;
Steps:
1 - You leave an urgent and a normal message to your voicemail.
2 - You log into your voicemail, the menu is offered to you, you press nothing and wait.
3 - From another call, you leave an urgent and a normal message to the voicemail.
4 - In the voicemail menu, you now press '1' to listen to the urgent message.
5 - You press '7' to delete the message, and then it closes the Urgent-mailbox and switches to INBOX.
6 - You press '#' to exit.
7 - Asterisk crashes.
Another way:
From step 4, once you've pressed '1' to listen to the urgent message, you can press '4' and '6' successively
to navigate from the Urgent-mailbox to INPUT, which will call close_mailbox() twice, and execute the same
piece of code.
To leave an urgent message, you must press '4' after your message is recorded. You then press '1' to save it.
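The following is an added example, not part of the original report and not Asterisk source code. It models the two consecutive close calls described above with a small static pool in place of the heap, so the repeated release can be counted safely. All names (vm_state_demo, demo_alloc, demo_free, close_vulnerable, close_hardened) are hypothetical, and clearing the pointer after release is the general CWE-415 mitigation, assumed here rather than taken from the project's patch.

```c
#include <stdio.h>

/* Hypothetical, cut-down stand-in for the voicemail state in the report. */
struct vm_state_demo { int *deleted; int *heard; };

/* Tiny static pool instead of the heap, so a repeated release can be
 * counted rather than corrupting a real allocator. */
static int pool[4][16], live[4], double_frees;

static int *demo_alloc(void)
{
    for (int i = 0; i < 4; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

static void demo_free(int *p)
{
    for (int i = 0; i < 4; i++)
        if (p == pool[i]) {
            if (!live[i]) double_frees++;   /* slot was already released */
            live[i] = 0;
            return;
        }
}

/* Pattern from the report: the pointers are left dangling after release. */
static void close_vulnerable(struct vm_state_demo *vms, int last_msg_idx)
{
    if (vms->deleted && last_msg_idx) demo_free(vms->deleted);
    if (vms->heard && last_msg_idx) demo_free(vms->heard);
}

/* Hardened: clear each pointer once released, so a second close skips it. */
static void close_hardened(struct vm_state_demo *vms, int last_msg_idx)
{
    if (vms->deleted && last_msg_idx) { demo_free(vms->deleted); vms->deleted = NULL; }
    if (vms->heard && last_msg_idx) { demo_free(vms->heard); vms->heard = NULL; }
}

/* Close two folders in a row on the same state; return repeated releases. */
static int run_two_closes(void (*close_fn)(struct vm_state_demo *, int))
{
    struct vm_state_demo vms = { demo_alloc(), demo_alloc() };
    double_frees = 0;
    close_fn(&vms, 1);   /* first folder closed */
    close_fn(&vms, 1);   /* second folder closed with the same state */
    return double_frees;
}

int main(void)
{
    printf("vulnerable: %d repeated frees\n", run_two_closes(close_vulnerable));
    printf("hardened:   %d repeated frees\n", run_two_closes(close_hardened));
    return 0;
}
```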
Issue Links
- is related to ASTERISK-19923: Asterisk crashing due to memory corruptions in chan_sip/voicemail (Closed)