Asterisk
  1. Asterisk
  2. ASTERISK-20052

Security Vulnerability: remote crash vulnerability in app_voicemail

    Details

    • Regression:
      No

      Description

      Reported By: Nicolas Bouliane - Avencall Security Labs
      Summary: app_voicemail remote crash vulnerability
      Nature of Advisory: Denial of Service
      Tested with Asterisk version: 1.8.13.0

      Description:

      The app_voicemail code call free() twice on the same memory address under some circumstance.
      Further reading: CWE-415 Double Free => http://cwe.mitre.org/data/definitions/415.html

      close_mailbo) is called once for the Urgent-mailbox and once for the INPUT-mailbox,
      each time freeing data if a message was received after the mailbox was opened.

      8032 done:
      8033 if (vms->deleted && last_msg_idx)

      { 8034 ast_free(vms->deleted); 8035 }

      8036 if (vms->heard && last_msg_idx)

      { 8037 ast_free(vms->heard); 8038 }

      8039
      8040 return 0;

      Steps:

      1 - You leave an urgent and a normal message to your voicemail.
      2 - You log into your voicemail, the menu is offered to you, you press nothing and wait.

      3 - From another call, you leave an urgent and a normal message to the voicemail.

      4 - In the voicemail menu, you now press '1' to listen to the urgent message.
      5 - You press '7' to delete the message, and then it close the Urgent-mailbox and switch to INBOX.
      6 - You press '#' to exit.
      7 - Asterisk crash.

      Another way:

      From step 4, once you've press '1' to listen to the urgent message, you can press '4' and '6' successively
      to navigate from the Urgent-mailbox to INPUT, which will call close_mailbo) twice, and execute the same
      piece of code.

      To leave an urgent message, you must press '4' after your message is recorded. You then press '1' to save it.

        Issue Links

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Unassigned
              Reporter:
              Matt Jordan
              Issue Participants:
            • Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: