[Home]

Summary:ASTERISK-20052: Security Vulnerability: remote crash vulnerability in app_voicemail
Reporter:Matt Jordan (mjordan)Labels:
Date Opened:2012-06-26 12:21:18Date Closed:2012-07-05 17:18:42
Priority:CriticalRegression?No
Status:Closed/CompleteComponents:Applications/app_voicemail
Versions:1.8.13.0 10.5.1 10.5.1-digiumphones Frequency of
Occurrence
Related
Issues:
is related toASTERISK-19923 Asterisk crashing due to memory corruptions in chan_sip/voicemail
Environment:Attachments:
Description:Reported By: Nicolas Bouliane - Avencall Security Labs
Summary: app_voicemail remote crash vulnerability
Nature of Advisory: Denial of Service
Tested with Asterisk version: 1.8.13.0

Description:

The app_voicemail code call free() twice on the same memory address under some circumstance.
Further reading: CWE-415 Double Free => http://cwe.mitre.org/data/definitions/415.html

close_mailbo) is called once for the Urgent-mailbox and once for the INPUT-mailbox,
each time freeing data if a message was received after the mailbox was opened.

8032 done:
8033         if (vms->deleted && last_msg_idx) {
8034                 ast_free(vms->deleted);
8035         }
8036         if (vms->heard && last_msg_idx) {
8037                 ast_free(vms->heard);
8038         }
8039
8040         return 0;

Steps:

1 - You leave an urgent and a normal message to your voicemail.
2 - You log into your voicemail, the menu is offered to you, you press nothing and wait.

       3 - From another call, you leave an urgent and a normal message to the voicemail.

4 - In the voicemail menu, you now press '1' to listen to the urgent message.
5 - You press '7' to delete the message, and then it close the Urgent-mailbox and switch to INBOX.
6 - You press '#' to exit.
7 - Asterisk crash.

Another way:

From step -4-, once you've press '1' to listen to the urgent message, you can press '4' and '6' successively
to navigate from the Urgent-mailbox to INPUT, which will call close_mailbo) twice, and execute the same
piece of code.

To leave an urgent message, you must press '4' after your message is recorded. You then press '1' to save it.
Comments: