[UNIX] IMAP Storage Buffer Overflows in Asterisk's Voicemail



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



IMAP Storage Buffer Overflows in Asterisk's Voicemail
------------------------------------------------------------------------


SUMMARY

The function "sprintf" was used heavily throughout the Asterisk
IMAP-specific voicemail code. After auditing the code, two vulnerabilities
were discovered, both buffer overflows.

DETAILS

Vulnerable Systems:
* Asterisk Open Source version 1.4.12 and prior

Immune Systems:
* Asterisk Open Source version 1.4.13

The following buffer overflow required write access to Asterisk's
configuration files in order to be exploited.

1) If a combination of the astspooldir (set in asterisk.conf), the
voicemail context, and voicemail mailbox, were very long, then there was a
buffer overflow when playing a message or forwarding a message (in the
case of forwarding, the context and mailbox in question are the context
and mailbox that the message was being forwarded to).

The following buffer overflow could be exploited remotely.

2) If any one of, or any combination of the Content-type or
Content-description headers for an e-mail that Asterisk recognized as a
voicemail message contained more than a 1024 characters, then a buffer
would overflow while listening to a voicemail message via a telephone. It
is important to note that this did NOT affect users who get their
voicemail via an e-mail client.

Resolution:
"sprintf" calls have been changed to "snprintf" wherever space was not
specifically allocated to the buffer prior to the sprintf call. This
includes places which are not currently prone to buffer overflows.


ADDITIONAL INFORMATION

The information has been provided by <mailto:asteriskteam@xxxxxxxxxx> The
Asterisk Development Team.
The original article can be found at:
<http://downloads.digium.com/pub/security/AST-2007-022.html>
http://downloads.digium.com/pub/security/AST-2007-022.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NEWS] PocketPC MMS Code Injection/Execution Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PocketPC MMS Code Injection/Execution Vulnerability ... Multiple buffer overflows in MMS message parser ... Content-Type ...
    (Securiteam)
  • [NEWS] Libxml2 Remote Buffer Overflows
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Several buffer overflows were found in various code portions in libxml2. ... * A buffer overflow exists when parsing a proxy URL with FTP information ...
    (Securiteam)
  • [UNIX] xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... to execute arbitrary commands via malformed images. ... Multiple buffer overflow in xloadimage allow remote attackers to execute ... Under Linux the buffer overflows allow remote attackers to execute ...
    (Securiteam)
  • [UNIX] GNU Anubis Buffer Overflows and Format String Bugs
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... GNU Anubis is "an outgoing mail ... Ulf Harnhammar has found two buffer overflows and three format string bugs ...
    (Securiteam)