Asterisk IMAP storage sprintf buffer overflow

asterisk-sprintf-bo (37051) The risk level is classified as MediumMedium Risk

Description:

Asterisk IMAP storage is vulnerable to a buffer overflow, caused by improper bounds checking by the sprintf function. By sending a specially-crafted voicemail with overly long input from the astspooldir, voicemail context, or voicemail mailbox, a local attacker with write access to the configuration files could overflow a buffer and execute arbitrary code on the system or cause the server to crash while playing or forwarding a message.

Platforms Affected:

  • Digium, Asterisk Open Source prior to 1.4.13

Remedy:

Refer to AST-2007-022 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Access

References:

  • AST-2007-022, Buffer overflows in voicemail when using IMAP storage at http://downloads.digium.com/pub/security/AST-2007-022.pdf.
  • BID-26005: Asterisk IMAP-Specific Voicemail Multiple Buffer Overflow Vulnerabilities
  • CVE-2007-5358: Multiple buffer overflows in the voicemail functionality in Asterisk 1.4.x before 1.4.13, when using IMAP storage, might allow (1) remote attackers to execute arbitrary code via a long combination of Content-type and Content-description headers, or (2) local users to execute arbitrary code via a long combination of astspooldir, voicemail context, and voicemail mailbox fields. NOTE: vector 2 requires write access to Asterisk configuration files.
  • SA27184: Asterisk IMAP Storage Voicemail Buffer Overflow
  • SECTRACK ID: 1018804: Asterisk IMAP Voicemail Buffer Overflows Let Remote and Local Users Execute Arbitrary Code
  • VUPEN/ADV-2007-3454: Asterisk IMAP Storage Data Handling Two Buffer Overflow Vulnerabilities

Reported:

Oct 09, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page