Bugs: Asterisk vmail.cgi vulnerability
Matt Riddell of SineApps has posted details of the vulnerability. Good Job!
Assurance.com.au - Vulnerability Advisory
-----------------------------------------------
Release Date:
07-Nov-2005
Software:
Asterisk Web-VoiceMail (Comedian VoiceMail)
http://www.asterisk.org/
Asterisk is a complete PBX in software. It runs on Linux, BSD and MacOSX and provides all of the features you would expect from a PBX and more.
Asterisk does voice over IP in many protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware.
Versions affected:
Asterisk Versions <= 1.0.9
Asterisk Beta Versions <= 1.2.0-beta1
Asterisk @ Home Versions <= 1.5
Asterisk @ Home Beta Versions <= 2.0 Beta 4
Vulnerability discovered:
A vulnerability in the voicemail retrieval system allows an authenticated user to download any .wav/.WAV file from the system, including other users' voicemail messages.
http://www.assurance.com.au/
Low - Insecure web-ui causes breach of privacy
Vulnerability information:
vmail.cgi does not sanitize a parameter passed by the web user which is later used to open a file and return a raw stream to the user. This allows any authenticated user of the voicemail system to listen to other people's messages, or to open any file with the extension .wav/.WAV on the system.
Example
This will return:
/var/spool/asterisk/voicemail/default/201/INBOX/msg0001.wav
when logged in as the 'extension 200' user.
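The fix the advisory calls for is to bind the file that gets streamed to the mailbox the web user actually authenticated as, and to reject any parameter that is a path rather than a single name. The following is an added example of such a check, not Asterisk's own vmail.cgi code; it assumes the spool layout shown above (context "default", then mailbox, folder and msgNNNN.wav).

```python
from pathlib import Path

# Assumed spool layout from the advisory's example path; the context is "default".
VOICEMAIL_ROOT = Path("/var/spool/asterisk/voicemail/default")
ALLOWED_SUFFIXES = {".wav", ".WAV"}  # the extensions the advisory names


class AccessDenied(Exception):
    """Raised for any request that would read outside the caller's own mailbox."""


def _single_segment(value: str) -> bool:
    # One plain directory or file name: no separators, no NUL, not '.' or '..'.
    return bool(value) and value not in (".", "..") and not any(c in value for c in "/\\\0")


def resolve_message_path(session_mailbox: str, requested_mailbox: str,
                         folder: str, message: str, root: Path = VOICEMAIL_ROOT) -> Path:
    """Return the only file this session may stream, or raise AccessDenied.

    session_mailbox comes from the authenticated session; requested_mailbox,
    folder and message are the untrusted CGI parameters.
    """
    # Authorization: the web user may only read the mailbox they logged in as.
    if requested_mailbox != session_mailbox:
        raise AccessDenied("mailbox does not match authenticated extension")
    # Each parameter must be a single name, never a path fragment.
    for name in (requested_mailbox, folder, message):
        if not _single_segment(name):
            raise AccessDenied(f"rejected path-like parameter {name!r}")
    if Path(message).suffix not in ALLOWED_SUFFIXES:
        raise AccessDenied("only voicemail .wav/.WAV files may be streamed")
    base = (root / session_mailbox).resolve()
    candidate = (base / folder / message).resolve()
    # Belt-and-braces containment check after symlinks and '..' are resolved.
    if base not in candidate.parents:
        raise AccessDenied("resolved path escapes the caller's mailbox")
    return candidate


def is_allowed(session_mailbox: str, requested_mailbox: str, folder: str, message: str) -> bool:
    """True when the request resolves to a file inside the caller's own mailbox."""
    try:
        resolve_message_path(session_mailbox, requested_mailbox, folder, message)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Extension 200 fetching its own message passes; reaching for 201's INBOX does not.
    print(is_allowed("200", "200", "INBOX", "msg0001.wav"))        # True
    print(is_allowed("200", "201", "INBOX", "msg0001.wav"))        # False
    print(is_allowed("200", "200", "../201/INBOX", "msg0001.wav")) # False
```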
Solution:
Asterisk has released patches for the vulnerabilities.
Ensure you are running Asterisk versions > 1.0.9 / 1.2.0-beta1
Ensure you are running Asterisk @ Home versions > 1.5 / 2.0 beta 4
References:
Assurance.com.au advisory
http://www.assurance.com.au/advisories/200511-asterisk.txt
Asterisk advisory note:
http://www.asterisk.org/changelog
Credit:
Adam Pointon of Assurance.com.au
http://www.assurance.com.au/
Disclosure timeline:
17-Oct-2005 - Discovered during a quick audit of the Asterisk web UI
18-Oct-2005 - Email sent to support and the primary author
18-Oct-2005 - Immediate response received
31-Oct-2005 - Patched version committed to CVS
07-Nov-2005 - Advisory released