CVE-2007-2293

Asterisk - Stack-Based Buffer Overflow in SIP Channel T.38 SDP Parser

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-2293. PoCs published by Barrie Dempster.

AI-analyzed exploit summary This exploit leverages a stack-based buffer overflow in Asterisk's SIP implementation when 't38 fax over SIP' is enabled. The malicious SIP INVITE packet contains an overly long 'T38FaxUdpEC' attribute to trigger the vulnerability, potentially allowing remote code execution or denial-of-service.

Description

Multiple stack-based buffer overflows in the process_sdp function in chan_sip.c of the SIP channel T.38 SDP parser in Asterisk before 1.4.3 allow remote attackers to execute arbitrary code via a long (1) T38FaxRateManagement or (2) T38FaxUdpEC SDP parameter in an SIP message, as demonstrated using SIP INVITE.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Barrie Dempster · textdosmultiple
https://www.exploit-db.com/exploits/29901

This exploit leverages a stack-based buffer overflow in Asterisk's SIP implementation when 't38 fax over SIP' is enabled. The malicious SIP INVITE packet contains an overly long 'T38FaxUdpEC' attribute to trigger the vulnerability, potentially allowing remote code execution or denial-of-service.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Asterisk Open Source < 1.4.3, AsteriskNOW Beta < 6, Asterisk Appliance Developer Kit < 0.4.0
No auth needed
Prerequisites: T38 fax over SIP enabled in sip.conf
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Barrie Dempster · textdosmultiple
https://www.exploit-db.com/exploits/29900

This exploit targets a stack-based buffer overflow in Asterisk's SIP implementation when T.38 fax is enabled. The PoC sends a malformed SIP INVITE with an overly long T38FaxRateManagement field to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Asterisk Open Source < 1.4.3, AsteriskNOW Beta < 6, Asterisk Appliance Developer Kit < 0.4.0
No auth needed
Prerequisites: T.38 fax over SIP enabled in sip.conf
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (11)

Core 11
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/35368
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23648
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1534
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/466883/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/472804/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33895
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24977
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018337
Patch vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017951
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2645
Various Sources x_refsource_confirm
http://www.asterisk.org/files/ASA-2007-010.pdf

Scores

EPSS 0.2388
EPSS Percentile 97.6%

Details

Status published
Products (3)
asterisk/asterisk 1.4.1
asterisk/asterisk 1.4.2
asterisk/asterisk 1.4_beta
Published Apr 26, 2007
Tracked Since Feb 18, 2026