[Asterisk-bugs] [Asterisk 0010198]: Important vulnerability after native transfer: the transferred gets context privileges
noreply at bugs.digium.com
Fri Jul 13 08:23:38 CDT 2007
The following issue has been UNset as DUPLICATE OF issue 0009565.
======================================================================
http://bugs.digium.com/view.php?id=10198
======================================================================
Reported By: ibc
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 10198
Category: Core-General
Reproducibility: always
Severity: major
Priority: normal
Status: new
Asterisk Version: 1.4.4
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Disclaimer on File?: No
Request Review:
======================================================================
Date Submitted: 07-13-2007 03:47 CDT
Last Modified: 07-13-2007 08:23 CDT
======================================================================
Summary: Important vulnerability after native transfer: the
transferred gets context privileges
Description:
Any common company using a PBX needs:
- Calls between local users can be transferred in both directions --> tT
- Outgoing calls can be transferred just by the local caller --> T
In Asterisk this is a simple context/dialplan for that common need:
----------------------------------------------------------------------------
[users]
; In internal calls we want bidirectional transfer -> tT
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT)
; In outgoing calls we just want transfer by the caller (us) -> T
exten => _6XXXXXXXX,1,Dial(Zap/1/${EXTEN}|60|T)
----------------------------------------------------------------------------
This means: we DON'T want an external called party to be able to transfer us.
Now imagine this common scenario:
- SIP/200 calls to a mobile 666777888
Dial("SIP/200", "Zap/1/666777888|60|T")
- They speak for a while and 200 wants to transfer him to 201. 200 can
transfer because the Dial had "T". It doesn't matter if the transfer is
blind or attended:
Transferring Zap/1-1 to '201' (context users) priority 1
Dial("Zap/1-1", "SIP/201|60|tT") in new stack <--- **** "tT" !!! ****
-- Called 201
- 201 answers and starts a conversation with 666777888.
The BIG vulnerability is that now the mobile CAN transfer by pressing the
DTMF code of features.conf for blind/attended transfer:
Started music on hold, class 'default', on SIP/201
-- <Zap/1-1> Playing 'pbx-transfer' (language 'en') <------ !!!!!!!!
This means that the remote called party can transfer us by calling any number
available in the [users] context, which generally means all the numbers in the
world.
This is an important issue that can cost money for people/companies using
Asterisk.
I've checked this bug and more people have done so in their Asterisk. You
can check it with just the simple dialplan above, which I think is very
common.
A solution could be to check the Dial parameters after a native transfer
and make sure that the called party doesn't get privileges it shouldn't have.
Hoping for a solution to this. Best regards.
======================================================================
Issue History
Date Modified   Username  Field                 Change
======================================================================
07-13-07 08:23  file      Relationship deleted  duplicate of 0009565
======================================================================
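An added example, not part of the original report or of Asterisk's code: a small Python check over an extensions.conf-style dialplan that flags the condition described above. It relies on the report's log line, where the transferred channel (Zap/1-1) is the one executing the new Dial and is therefore the calling party that the T option applies to. The Zap/ trunk prefix, the function names and the [internal-only] context are assumptions made for illustration.

```python
import re

# Dialplan from the report ([users]) plus a constructed context for contrast.
SAMPLE = """\
[users]
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT)
exten => _6XXXXXXXX,1,Dial(Zap/1/${EXTEN}|60|T)
[internal-only]
exten => _2XX,1,Dial(SIP/${EXTEN}|60|t)
exten => _3XX,1,Dial(SIP/${EXTEN}|60|L(60000)M(Trace))
"""

EXTEN_RE = re.compile(r"^\s*exten\s*=>\s*([^,]+),[^,]+,Dial\((.*)\)\s*$", re.I)


def parse_dials(text):
    """Yield (context, pattern, destination, option_flags) for each Dial() line."""
    context = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop dialplan comments
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            continue
        m = EXTEN_RE.match(line)
        if not m or context is None:
            continue
        args = re.split(r"[|,]", m.group(2))     # 1.4 uses '|', later versions ','
        opts = args[2] if len(args) > 2 else ""
        flags = re.sub(r"\([^)]*\)", "", opts)   # drop option arguments like L(60000)
        yield context, m.group(1).strip(), args[0].strip(), flags


def audit(text, trunk_prefixes=("Zap/",)):
    """Flag Dial() lines granting 'T' in any context that also routes to a trunk.

    trunk_prefixes is an assumption: channel technologies treated as outbound.
    """
    dials = list(parse_dials(text))
    exposed = {c for c, _, dest, _ in dials if dest.startswith(trunk_prefixes)}
    return [(c, pat, flags) for c, pat, _, flags in dials
            if c in exposed and "T" in flags]


if __name__ == "__main__":
    for ctx, pat, flags in audit(SAMPLE):
        print(f"[{ctx}] {pat}: Dial options '{flags}' give a transferred-in "
              "channel transfer rights in a context with trunk routes")
```

Both lines of the reported [users] context are flagged, because a channel transferred into that context runs either Dial as the caller; the constructed [internal-only] context has no trunk route and no caller-side T, so it is not.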