[Asterisk-bugs] [Asterisk 0010198]: Important vulnerability after native transfer: the transferred gets context privileges

noreply at bugs.digium.com noreply at bugs.digium.com
Fri Jul 13 08:23:38 CDT 2007


The following issue has been UNset as DUPLICATE OF issue 0009565. 
====================================================================== 
http://bugs.digium.com/view.php?id=10198 
====================================================================== 
Reported By:                ibc
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   10198
Category:                   Core-General
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.4 
SVN Branch (only for SVN checkouts, not tarball releases): N/A  
SVN Revision (number only!):  
Disclaimer on File?:        No 
Request Review:              
====================================================================== 
Date Submitted:             07-13-2007 03:47 CDT
Last Modified:              07-13-2007 08:23 CDT
====================================================================== 
Summary:                    Important vulnerability after native transfer: the transferred gets context privileges
Description: 
Any common company using a PBX needs:

- Calls between local users can be transferred in both directions --> tT
- Outgoing calls can be transferred just by the local caller --> T

In Asterisk this is a simple context/dialplan for that common need:

----------------------------------------------------------------------------
[users]

; In internal calls we want bidirectional transfer -> tT
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT)

; In outgoing calls we just want transfer by the caller (us) -> T
exten => _6XXXXXXXX,1,Dial(Zap/1/${EXTEN}|60|T)
----------------------------------------------------------------------------

This means: we DON'T want an external called party to be able to transfer us.


Now imagine this common scenario:

- SIP/200 calls to a mobile 666777888
    Dial("SIP/200", "Zap/1/666777888|60|T")

- They speak for a while and 200 wants to transfer him to 201. 200 can
transfer because the Dial had "T". It doesn't matter if the transfer is
blind or attended:
    Transferring Zap/1-1 to '201' (context users) priority 1
    Dial("Zap/1-1", "SIP/201|60|tT") in new stack    <--- **** "tT" !!! ****
    -- Called 201
    -- Called 201

- 201 answers and starts a conversation with 666777888.
The BIG vulnerability is that now the mobile CAN transfer by pressing the
DTMF code of features.conf for blind/attended transfer:
    Started music on hold, class 'default', on SIP/201
    -- <Zap/1-1> Playing 'pbx-transfer' (language 'en')   <------ !!!!!!!!


This means that the remote called party can transfer us by calling any
number available in the [users] context, which generally means all the
numbers in the world.
This is an important issue that can cost money for people/companies using
Asterisk.

I've checked this bug, and more people have done so in their Asterisk. You
can check it just with the simple dialplan above, which I think is very
common.

A solution could be to check the Dial parameters after a native transfer
and make sure that the called party doesn't get privileges it shouldn't have.

I hope for a solution to this. Best regards.
====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-13-07 08:23  file           Relationship deleted     duplicate of 0009565
======================================================================
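
An added example, not part of the original report or of Asterisk: a Python audit of extensions.conf text for the condition the report describes, where a trunk Dial() with "T" shares a context with extensions whose Dial() also carries "T". It assumes that transfers land in the same context (as in the report's log), that `Zap` is the only trunk technology, and the `|` argument separator used above; `TRUNK_TECHS`, `parse_dials` and `audit` are hypothetical names.

```python
import re

# Assumption: technologies whose channels lead to outside parties.
TRUNK_TECHS = {"Zap"}
EXTEN_RE = re.compile(r"exten\s*=>\s*([^,]+),[^,]+,\s*Dial\((.*)\)\s*$")

# Constructed input: [users] is the dialplan from the report,
# [internal] is a made-up context with no trunk access.
SAMPLE = """
[users]
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT)
exten => _6XXXXXXXX,1,Dial(Zap/1/${EXTEN}|60|T)

[internal]
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT) ; no trunk here
"""

def parse_dials(text):
    """Return {context: [(exten, tech, options), ...]} for each Dial() line."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            contexts.setdefault(current, [])
            continue
        m = EXTEN_RE.match(line)
        if m and current is not None:
            args = re.split(r"[|,]", m.group(2))     # device, timeout, options
            # Ignore option arguments such as M(macro) when reading flags.
            opts = re.sub(r"\([^)]*\)", "", args[2]) if len(args) > 2 else ""
            tech = args[0].split("/")[0]
            contexts[current].append((m.group(1).strip(), tech, opts))
    return contexts

def audit(text):
    """List (context, exten) where a party transferred in from a trunk would
    run Dial() as the caller with 'T' and so gain transfer rights."""
    findings = []
    for ctx, dials in parse_dials(text).items():
        # A trunk Dial with 'T' lets the local caller transfer the outside
        # party into this context, where it becomes the calling channel.
        exposed = any(t in TRUNK_TECHS and "T" in o for _, t, o in dials)
        if exposed:
            findings += [(ctx, ext) for ext, _, o in dials if "T" in o]
    return findings

if __name__ == "__main__":
    for ctx, ext in audit(SAMPLE):
        print(f"[{ctx}] {ext}: a transferred trunk party would get 'T' here")
```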



