[asterisk-dev] AEL security

Steve Murphy murf at parsetree.com
Mon Mar 19 06:16:27 MST 2007


On Mon, 2007-03-19 at 12:32 +0100, Philipp Kempgen wrote:
> Philipp Kempgen wrote:
> 
> > Sergey Okhapkin wrote:
> > 
> >> AEL needs to use extensions when compiling "switch" statement, asterisk 
> >> extensions pattern match is being used for "default" case.
> >>
> >> On Monday 19 March 2007 06:39, Philipp Kempgen wrote:
> >>> Philipp Kempgen wrote:
> >>>> It seems like AEL compiles labels into extensions.
> >>>> So a user could directly dial to a label which seems
> >>>> like a security risk to me. Am I missing something?
> >>> Need to correct myself: AEL compiles the cases in a switch
> >>> block into extensions. Labels remain untouched. But that
> >>> doesn't make it any better.
> > 
> > Features are not an excuse for weak security. :P
> 
> And although it is implemented this way the AEL compiler could
> use something like this for the default case:
> 
> exten => 123,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
> exten => 123,n,GotoIf($["${switchvar}" = "NOANSWER"]?user_unavail)
> exten => 123,n,Goto(default)

Philipp--

Please help me to understand the security implications here. I could
invest some time and re-do the stuff for switch statements without using
extensions... is it that the creation of the extra extensions might be
addressable from outside your org? So, putting Dial() commands to
targets outside the org could be the risk? Are there others that I'm not
thinking of? AEL compiles switch cases into extensions with names like:
sw-<a generated integer>-<Case Label>, and for the default condition, it
generates "." as the case label, e.g. sw-32-.

So, as I see it, the risk is that a clever attacker will make
sip/iax/etc calls to your system with addresses like "sw-2-BUSY" (PSTN
calls would only be able to provide numeric extension names), looking
for a switch case that might give him a free ticket to the PSTN? As I
see it, the context is one meant for incoming calls, so if the context
doesn't allow dialing outside your network, you should be OK? But if you
have some sort of magic extension that provides dialtone, you could be
cooked, right? Any other scenarios?

murf




> 
> 
> Regards,
>   Philipp
> 
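As an added defender's check (not part of this thread, and not Asterisk's or AEL's own code), the script below parses an extensions.conf-style dialplan dump, lists every generated sw-<integer>-<label> extension, which a SIP/IAX caller could dial by name if the context faces them, and flags those whose priorities place an outbound Dial(). The sample dialplan is constructed: the from-pstn context imitates the compiled switch described in the thread, and from-pstn-gotoif shows the GotoIf-based form Philipp sketched, where the case logic stays inside extension 123 and no extra dialable extensions exist. The outbound-Dial heuristic (a user@host target or a DAHDI/Zap span) is an assumption to adjust to local trunk naming.

```python
import re
from typing import Dict, List, Tuple

Priority = Tuple[str, str]                       # (priority, application call)
Dialplan = Dict[str, Dict[str, List[Priority]]]  # context -> exten -> priorities

# Constructed sample dialplan (hypothetical names, not real compiler output).
SAMPLE_DIALPLAN = """
[from-pstn]
exten => 123,1,Dial(SIP/alice,20)
exten => 123,n,Goto(sw-2-${DIALSTATUS},10)
exten => sw-2-BUSY,10,Playback(busy-msg)
exten => sw-2-NOANSWER,10,Dial(SIP/${VOICEMAILBOX}@provider,30)   ; constructed: dials out
exten => sw-2-.,10,Hangup()

[from-pstn-gotoif]
exten => 123,1,Dial(SIP/alice,20)
exten => 123,n,GotoIf($["${DIALSTATUS}" = "BUSY"]?user_busy)
exten => 123,n,GotoIf($["${DIALSTATUS}" = "NOANSWER"]?user_unavail)
exten => 123,n,Goto(default)
exten => 123,n(user_busy),Playback(busy-msg)
exten => 123,n,Hangup()
exten => 123,n(user_unavail),Dial(SIP/${VOICEMAILBOX}@provider,30)
exten => 123,n,Hangup()
exten => 123,n(default),Hangup()
"""

_CONTEXT_RE = re.compile(r"^\[([^\]]+)\]$")
_EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),([^,]+),(.+)$")
# Generated switch-case names follow the sw-<integer>-<label> scheme from the thread.
_GENERATED_RE = re.compile(r"^sw-\d+-")
# Assumption: a Dial() is outbound when its channel string names a remote host
# (user@host) or a PSTN span (DAHDI/, Zap/). Adjust to your trunk naming.
_DIAL_OUT_RE = re.compile(r"\bDial\(\s*[^,)]*(?:@|\bDAHDI/|\bZap/)")


def parse_dialplan(text: str) -> Dialplan:
    """Parse [context] headers and exten => lines; comments after ';' are dropped."""
    plan: Dialplan = {}
    context = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            plan.setdefault(context, {})
            continue
        m = _EXTEN_RE.match(line)
        if m and context is not None:
            exten, prio, app = (s.strip() for s in m.groups())
            plan[context].setdefault(exten, []).append((prio, app))
    return plan


def is_generated_case_extension(name: str) -> bool:
    """True for compiler-generated switch-case extensions such as sw-32-."""
    return bool(_GENERATED_RE.match(name))


def dials_out(app: str) -> bool:
    """True when an application call is an outbound Dial() under the heuristic above."""
    return bool(_DIAL_OUT_RE.search(app))


def audit(text: str):
    """Return (dialable, risky).

    dialable: every generated switch-case extension, reachable by name from
              SIP/IAX callers if its context is exposed to them.
    risky:    those generated extensions whose priorities dial outbound.
    """
    plan = parse_dialplan(text)
    dialable: List[Tuple[str, str]] = []
    risky: List[Tuple[str, str, str]] = []
    for context, extens in plan.items():
        for exten, prios in extens.items():
            if not is_generated_case_extension(exten):
                continue
            dialable.append((context, exten))
            for _prio, app in prios:
                if dials_out(app):
                    risky.append((context, exten, app))
    return dialable, risky


if __name__ == "__main__":
    found, bad = audit(SAMPLE_DIALPLAN)
    for ctx, ext in found:
        print(f"[{ctx}] generated extension dialable by name: {ext}")
    for ctx, ext, app in bad:
        print(f"[{ctx}] {ext} dials outbound: {app}")
```

Run it against `asterisk -rx "dialplan show"` output saved to a file (after trimming that command's decoration) or against extensions.conf directly; the GotoIf-style context produces no findings because its only outbound Dial() is reachable through extension 123's own logic rather than through a separately dialable name.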