[asterisk-dev] AEL security

Philipp Kempgen philipp.kempgen at amooma.de
Mon Mar 19 06:39:41 MST 2007


Steve Murphy wrote:

> On Mon, 2007-03-19 at 12:32 +0100, Philipp Kempgen wrote:
>> Philipp Kempgen wrote:
>>
>>> Sergey Okhapkin wrote:
>>>
>>>> AEL needs to use extensions when compiling the "switch" statement;
>>>> Asterisk extension pattern matching is being used for the "default" case.
>>>>
>>>> On Monday 19 March 2007 06:39, Philipp Kempgen wrote:
>>>>> Philipp Kempgen wrote:
>>>>>> It seems like AEL compiles labels into extensions.
>>>>>> So a user could directly dial a label, which seems
>>>>>> like a security risk to me. Am I missing something?
>>>>> Need to correct myself: AEL compiles the cases in a switch
>>>>> block into extensions. Labels remain untouched. But that
>>>>> doesn't make it any better.
>>> Features are not an excuse for weak security. :P
>> And although it is implemented this way the AEL compiler could
>> use something like this for the default case:
>>
>> exten => 123,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
>> exten => 123,n,GotoIf($["${switchvar}" = "NOANSWER"]?user_unavail)
>> exten => 123,n,Goto(default)
> 
> Philipp--
> 
> Please help me to understand the security implications here. I could
> invest some time and re-do the stuff for switch statements without using
> extensions... is it that the creation of the extra extensions might be
> addressable from outside your org? So, putting Dial() commands to targets
> outside the org could be the risk? Are there others that I'm not thinking
> of? AEL compiles switch cases into extensions with names like:
> sw-<a generated integer>-<Case Label>, and for the default condition, it
> generates "." as the case label, e.g. sw-32-.
> 
> So, as I see it, the risk is that a clever attacker will make
> sip/iax/etc calls to your system with addresses like "sw-2-BUSY", (PSTN
> calls would only be able to provide numeric extension names) looking for
> a switch case that might give him a free ticket to the PSTN?

Exactly. One of the internal users might figure this out
and change settings of other users, listen to other users'
voicemail, whatever. Although this is not very likely I
see the potential risk.

Regards,
  Philipp

-- 
amooma GmbH - Bachstr. 126 - 56566 Neuwied - http://www.amooma.de
     Let's use IT to solve problems and not to create new ones.
           Asterisk? -> http://www.das-asterisk-buch.de

Geschäftsführer: Stefan Wintermeyer
Handelsregister: Neuwied B 14998
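The thread's concern is that AEL-compiled switch cases become ordinary extensions (named sw-<integer>-<label>, per Steve's description) that an internal SIP/IAX user could dial directly. The script below is an added audit example written for this discussion; it is not part of the thread, of AEL, or of Asterisk. It parses an extensions.conf-style text, follows "include =>" edges from the contexts an administrator assigns to user-facing channels (the entry contexts are an assumption the caller supplies), and reports every generated switch-case extension those callers could reach by name. The configuration fragment, context names and extension numbers are constructed sample input.

```python
import re
from collections import deque

# Constructed extensions.conf-style fragment (sample input for this example, not
# from the thread). It mimics what the thread describes: switch cases compiled
# into "sw-<int>-<label>" extensions, with "." used for the default case.
SAMPLE_CONF = """\
[from-sip-users]
include => internal
exten => 123,1,Dial(SIP/123,20)
exten => 123,n,Goto(sw-2-${DIALSTATUS},1)
exten => sw-2-BUSY,1,Voicemail(123@default,b)
exten => sw-2-NOANSWER,1,Voicemail(123@default,u)
exten => sw-32-.,1,Dial(Zap/g1/${EXTEN})

[internal]
exten => 200,1,Playback(demo-congrats)

[from-pstn]
exten => _X.,1,Goto(from-sip-users,${EXTEN},1)
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),")
INCLUDE_RE = re.compile(r"^include\s*=>\s*(\S+)")
# Name shape the thread attributes to AEL's compiled switch cases (assumed here).
GENERATED_RE = re.compile(r"^sw-\d+-")


def parse_contexts(conf_text):
    """Return {context: {"extens": set(), "includes": []}} from conf text.

    Only 'exten =>' and 'include =>' lines are interpreted; comments and
    every other key are ignored.
    """
    contexts = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, {"extens": set(), "includes": []})
            continue
        if current is None:
            continue
        m = EXTEN_RE.match(line)
        if m:
            contexts[current]["extens"].add(m.group(1).strip())
            continue
        m = INCLUDE_RE.match(line)
        if m:
            contexts[current]["includes"].append(m.group(1))
    return contexts


def reachable_contexts(contexts, entry_contexts):
    """Follow 'include =>' edges transitively from the entry contexts."""
    seen = set()
    queue = deque(entry_contexts)
    while queue:
        ctx = queue.popleft()
        if ctx in seen or ctx not in contexts:
            continue
        seen.add(ctx)
        queue.extend(contexts[ctx]["includes"])
    return seen


def audit(conf_text, entry_contexts):
    """List (context, extension) pairs of generated switch-case extensions
    that a caller placed into one of entry_contexts could dial by name."""
    contexts = parse_contexts(conf_text)
    findings = []
    for ctx in sorted(reachable_contexts(contexts, entry_contexts)):
        for exten in sorted(contexts[ctx]["extens"]):
            if GENERATED_RE.match(exten):
                findings.append((ctx, exten))
    return findings


if __name__ == "__main__":
    # from-sip-users is the assumed context for internal SIP phones.
    for ctx, exten in audit(SAMPLE_CONF, ["from-sip-users"]):
        print(f"{ctx}: generated extension '{exten}' is directly dialable")
```

Only "include =>" edges are followed; jumps made with Goto() are not modelled, so a report of nothing found means only that no generated extension sits in a context the entry points include. The finding it produces for the constructed sample is exactly the case Philipp describes: the sw-2-* and sw-32-. extensions live in the same context as the user extension, so any phone placed in that context can dial them. The GotoIf chain Philipp proposes for the default case avoids the problem at the source, since it creates no extra extension to audit.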
