[asterisk-dev] AEL security

Steve Murphy murf at parsetree.com
Mon Mar 19 07:51:32 MST 2007


On Mon, 2007-03-19 at 14:39 +0100, Philipp Kempgen wrote:
> Steve Murphy wrote:
> 
> > On Mon, 2007-03-19 at 12:32 +0100, Philipp Kempgen wrote:
> >> Philipp Kempgen wrote:
> >>
> >>> Sergey Okhapkin wrote:
> >>>
> >>>> AEL needs to use extensions when compiling "switch" statement, asterisk 
> >>>> extensions pattern match is being used for "default" case.
> >>>>
> >>>> On Monday 19 March 2007 06:39, Philipp Kempgen wrote:
> >>>>> Philipp Kempgen wrote:
> >>>>>> It seems like AEL compiles labels into extensions.
> >>>>>> So a user could directly dial to a label which seems
> >>>>>> like a security risk to me. Am I missing something?
> >>>>> Need to correct myself: AEL compiles the cases in a switch
> >>>>> block into extensions. Labels remain untouched. But that
> >>>>> doesn't make it any better.
> >>> Features are not an excuse for weak security. :P
> >> And although it is implemented this way the AEL compiler could
> >> use something like this for the default case:
> >>
> >> exten => 123,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
> >> exten => 123,n,GotoIf($["${switchvar}" = "NOANSWER"]?user_unavail)
> >> exten => 123,n,Goto(default)
> > 
> > Philipp--
> > 
> > Please help me to understand the security implications here. I could
> > invest some time and re-do the stuff for switch statements without using
> > extensions... is it that the creation of the extra extensions might be
> > addressable from outside your org? So, putting Dial() commands to targets
> > outside the org could be the risk? Are there others that I'm not thinking
> > of? AEL compiles switch cases into extensions with names like:
> > sw-<a generated integer>-<Case Label>, and for the default condition, it
> > generates "." as the case label, e.g. sw-32-.
> > 
> > So, as I see it, the risk is that a clever attacker will make
> > sip/iax/etc calls to your system with addresses like "sw-2-BUSY", (PSTN
> > calls would only be able to provide numeric extension names) looking for
> > a switch case that might give him a free ticket to the PSTN?
> 
> Exactly. One of the internal users might figure this out
> and change settings of other users, listen to other users'
> voicemail, whatever. Although this is not very likely I
> see the potential risk.

Thanks, Philipp--

Could you open a bug on bugs.digium.com, and explain this there, and
I'll schedule a re-do that avoids the creation of extensions for
switches. I don't see that this is a critical risk, as DISA **should** be
provided with a password, if you care about security, and Authenticate
just hangs up on failure instead of returning a result you'd want to use
in a switch...
but you are right, in unexpected places, and in unexpected ways, some
wiseguy with a sip connection could be trying random (or worse yet,
thoughtful) extensions of the form sw-3-x to get potentially juicy
extensions to be executed. How fruitful this would be, I cannot predict,
but there is a possibility that it could be fruitful, I must admit.

murf

> 
> Regards,
>   Philipp
> 
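
Added example, not part of the original message or of the Asterisk/AEL code: a defender-side audit that finds generated switch-case extensions (the sw-<integer>-<label> names described in the thread) in contexts that SIP/IAX peers can dial into, and picks out dial attempts shaped like those names. The function names, context names, extension lists and dialed strings are constructed for illustration.

```python
import re

# Name shape taken from the thread: sw-<generated integer>-<case label>, with "."
# as the label of the default case. Assumption: a leading "_" (Asterisk's pattern
# prefix) may precede the name in a compiled dialplan, so it is tolerated here.
SWITCH_EXTEN = re.compile(r"^_?sw-(\d+)-(.*)$")

def parse_switch_exten(name):
    """Return (switch_id, case_label) for a generated switch extension, else None."""
    m = SWITCH_EXTEN.match(name)
    return (int(m.group(1)), m.group(2)) if m else None

def audit_contexts(contexts, peer_contexts):
    """Find generated switch extensions in contexts that SIP/IAX peers dial into."""
    findings = []
    for ctx in sorted(contexts):
        if ctx not in peer_contexts:
            continue  # context is not a landing point for peer calls
        for exten in contexts[ctx]:
            parsed = parse_switch_exten(exten)
            if parsed:
                case = "default" if parsed[1] == "." else parsed[1]
                findings.append((ctx, exten, parsed[0], case))
    return findings

def switch_dial_attempts(dialed):
    """Return dialed strings shaped like a generated switch extension name."""
    return [d for d in dialed if parse_switch_exten(d)]

# Constructed sample data: context names, extensions and dialed strings are
# illustrative only and do not come from a real system.
SAMPLE_CONTEXTS = {
    "from-sip": ["100", "101", "sw-2-BUSY", "sw-2-NOANSWER", "sw-2-."],
    "internal-only": ["200", "sw-7-admin"],
}
SAMPLE_PEER_CONTEXTS = {"from-sip"}
SAMPLE_DIALED = ["100", "sw-2-BUSY", "5551234", "sw-3-x"]

if __name__ == "__main__":
    for ctx, exten, switch_id, case in audit_contexts(SAMPLE_CONTEXTS, SAMPLE_PEER_CONTEXTS):
        print(f"[{ctx}] {exten}: switch #{switch_id}, case {case} is directly dialable")
    for attempt in switch_dial_attempts(SAMPLE_DIALED):
        print(f"dial attempt targets a switch-case name: {attempt}")
```
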