[asterisk-dev] AEL security

Philipp Kempgen philipp.kempgen at amooma.de
Mon Mar 19 08:40:19 MST 2007


Steve Murphy wrote:

> On Mon, 2007-03-19 at 14:39 +0100, Philipp Kempgen wrote:
>> Steve Murphy wrote:
>>
>>> On Mon, 2007-03-19 at 12:32 +0100, Philipp Kempgen wrote:
>>>> Philipp Kempgen wrote:
>>>>
>>>>> Sergey Okhapkin wrote:
>>>>>
>>>>>> AEL needs to use extensions when compiling a "switch" statement; the Asterisk
>>>>>> extension pattern match is being used for the "default" case.
>>>>>>
>>>>>> On Monday 19 March 2007 06:39, Philipp Kempgen wrote:
>>>>>>> Philipp Kempgen wrote:
>>>>>>>> It seems like AEL compiles labels into extensions.
>>>>>>>> So a user could directly dial a label, which seems
>>>>>>>> like a security risk to me. Am I missing something?
>>>>>>> Need to correct myself: AEL compiles the cases in a switch
>>>>>>> block into extensions. Labels remain untouched. But that
>>>>>>> doesn't make it any better.
>>>>> Features are not an excuse for weak security. :P
>>>> And although it is implemented this way the AEL compiler could
>>>> use something like this for the default case:
>>>>
>>>> exten => 123,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
>>>> exten => 123,n,GotoIf($["${switchvar}" = "NOANSWER"]?user_unavail)
>>>> exten => 123,n,Goto(default)
>>> Philipp--
>>>
>>> Please help me to understand the security implications here. I could
>>> invest some time and re-do the stuff for switch statements without using
>>> extensions... Is it that the creation of the extra extensions might be
>>> addressable from outside your org? So, putting Dial() commands to targets
>>> outside the org could be the risk? Are there others that I'm not thinking
>>> of? AEL compiles switch cases into extensions with names like:
>>> sw-<a generated integer>-<Case Label>, and for the default condition, it
>>> generates "." as the case label, e.g. sw-32-.
>>>
>>> So, as I see it, the risk is that a clever attacker will make
>>> sip/iax/etc calls to your system with addresses like "sw-2-BUSY", (PSTN
>>> calls would only be able to provide numeric extension names) looking for
>>> a switch case that might give him a free ticket to the PSTN?
>> Exactly. One of the internal users might figure this out
>> and change settings of other users, listen to other users'
>> voicemail, whatever. Although this is not very likely I
>> see the potential risk.
> 
> Thanks, Philipp--
> 
> Could you open a bug on bugs.digium.com, and explain this there?

Done that. http://bugs.digium.com/view.php?id=9316 for those who
might be interested.

Regards,
  Philipp

-- 
amooma GmbH - Bachstr. 126 - 56566 Neuwied - http://www.amooma.de
     Let's use IT to solve problems and not to create new ones.
           Asterisk? -> http://www.das-asterisk-buch.de

Geschäftsführer: Stefan Wintermeyer
Handelsregister: Neuwied B 14998
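The two dialplan layouts discussed in this thread, as an added example that is not part of the original post, of AEL, or of Asterisk: one builds each switch case as its own `sw-<integer>-<label>` extension (the layout Steve describes), the other keeps the cases as GotoIf() priorities inside the original extension (the layout Philipp proposes). The model of "reachable by dialing" is my own simplification (exact name match only; Asterisk's real pattern matcher is not reproduced), and the sample cases, the extension `123`, the variable `switchvar` and the generated integer `2` are constructed values.

```python
"""Model of dialable vs. non-dialable compilation of a dialplan switch.

Simplifying assumptions (not Asterisk behaviour): a context is a dict of
extension name -> ordered priorities, and a dialed string reaches an
extension only when it equals the extension name exactly.
"""
import re
from typing import Dict, List, Optional, Tuple

# One priority: (optional priority label, application call)
Priority = Tuple[Optional[str], str]
# One context: extension name -> ordered priorities
Context = Dict[str, List[Priority]]

# Naming convention for generated case extensions quoted in the thread:
# sw-<generated integer>-<case label>, with "." as the default case label
GENERATED_CASE = re.compile(r"^sw-\d+-")


def switch_as_extensions(exten: str, var: str, cases: Dict[str, str],
                         default: str, sw_id: int = 2) -> Context:
    """Layout the thread describes: every case body lives in its own
    extension, so it gets a dialable name. sw_id stands in for the
    generated integer and is a constructed value."""
    ctx: Context = {exten: [(None, f"Goto(sw-{sw_id}-${{{var}}},1)")]}
    for label, app in cases.items():
        ctx[f"sw-{sw_id}-{label}"] = [(None, app)]
    ctx[f"sw-{sw_id}-."] = [(None, default)]
    return ctx


def switch_as_gotoif(exten: str, var: str, cases: Dict[str, str],
                     default: str) -> Context:
    """Layout Philipp proposes: GotoIf() jumps to priority labels inside
    the same extension, so no additional extension name exists."""
    prios: List[Priority] = []
    for label in cases:
        prios.append((None, f'GotoIf($["${{{var}}}" = "{label}"]?{label.lower()})'))
    prios.append((None, "Goto(default)"))
    for label, app in cases.items():
        prios.append((label.lower(), app))
        prios.append((None, "Hangup()"))  # stop fall-through into the next case
    prios.append(("default", default))
    return {exten: prios}


def render(ctx: Context) -> List[str]:
    """Emit extensions.conf-style lines for inspection."""
    lines: List[str] = []
    for name, prios in ctx.items():
        for i, (label, app) in enumerate(prios):
            prio = "1" if i == 0 else "n"
            if label is not None:
                prio += f"({label})"
            lines.append(f"exten => {name},{prio},{app}")
    return lines


def reachable_by_dialing(ctx: Context, dialed: str) -> bool:
    """Simplified reachability check: exact extension name match only."""
    return dialed in ctx


def generated_case_extensions(ctx: Context) -> List[str]:
    """Audit helper: extension names following the generated sw-<n>-<label>
    convention, i.e. case bodies a device in this context could dial directly."""
    return sorted(n for n in ctx if GENERATED_CASE.match(n))


# Constructed sample switch: route on ${switchvar} after a Dial() attempt
CASES = {"BUSY": "Voicemail(123,b)", "NOANSWER": "Voicemail(123,u)"}
DEFAULT = "Hangup()"

if __name__ == "__main__":
    risky = switch_as_extensions("123", "switchvar", CASES, DEFAULT)
    safe = switch_as_gotoif("123", "switchvar", CASES, DEFAULT)
    for line in render(risky) + [""] + render(safe):
        print(line)
    print("generated case extensions:", generated_case_extensions(risky))
    print("sw-2-BUSY dialable (extension layout):", reachable_by_dialing(risky, "sw-2-BUSY"))
    print("sw-2-BUSY dialable (GotoIf layout):", reachable_by_dialing(safe, "sw-2-BUSY"))
```

Running it prints both layouts; the audit helper is the piece worth keeping, since it lists exactly the generated names that a phone registered into the same context could reach, which is the exposure Philipp filed the bug about.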

