[asterisk-dev] Dialstring injection - security advisory release?
Russell Bryant
russell at digium.com
Thu Feb 11 17:34:37 CST 2010
On 02/11/2010 03:20 PM, Chris Lee wrote:
> If all variables are regarded as variables and not dialplan code then
> there is no problem.
> Why leave a potential security hole in the dialplan when it is possible
> to ensure that the dialplan does not act on code-like elements of the
> variables?
This is practically impossible to implement.
What characters are "special" is entirely defined in the application.
The pbx core handles dialplan extension matching, variable and function
substitution, and application execution. All substitution is taken care
of before Dial() (or any other application) is invoked.
So, there is no way for Dial() to have any idea how the string of
arguments it has received was generated, and there is absolutely no way
for the pbx core to know anything about how the string of arguments to
an application will be interpreted.
There really isn't much we can do in the core other than provide all of
the necessary tools to allow policy implementations by the dialplan writer.
Someone has suggested that we could blacklist the '&' character. Well,
sure, we could have an option to do that ... but that's really only one
example of the overall 'dialplan injection' vulnerability that we're
talking about. What about dialing "1234,,tT" to give yourself transfer
permissions? There are quite a number of possibilities.
--
Russell Bryant
Digium, Inc. | Engineering Manager, Open Source Software
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
www.digium.com -=- www.asterisk.org -=- blogs.asterisk.org
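As an added illustration of the point made above (not code from the thread or from Asterisk itself), the following Python model shows why the defence has to sit in the dialplan: the core expands `${EXTEN}` before Dial() runs, so Dial() only ever sees the finished argument string and parses "1234,,tT" or "1234&SIP/5678" as legitimate timeout/options or an extra dial leg. The names `substitute`, `parse_dial_args`, `allowlist_filter` and `dial_from_exten` are constructed; the filter mirrors what the dialplan FILTER() function does.

```python
import re

# Constructed model, not Asterisk source.  The core substitutes ${EXTEN} into
# the Dial() argument string first; Dial() then splits what it receives and
# cannot tell caller-supplied characters from dialplan-supplied ones.

DIAL_TEMPLATE = "SIP/${EXTEN}"   # the dialplan line Dial(SIP/${EXTEN})


def substitute(template: str, variables: dict) -> str:
    """Emulate core ${VAR} substitution, which runs before the application."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), ""), template)


def parse_dial_args(argstring: str) -> dict:
    """Emulate Dial()'s own split: 'Tech/res[&Tech/res...][,timeout[,options]]'."""
    fields = argstring.split(",")
    return {
        "dialstrings": fields[0].split("&") if fields[0] else [],
        "timeout": fields[1] if len(fields) > 1 else "",
        "options": fields[2] if len(fields) > 2 else "",
    }


def allowlist_filter(allowed: str, value: str) -> str:
    """Keep only characters in `allowed` (ranges like '0-9'), as FILTER() does."""
    keep = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            keep.update(chr(c) for c in range(ord(allowed[i]), ord(allowed[i + 2]) + 1))
            i += 3
        else:
            keep.add(allowed[i])
            i += 1
    return "".join(ch for ch in value if ch in keep)


def dial_from_exten(exten: str, sanitize: bool) -> dict:
    """Run a caller-supplied extension through substitution and Dial() parsing.

    sanitize=True corresponds to Set(EXTEN=${FILTER(0-9,${EXTEN})}) in the
    dialplan before the Dial() line; sanitize=False is the vulnerable form.
    """
    if sanitize:
        exten = allowlist_filter("0-9", exten)
    return parse_dial_args(substitute(DIAL_TEMPLATE, {"EXTEN": exten}))
```

With sanitize=False, "1234,,tT" yields options "tT" and "1234&SIP/5678" yields a second dial leg; with sanitize=True both collapse to a single SIP/1234 leg with no timeout or options.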