[asterisk-dev] Dialplan oddities with recent Asterisk ?
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Feb 12 05:52:16 CST 2010
Am 11.02.2010 13:49, schrieb Leif Madsen:
> Klaus Darilion wrote:
>> The vulnerability is not just the Dial application. Every dialplan
>> action which uses ${EXTEN} can be in danger!
>>
>> Of course it also depends on your PSTN connectivity if such patterns may
>> arrive at your Asterisk server. Maybe calls arrive via DUNDI? ....
>
> Well, a call doesn't arrive via DUNDi, it still arrives by the same methods as
> usual. DUNDi is just the lookup portion of the call to determine where Dial()
> places a call.
>
> Perhaps you meant "request" and not "call"?
Of course you are right.
I meant if an Asterisk box is configured to receive incoming calls from
more-or-less unknown persons routed by DUNDI (or ENUM), it might be
possible to call this certain Asterisk box and specify a target which
was not even announced.
E.g. somebody has the phone numbers +43123456[000-999]. These numbers
are announced via ENUM and DUNDI to let other people call in for free.
Therefore this box has a dialplan:
context fromUnauthorized {
_+43123456! => Dial(SIP/${EXTEN:9});
}
Thus, such a box would be vulnerable.
regards
klaus