[asterisk-dev] Dialstring injection - security advisory release?

Atis Lezdins atis at iq-labs.net
Mon Feb 22 13:01:30 CST 2010


On Mon, Feb 22, 2010 at 4:38 PM, Nick Lewis <Nick.Lewis at atltelecom.com> wrote:
>>The issue
>>that brought this to light is explicitly related to the Dial()
>>application and its sub-parsing of arguments. While this is
>>very common, and there are other applications that also use
>>'&' for sub-parsing, none of them are vulnerable to the sort of
>>attacks that Dial() is, and so escaping this character for them
>>is just wasteful and inefficient.
>
> Is it wise to have every function determine its own syntax for arrays?
> Perhaps native *dpl support for arrays would be worthwhile
>
>>Given that, I really can't see the justification for a massive,
>>system-wide audit of all possible characters that might be able
>>to be mis-used, and a subsequent automatic escaping of them,
>>necessitating significant dialplan changes for users upgrading
>>to a version containing these changes.
>
> Some have suggested a config option to reject all non-alphanumeric
> characters (even those that cannot currently be misused - avoiding the
> need for an audit). An alternative is to automatically escape all
> non-alphanumeric characters. This may require the programmer to manually
> escape some literals but seems less drastic.
>
> I accept that such a change may add work for those dialplan programmers
> that use 'strange' characters in their extensions but I suspect that it
> may reduce the work of most dialplan programmers who do not use
> 'strange' characters in their extensions and are just wanting to make
> their dialplans secure
>

Isn't the problem solved by using exact dialplan patterns only
allowing numbers or alpha-numeric characters? I have all calls going
through strict mask pattern, for example:

_XXXXX => internal calls
_18XXXXXXXXX => toll free calls

etc.

The problem is only when somebody uses the mask "_X." everywhere. As for
security, "." could change meaning to "any alpha-numeric character"
(with a setting to reverse functionality for those who really want weird
extensions), plus introduce a new symbol (let's assume question mark
"?") to match zero or more digits only. So, samples and everything
else could use _X?, which is safe at the very beginning. Additionally, if
necessary, a backward-compatible any-character match could be allowed by a new
symbol.

So:

_X? => Dial(SIP/${EXTEN}) ; - safe, accepts only digits
_X. =>  Dial(SIP/${EXTEN}) ; - safe, accepts only [0-9a-zA-Z#*]
_X* =>  Dial(SIP/${FILTER(${EXTEN})}) ; - also safe, bad characters are filtered out
_X* =>  Dial(SIP/${EXTEN}) ; - not safe. Documentation should issue a warning next to this, asking to re-consider and use only in combination with FILTER()

Regards,
Atis

-- 
Atis Lezdins,
VoIP Project Manager / Developer,
IQ Labs Inc,
atis at iq-labs.net
Skype: atis.lezdins
Cell Phone: +371 28806004
Cell Phone: +1 800 7300689
Work phone: +1 800 7502835
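The pattern-versus-FILTER() argument above, worked through as an added example that is not part of the thread or of Asterisk itself: a small Python simulation of the dialplan pattern classes (X, Z, N, ".") and of Dial()'s "&" sub-parsing, so a dialplan author can check whether a given pattern plus allowlist lets a caller-supplied ${EXTEN} reach Dial() as more than one call leg. The "?" digits-only wildcard is Atis's proposal, simulated here as an assumption; the sample extension strings are constructed.

```python
import re

# Simulated pattern classes: X=[0-9], Z=[1-9], N=[2-9], "."=one or more of anything,
# other characters literal. "?" (zero or more digits) is the proposed symbol from the
# mail, not real Asterisk syntax.
CLASS = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "?": "[0-9]*"}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an Asterisk-style '_' pattern into an anchored regular expression."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")  # plain extension: exact match
    body = "".join(CLASS.get(ch, re.escape(ch)) for ch in pattern[1:])
    return re.compile(body + r"\Z", re.DOTALL)


def matches(pattern: str, exten: str) -> bool:
    return pattern_to_regex(pattern).match(exten) is not None


def expand_allowed(spec: str) -> set:
    """Expand a FILTER()-style allowlist such as '0-9a-z#*' into a set of characters."""
    chars, i = set(), 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.update(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.add(spec[i])
            i += 1
    return chars


def asterisk_filter(allowed: str, value: str) -> str:
    """Mimic FILTER(allowedchars,string): drop every character outside the allowlist."""
    keep = expand_allowed(allowed)
    return "".join(ch for ch in value if ch in keep)


def dial_legs(pattern: str, exten: str, allowed: str = None) -> list:
    """Return the call legs Dial(SIP/${EXTEN}) would see for this pattern/allowlist,
    or [] when the pattern does not match. Dial() splits its first argument on '&'."""
    if not matches(pattern, exten):
        return []
    if allowed is not None:
        exten = asterisk_filter(allowed, exten)
    return ("SIP/" + exten).split("&")
```

A dialplan entry is safe when `dial_legs` never yields more than one leg for any input, as is the case for the strict `_XXXXX` pattern or for `_X.` combined with a digits-only allowlist.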
