[asterisk-dev] Dialstring injection - security advisory release?

Russell Bryant russell at digium.com
Tue Feb 23 09:08:03 CST 2010


----- "Leif Madsen" <leif.madsen at asteriskdocs.org> wrote:

> It also seems like you need to know a lot about someone's dialplan
> before being able to use this kind of attack. If you're not allowing guest access
> to your system (and subsequently not allowing guests to dial out from your
> system), then you need to be authenticated.

What about companies that allow themselves to be called via SIP URI dialing?  How common is that these days?  Is it increasing?  We certainly allow guest VoIP calls to Digium (see the "demo" in the sample dialplan of every Asterisk version since I have been around, at least).

If this kind of access is available, then you don't need to know much.  An exploit of a SIP trunk would obviously require some knowledge, but not for TDM access.  What percentage of PRIs out there do you think are accessed by dialing DAHDI/g0/${FOO}  (a vast majority, I would guess).

> If someone is able to authenticate to your system who shouldn't be,
> then that's another entire issue. If someone who is supposed to authenticate to
> you and is also sending an attack such as this, then perhaps you have bigger
> issues to deal with.
> 
> While there is the possibility for "bad things" to happen, it feels as though a
> practical attack of this nature is a remote possibility.

A useful exploit of a buffer overflow vulnerability takes much more sophistication than an exploit based on this issue, yet we (justifiably so) take those issues _VERY_ seriously.  I don't think this issue should be discounted.

--
Russell Bryant
Digium, Inc. | Engineering Manager, Open Source Software
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
www.digium.com -=- www.asterisk.org -=- blogs.asterisk.org
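The pattern Russell describes, Dial(DAHDI/g0/${FOO}) with a caller-controlled variable, is shown below beside a hardened form. This is an added illustration, not dialplan from the thread or from Asterisk's sample configuration; the context name, the use of ${EXTEN} as the untrusted variable and the named priority are assumptions.

```ini
; Constructed example for extensions.conf (not from the original thread).
[from-trunk-weak]
; Whatever the remote party put in the dialed number is spliced straight into
; the dial string, so any "/" and text after it is handed to the Dial
; application as part of the dial string rather than as digits.
exten => _X.,1,Dial(DAHDI/g0/${EXTEN})
exten => _X.,n,Hangup()

[from-trunk-hardened]
; Keep only digits before building the dial string; FILTER() drops every
; character outside the allowed set.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; If anything was stripped, the request was not a plain number: log and drop
; it instead of dialing a "cleaned" version the caller never asked for.
exten => _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten => _X.,n,Dial(DAHDI/g0/${SAFE_EXTEN})
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected dial string with non-digit characters: ${EXTEN})
exten => _X.,n,Hangup()
```

The same allowlist step applies to any channel technology where the dialed number is concatenated into the Dial() argument, not only DAHDI.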