[asterisk-dev] Dialstring injection - security advisory release?

Leif Madsen leif.madsen at asteriskdocs.org
Tue Feb 23 10:43:36 CST 2010


Russell Bryant wrote:
> ----- "Leif Madsen" <leif.madsen at asteriskdocs.org> wrote:
> 
>> It also seems like you need to know a lot about someone's dialplan
>> before being able to use this kind of attack. If you're not allowing guest access
>> to your system (and subsequently not allowing guests to dial out from your
>> system), then you need to be authenticated.
> 
> What about companies that allow themselves to be called via SIP URI dialing? How common is that these days? Is it increasing? We certainly allow guest VoIP calls to Digium (see the "demo" in the sample dialplan of every Asterisk version since I have been around, at least).
> 
> If this kind of access is available, then you don't need to know much. An exploit of a SIP trunk would obviously require some knowledge, but not for TDM access. What percentage of PRIs out there do you think are accessed by dialing DAHDI/g0/${FOO}? (A vast majority, I would guess.)

How many of those companies with guest access are allowing outbound dialing from 
the guest account though? I'd hope closer to zero than to one :)

>> If someone is able to authenticate to your system who shouldn't be,
>> then that's another entire issue. If someone who is supposed to authenticate to
>> you and is also sending an attack such as this, then perhaps you have bigger
>> issues to deal with.
>>
>> While there is the possibility for "bad things" to happen, it feels as though a
>> practical attack of this nature is a remote possibility.
> 
> A useful exploit of a buffer overflow vulnerability takes much more sophistication than an exploit based on this issue, yet we (justifiably so) take those issues _VERY_ seriously. I don't think this issue should be discounted.

I certainly agree with that.

Leif Madsen.
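The DAHDI/g0/${FOO} pattern Russell refers to, placed beside a filtered version, as an added illustration for readers of this thread. This is not dialplan from the thread, from Digium's sample configuration, or from any Asterisk advisory; the context names are invented, and the only Asterisk feature it relies on is the standard FILTER() dialplan function, which returns its second argument with every character outside the listed set removed.

```ini
; Added example, not from the thread or the Asterisk project.
; The pattern "_X." matches a leading digit followed by one or more
; characters of ANY kind, so ${EXTEN} carries whatever the remote
; party placed in the request URI, and Dial() receives it unchanged.
[guest-unfiltered]
exten => _X.,1,Dial(DAHDI/g0/${EXTEN})
exten => _X.,2,Hangup()

; Hardened form: FILTER(0-9,...) keeps only digits, so the dialstring
; handed to Dial() cannot contain any character that Dial() interprets
; specially. An empty result means nothing dialable survived.
[guest-filtered]
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten => _X.,2,GotoIf($["${SAFE_EXTEN}" = ""]?hangup)
exten => _X.,3,Dial(DAHDI/g0/${SAFE_EXTEN})
exten => _X.,4(hangup),Hangup()
```

The filtering is the mitigation for the specific issue; the point Leif makes still stands on its own, which is that a context reachable by unauthenticated guests should not include a trunk destination in the first place. Restricting what a pattern can match (for example a fixed-length digit pattern such as _XXXX rather than _X.) is a second, independent layer that can be applied in addition to FILTER().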