[asterisk-dev] Dialstring injection - security advisory release?

Nick Lewis Nick.Lewis at atltelecom.com
Tue Feb 23 12:02:38 CST 2010


>A useful exploit of a buffer overflow 
>vulnerability takes much more 
>sophistication than an exploit based on 
>this issue, yet we (justifiably so) take 
>those issues _VERY_ seriously.  I don't 
>think this issue should be discounted.

I am glad that this issue is being taken seriously.

Perhaps it would be possible to see "&" protected in the same way that I
assume "," and "|" are, possibly by autoescaping them. It is agreed that
the main vulnerability is in the Dial() application. It should be
straightforward to introduce new code in app_dial.c that disregards
escaped characters as syntax in place of the current parsing code:

while ((cur = strsep(&rest, "&"))) {
...
}

(perhaps it could be done crudely after strsep with a check for the
presence of '\' at cur-2 and, if so, the restoration of '&' at cur-1)

-- N_L
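The injection and the two fixes discussed above, as an added example that is not Asterisk's app_dial.c and not the poster's code: a naive split modelled on the quoted strsep() loop beside an escape-aware split, plus an escaping routine for untrusted input. The "SIP/<user>" template (standing in for a dialplan line such as Dial(SIP/${EXTEN})), the backslash escape convention and the channel names are assumptions made for illustration.

```c
#define _GNU_SOURCE          /* strsep()/strdup() under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TARGETS 8
#define TARGET_LEN  128

/* Naive split modelled on the strsep(&rest, "&") loop quoted in the mail:
 * every '&' starts a new dial target, so an injected '&' adds a destination. */
int split_naive(const char *dialstr, char out[][TARGET_LEN], int max)
{
    char *buf = strdup(dialstr);
    char *rest = buf, *cur;
    int n = 0;

    if (buf == NULL)
        return 0;
    while (n < max && (cur = strsep(&rest, "&")) != NULL)
        snprintf(out[n++], TARGET_LEN, "%s", cur);
    free(buf);
    return n;
}

/* Escape-aware split (assumed convention): "\&" is a literal '&' inside a
 * target and "\\" a literal backslash; only an unescaped '&' separates
 * targets.  Consuming each escape as a unit while scanning left to right
 * also handles "\\&" (escaped backslash followed by a real separator). */
int split_escaped(const char *dialstr, char out[][TARGET_LEN], int max)
{
    int n = 0, len = 0;
    const char *p;

    if (max <= 0)
        return 0;
    for (p = dialstr; *p; p++) {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {
            c = *++p;                  /* escaped character: keep it literally */
        } else if (c == '&') {
            out[n][len] = '\0';        /* unescaped '&': close this target */
            if (++n >= max)
                return n;              /* targets beyond max are dropped */
            len = 0;
            continue;
        }
        if (len < TARGET_LEN - 1)
            out[n][len++] = c;
    }
    out[n][len] = '\0';
    return n + 1;
}

/* Escape untrusted text before it is spliced into a dial string, so that any
 * '&' (or '\') it carries stays data instead of becoming syntax. */
void escape_arg(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    for (; *in && o + 2 < outsz; in++) {
        if (*in == '&' || *in == '\\')
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
}

/* Build "SIP/<user>" from an untrusted user part and return how many targets
 * would be dialled.  hardened=0: raw concatenation + naive split (current
 * behaviour); hardened=1: escape the input + escape-aware split (proposed).
 * The first resulting target is copied into first[]. */
int build_and_split(const char *user, int hardened, char *first, size_t firstsz)
{
    char safe[TARGET_LEN], dialstr[TARGET_LEN + 8];
    char targets[MAX_TARGETS][TARGET_LEN];
    int n;

    if (hardened) {
        escape_arg(user, safe, sizeof safe);
        snprintf(dialstr, sizeof dialstr, "SIP/%s", safe);
        n = split_escaped(dialstr, targets, MAX_TARGETS);
    } else {
        snprintf(dialstr, sizeof dialstr, "SIP/%s", user);
        n = split_naive(dialstr, targets, MAX_TARGETS);
    }
    snprintf(first, firstsz, "%s", n > 0 ? targets[0] : "");
    return n;
}

/* Helpers for checks: number of targets, and whether the first one matches. */
int target_count(const char *user, int hardened)
{
    char first[TARGET_LEN];
    return build_and_split(user, hardened, first, sizeof first);
}

int first_target_equals(const char *user, int hardened, const char *expected)
{
    char first[TARGET_LEN];
    build_and_split(user, hardened, first, sizeof first);
    return strcmp(first, expected) == 0;
}

int main(void)
{
    /* Constructed attacker-controlled value: a real user followed by an
     * injected second destination. */
    const char *injected = "alice&Local/900@from-internal";
    char first[TARGET_LEN];
    int n;

    n = build_and_split(injected, 0, first, sizeof first);
    printf("naive:    %d target(s), first = %s\n", n, first);
    n = build_and_split(injected, 1, first, sizeof first);
    printf("hardened: %d target(s), first = %s\n", n, first);
    return 0;
}
```

With the naive split the constructed input yields two targets and the injected Local channel is dialled; with escaping plus the escape-aware split it yields one target whose name simply fails to match any channel. Scanning for escapes as the string is consumed, rather than inspecting cur-2 after strsep() has already cut the string, avoids misreading a "\\&" sequence where the backslash before the '&' is itself escaped.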
