[asterisk-dev] Dialstring injection - security advisory release?

Chris Mylonas chris at opencsta.org
Thu Feb 25 05:47:10 CST 2010


Please also note that in my testing of the exploit:

_X.  with Dial(<tech>/${EXTEN})  is the potential exploit.
_1X. is not
_2X. is not
_3X. is not
..
..
_9X. is not
_0X. is not


It's only the _X. pattern. (I have not tested _ZX.)


Please don't rely on this alone.  Test it yourself and confirm/knock-down
this.

[test-exploit2]
exten = _X.,1,NoOp(################ TEST THAT THREAT)
exten = _X.,n,NoOp(################ TEST THAT THREAT)
exten = _X.,n,NoOp(################ TEST THAT THREAT)
exten = _X.,n,NoOp(################ TEST THAT THREAT)
exten = _X.,n,NoOp(################ EXTEN: ${EXTEN})
exten = _X.,n,Dial(SIP/${EXTEN})
exten = _X.,n,Hangup

[test-exploit3]
exten = _1X.,1,NoOp(################ TEST THAT THREAT)
exten = _1X.,n,NoOp(################ TEST THAT THREAT)
exten = _1X.,n,NoOp(################ TEST THAT THREAT)
exten = _1X.,n,NoOp(################ TEST THAT THREAT)
exten = _1X.,n,NoOp(################ EXTEN: ${EXTEN})
exten = _1X.,n,Dial(SIP/${EXTEN})
exten = _1X.,n,Hangup

[test-exploit4]
exten = _ZX.,1,NoOp(################ TEST THAT THREAT)
exten = _ZX.,n,NoOp(################ TEST THAT THREAT)
exten = _ZX.,n,NoOp(################ TEST THAT THREAT)
exten = _ZX.,n,NoOp(################ TEST THAT THREAT)
exten = _ZX.,n,NoOp(################ EXTEN: ${EXTEN})
exten = _ZX.,n,Dial(SIP/${EXTEN})
exten = _ZX.,n,Hangup



Cheers
Chris

On Thu, Feb 25, 2010 at 9:22 PM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:

> Atis Lezdins <atis at iq-labs.net> writes:
>
> > Isn't the problem solved by using exact dialplan patterns only
> > allowing numbers or alpha-numeric characters? I have all calls going
> > through strict mask pattern, for example:
> >
> > _XXXXX => internal calls
> > _18XXXXXXXXX => toll free calls
>
> Many countries have variable-length numbers.
>
>
> /Benny
>
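As an added example that is not part of Chris's post or the quoted thread, here is the [test-exploit2] context above rewritten so that ${EXTEN} is reduced to digits with Asterisk's FILTER() function before it reaches Dial(); the context name, the SAFE_EXTEN variable and the "reject" label are assumptions chosen for this illustration.

```ini
[test-exploit2-hardened]
; Added example (not from the original post): keeps the same _X. pattern
; but never passes the raw ${EXTEN} into the Dial() technology string.
exten = _X.,1,NoOp(################ RAW EXTEN: ${EXTEN})
; FILTER(allowed,string) drops every character not in the allowed set,
; so only 0-9 can survive into the dial string.
exten = _X.,n,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
exten = _X.,n,NoOp(################ FILTERED EXTEN: ${SAFE_EXTEN})
; If filtering changed anything, the caller supplied non-digit characters:
; log it and refuse the call rather than dialing a silently rewritten number.
exten = _X.,n,GotoIf($["${SAFE_EXTEN}" != "${EXTEN}"]?reject)
exten = _X.,n,Dial(SIP/${SAFE_EXTEN})
exten = _X.,n,Hangup()
exten = _X.,n(reject),NoOp(################ REJECTED: non-digit characters in EXTEN)
exten = _X.,n,Hangup()
```

The NoOp lines mirror the originals so the raw and filtered values can be compared in the Asterisk console while re-running the same test calls against each context.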