[asterisk-dev] Dialstring injection - security advisory release?
Tilghman Lesher
tlesher at digium.com
Thu Feb 25 07:54:08 CST 2010
On Thursday 25 February 2010 05:47:10 Chris Mylonas wrote:
> Please also note that in my testing of the exploit:
>
> _X. with Dial(<tech>/${EXTEN}) is the potential exploit.
> _1X. is not
> _2X. is not
> _3X. is not
> ..
> ..
> _9X. is not
> _0X. is not
This is incorrect. All that additional prefixes require is that additional
numbers be prefixed to the attack string.
However, there IS another limit that potential attackers face: extensions
have a maximum limit of 79 characters (excluding NULL terminator). If you ran
enough prefix characters (about 70 or so), an attacker would not have enough
space to append the target string.
--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
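The point in dispute above (whether a fixed digit prefix in the pattern stops the injection, and what the 79-character extension limit does to the attacker) is easier to see with a small model. The following Python is an added example, not Asterisk code and not posted by anyone in this thread. It implements a simplified version of Asterisk's pattern grammar (X, Z, N, character sets, `.` and `!`), builds the `Dial(SIP/${EXTEN})` string the way the dialplan would, and splits it on `&` the way Dial() does to find extra channels. The 79-character cap comes from the message above; the trunk names and attack strings are constructed for illustration, and the digit-only filter is a model of the sanitising step a dialplan author would apply (the shape of Asterisk's FILTER() function), not the application's own implementation.

```python
"""Model of how a dialstring injection survives (or fails) pattern matching.

Added example. Assumptions: the pattern grammar is a simplified version of
Asterisk's; MAX_EXTEN_LEN is the 79-character limit quoted in the thread;
trunk names and dialled numbers are made up for illustration.
"""
import re

MAX_EXTEN_LEN = 79  # characters, excluding the NUL terminator (per the thread)


def pattern_to_regex(pattern: str) -> str:
    """Translate a dialplan pattern such as '_1X.' into an anchored regex."""
    if not pattern.startswith("_"):
        return "^" + re.escape(pattern) + "$"  # literal extension, no wildcards
    out, i, body = [], 0, pattern[1:]
    while i < len(body):
        c = body[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == "[":  # explicit character set, copied through as-is
            end = body.index("]", i)
            out.append(body[i:end + 1])
            i = end
        elif c == ".":  # one or more of anything (including '&' and '/')
            out.append(".+")
        elif c == "!":  # zero or more of anything
            out.append(".*")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def matches(pattern: str, exten: str) -> bool:
    return re.fullmatch(pattern_to_regex(pattern), exten) is not None


def dial_targets(tech: str, exten: str) -> list:
    """Dial(<tech>/${EXTEN}): '&' separates channels, so an injected '&'
    makes Dial() ring a second, attacker-chosen destination."""
    return f"{tech}/{exten}".split("&")


def filter_digits(exten: str) -> str:
    """Model of sanitising ${EXTEN} to digits only before it reaches Dial()."""
    return "".join(ch for ch in exten if ch in "0123456789")


def injection_succeeds(pattern: str, exten: str, tech: str = "SIP") -> bool:
    """True if the attacker's extension fits the buffer, matches the pattern,
    and causes Dial() to ring more than one channel."""
    if len(exten) > MAX_EXTEN_LEN:
        return False  # would not fit in the extension buffer
    if not matches(pattern, exten):
        return False  # never reaches this Dial() line
    return len(dial_targets(tech, exten)) > 1


if __name__ == "__main__":
    attack = "5&SIP/trunk/19005551212"          # constructed attack string
    print("_X.  :", injection_succeeds("_X.", attack))          # True
    print("_1X. :", injection_succeeds("_1X.", attack))         # False
    print("_1X. + prefixed 1:", injection_succeeds("_1X.", "1" + attack))  # True
    prefix = "1" * 70
    print("70-char prefix:",
          injection_succeeds("_" + prefix + "X.", prefix + attack))  # False, too long
    print("filtered:", dial_targets("SIP", filter_digits("1" + attack)))
```

Running it shows the two claims side by side: `_1X.` rejects `5&SIP/trunk/...` only until the attacker prepends a `1`, whereas a pattern with seventy literal digits leaves no room in the 79-character buffer for the `&SIP/trunk/...` tail. Sanitising `${EXTEN}` to digits before Dial() collapses the string to a single channel regardless of the pattern.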