[asterisk-dev] Dialstring injection - security advisory release?

Chris Mylonas chris at opencsta.org
Thu Feb 25 16:49:20 CST 2010


Yep.  I was wrong - sorry to add extra noise to the discussion
Thanks,


Cheers
Chris



On Fri, Feb 26, 2010 at 12:54 AM, Tilghman Lesher <tlesher at digium.com>wrote:

> On Thursday 25 February 2010 05:47:10 Chris Mylonas wrote:
> > Please also note that in my testing of the exploit:
> >
> > _X.  with Dial(<tech>/${EXTEN})  is the potential exploit.
> > _1X. is not
> > _2X. is not
> > _3X. is not
> > ..
> > ..
> > _9X. is not
> > _0X. is not
>
> This is incorrect.  All that additional prefixes require is that additional
> numbers be prefixed to the attack string.
>
> However, there IS another limit that potential attackers face:  extensions
> have a maximum limit of 79 characters (excluding NULL terminator).  If you
> ran
> enough prefix characters (about 70 or so), an attacker would not have
> enough
> space to append the target string.
>
> --
> Tilghman Lesher
> Digium, Inc. | Senior Software Developer
> twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
> Check us out at: www.digium.com & www.asterisk.org
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-dev/attachments/20100226/5d1de8c2/attachment.htm 


More information about the asterisk-dev mailing list