[asterisk-dev] Dialstring injection - security advisory release?

BJ Weschke bweschke at gmail.com
Thu Feb 25 19:04:36 CST 2010


On Tue, Feb 23, 2010 at 11:56 AM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> Leif Madsen wrote:
>
>> How many of those companies with guest access are allowing outbound dialing from
>> the guest account though? I'd hope closer to zero than to one :)
>
> That's the whole point! If the context that 'guest' calls land in does
> not have 'outbound dialing access' (meaning it doesn't have any
> extensions that can be dialed that dial out through DAHDI/g0), but it
> does have an _X. extension that can be used to dial 'internal
> extensions' in the PBX, then it's vulnerable! A guest caller can 'call'
> "201&DAHDI/g0/19769769767" and they are using the system in a way it was
> not intended.
>


 Right. It's been quite a while since I've looked at AsteriskNow or
other "plug and play" PBX setups based on Asterisk, but I'd venture to
guess these systems all fall prey to one or more of the following
below:

 a) the use of common context names from a "canned" dialplan with no FILTER/etc
 b) guest SIP URI dialing being allowed
 c) you're an admin that takes the attitude of "it's my PBX, it works
so I don't need to update it"

There's likely a worm or something else coming in the not too distant
future that's going to make life miserable for this audience, and they
probably don't even know it.

 That being said, is/was the canned dial plan from AsteriskNow ever
vulnerable and I trust it has been protected already if so? :-)

 BJ

-- 
Bird's The Word Technologies, Inc.
http://www.btwtech.com/
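An added example, not taken from this thread or from the Asterisk project, of the pattern Kevin describes above, written as an extensions.conf fragment: the first context has the catch-all _X. extension that hands the raw dialed string to Dial(), so a string such as the "201&DAHDI/g0/..." one quoted above becomes a second, outbound channel; the second context runs the dialed string through FILTER, rejects the call when anything was stripped, and then only dials an internal extension range. The context names, the 2XX internal range, the SIP peer naming and the 30-second ring timeout are assumptions.

```ini
; Added example (not from the thread): guest context with the
; dialstring-injection weakness.
[guest-vulnerable]
; _X. matches "201&DAHDI/g0/19769769767" just as well as "201", and ${EXTEN}
; reaches Dial() unchanged, so the "&" starts a second channel on DAHDI/g0.
exten => _X.,1,Dial(SIP/${EXTEN},30)
exten => _X.,n,Hangup()

; Hardened guest context: only digits may reach Dial().
[guest-hardened]
; FILTER keeps only the allowed characters (digits here). If the result
; differs from what was dialed, something was injected: drop the call.
exten => _X.,1,Set(CLEAN=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($["${CLEAN}" != "${EXTEN}"]?reject)
; Even with a clean string, only the assumed internal range 2XX is allowed.
exten => _X.,n,GotoIf($["${CLEAN:0:1}" != "2" | ${LEN(${CLEAN})} != 3]?reject)
exten => _X.,n,Dial(SIP/${CLEAN},30)
exten => _X.,n,Hangup()
; Log rejected attempts so they show up in the Asterisk log for review.
exten => _X.,n(reject),Log(WARNING,Rejected guest dial attempt: ${EXTEN})
exten => _X.,n,Hangup()
```

Putting guest calls in their own context that contains nothing but these lines, and replacing _X. with an explicit pattern such as _2XX, narrows the exposure further; the FILTER check is what stops a valid-looking extension from carrying an extra channel into Dial().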
