<span style="font-family: courier new,monospace;"><font face="arial,helvetica,sans-serif">Summary:<br>README-SERIOUSLY.txt might need a bit of adjusting - the suggestion doesn't seem to work as expected. Who tested it?<br>
</font></span><span style="font-family: courier new,monospace;">exten = _X.,n,Dial(SIP/${FILTER(0-9,${EXTEN})}) - will stop the calls (all of them)<br></span><span style="font-family: courier new,monospace;">exten = _X.,n,Dial(SIP/${FILTER(${EXTEN})}) - turns ${EXTEN} to an empty string</span> <br>
<span style="font-family: courier new,monospace;">exten = _X.,n,Dial(SIP/${EXTEN}) - exploit is executed as expected when ${EXTEN}</span><br><span style="font-family: courier new,monospace;"><font face="arial,helvetica,sans-serif"><br>
<br>Rant:<br>G'day list,<br><br>It's late, and my better half rang about an hour ago to come home. I said 20 minutes, she said 10. So either way, I've gotta do some sweet-talking (luckily I've eaten, otherwise it's cooking too)<br>
<br>Here is my test dialplan code:<br></font><br>[test-exploit2]<br>exten = _X.,1,NoOp(################ TEST THAT THREAT)<br>exten = _X.,n,NoOp(################ TEST THAT THREAT)<br>exten = _X.,n,NoOp(################ TEST THAT THREAT)<br>
exten = _X.,n,NoOp(################ TEST THAT THREAT)<br>exten = _X.,n,NoOp(################ EXTEN: ${EXTEN})<br>exten = _X.,n,Dial(SIP/${FILTER(0-9,${EXTEN})})<br>exten = _X.,n,Hangup<br><br><br><br><font face="arial,helvetica,sans-serif">Here is the asterisk CLI output. My dialstring was 7878&SIP/MYPROVIDER/0433998648 which got filtered down to 78780433998648 - so at least there's no toll fraud.<br>
<br>I've got to say, for my first test - this appears to be a really hard thing to crack into.<br>1. You have to know the outbound trunk you want to target - Zap/g0 would be the easiest. SIP/IAX2 you'd have to guess the trunk name.<br>
2. _X. has to be in the dialplan.<br>3. _1123X. is not subject to this exploit. Only _X.<br>4. Anonymous calling or a pretty insecure box would have to be available. Weak passwords would probably have to be the shortest route to getting entry into a box to have a shot at running this exploit.<br>
</font><br><br><br><br><br>ASTERISK CLI:<br> -- Executing [7878&SIP/ENGIN/0433998648@test-exploit2:1] NoOp("SIP/7801-00000047", "################ TEST THAT THREAT") in new stack<br> -- Executing [7878&SIP/MYPROVIDER/0433998648@test-exploit2:2] NoOp("SIP/7801-00000047", "################ TEST THAT THREAT") in new stack<br>
-- Executing [7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648@test-exploit2:3] NoOp("SIP/7801-00000047", "################ TEST THAT THREAT") in new stack<br>
-- Executing [7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648@test-exploit2:4] NoOp("SIP/7801-00000047", "################ TEST THAT THREAT") in new stack<br>
-- Executing [7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648@test-exploit2:5] NoOp("SIP/7801-00000047", "################ EXTEN: 7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648") in new stack<br>
-- Executing [7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648@test-exploit2:6] Dial("SIP/7801-00000047", "SIP/78780433998648") in new stack<br>
== Using SIP RTP TOS bits 184<br> == Using SIP RTP CoS mark 5<br> == Everyone is busy/congested at this time (1:0/0/1)<br> -- Executing [7878&SIP/</span><span style="font-family: courier new,monospace;">MYPROVIDER</span><span style="font-family: courier new,monospace;">/0433998648@test-exploit2:7] Hangup("SIP/7801-00000047", "") in new stack<br>
<br><br><br><font face="arial,helvetica,sans-serif">I'd prepare something a little more nicely laid out - but I wanna GTFO :)<br><br><br>All the talk of "safe" equivalents makes me think of my safe word - blueberry muffins!<br>
<br><br>Don't hate on me for trying to be funny ;)<br><br>Cheers<br>Chris<br><br></font><br></span><br><br><div class="gmail_quote">On Tue, Feb 23, 2010 at 6:29 PM, Pavel Troller <span dir="ltr"><<a href="mailto:patrol@sinus.cz">patrol@sinus.cz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="h5">><br>
><br>
> Am 22.02.2010 20:01, schrieb Atis Lezdins:<br>
> > On Mon, Feb 22, 2010 at 4:38 PM, Nick Lewis<<a href="mailto:Nick.Lewis@atltelecom.com">Nick.Lewis@atltelecom.com</a>> wrote:<br>
> ..<br>
> >> I accept that such a change may add work for those dialplan programmers<br>
> >> that use 'strange' characters in their extensions but I suspect that it<br>
> >> may reduce the work of most dialplan programmers who do not use<br>
> >> 'strange' characters in their extensions and are just wanting to make<br>
> >> their dialplans secure<br>
> >><br>
> ><br>
> > Isn't the problem solved by using exact dialplan patterns only<br>
> > allowing numbers or alpha-numeric characters? I have all calls going<br>
> > through strict mask pattern, for example:<br>
> ><br>
> > _XXXXX => internal calls<br>
> > _18XXXXXXXXX => toll free calls<br>
> ><br>
> > etc.<br>
> ><br>
> > The problem is only when somebody uses mask "_X." everywhere. As for<br>
> > security "." could change meaning to "any alpha-numeric character"<br>
> > (with setting to reverse functionality for those who really want weird<br>
> > extensions), plus introduce a new symbol (let's assume question mark<br>
> > "?") to match zero or more digits only. So, samples and everything<br>
> > else could use _X? which is safe at very beginning. Additionally if<br>
> > necessary backward compatible any-character could be allowed by new<br>
> > symbol.<br>
> ><br>
> > So:<br>
> ><br>
> > _X? => Dial(SIP/${EXTEN}) ; - safe, accepts only digits<br>
> > _X. => Dial(SIP/${EXTEN}) ; - safe, accepts only [0-9a-zA-Z#*]<br>
> > _X* => Dial(SIP/${FILTER(${EXTEN})}) ; - also safe, bad characters<br>
> > are filtered out<br>
> > _X* => Dial(SIP/${EXTEN}) ; - not safe. Documentation should issue<br>
> > warning next to this, asking to re-consider and use only in<br>
> > combination with FILTER()<br>
><br>
> This was already suggested by several other people, but not yet<br>
> implemented :-(<br>
><br>
> regards<br>
> klaus<br>
><br>
</div></div>Hi!<br>
Please also don't forget that now we have two pattern matchers, i.e.<br>
".", which collects digits, and "!", which triggers as soon as the match is<br>
complete, so we need TWO new symbols for their "safe" equivalents.<br>
<br>
With regards, Pavel.<br>
<div><div></div><div class="h5"><br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div></div></blockquote></div><br>
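As an added illustration (not from this thread or from Asterisk's own source), a small Python model of the three pieces the discussion turns on: how the <code>_X.</code> pattern admits an ${EXTEN} containing <code>&amp;</code> while strict patterns like <code>_XXXXX</code> do not, how Dial() splits that string into two channels, and what FILTER(0-9,...) leaves behind. <code>pattern_to_regex</code>, <code>asterisk_filter</code> and <code>dial_targets</code> are simplified approximations of Asterisk's behaviour, not its code.

```python
import re

# Asterisk extension-pattern characters (approximation, not Asterisk's matcher):
#   X = any digit 0-9, Z = 1-9, N = 2-9, . = one or more of ANY character, ! = zero or more.
# The '.' wildcard is the crux of the thread: it also admits '&' and '/'.
def pattern_to_regex(pattern):
    """Translate a dialplan pattern such as '_X.' or '_1123X.' into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile("^" + re.escape(pattern) + "$")  # literal extension
    parts = []
    for ch in pattern[1:]:
        if ch == "X":
            parts.append("[0-9]")
        elif ch == "Z":
            parts.append("[1-9]")
        elif ch == "N":
            parts.append("[2-9]")
        elif ch == ".":
            parts.append(".+")
        elif ch == "!":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def matches(pattern, exten):
    """True if the dialed string would be routed by this pattern."""
    return pattern_to_regex(pattern).match(exten) is not None

def asterisk_filter(allowed, value):
    """Model of FILTER(allowed-chars,string): keep only characters in the allowed set.
    Supports ranges like '0-9'; an empty allowed set yields an empty string, which is
    what the thread observed for FILTER(${EXTEN}) with no character list."""
    keep = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            keep.update(chr(c) for c in range(ord(allowed[i]), ord(allowed[i + 2]) + 1))
            i += 3
        else:
            keep.add(allowed[i])
            i += 1
    return "".join(c for c in value if c in keep)

def dial_targets(dialstring):
    """Dial() treats '&' as the separator between channels to ring at once."""
    return dialstring.split("&")

# The dial string from the CLI transcript above.
INJECTED = "7878&SIP/MYPROVIDER/0433998648"

if __name__ == "__main__":
    print(matches("_X.", INJECTED), matches("_XXXXX", INJECTED))    # True False
    print(dial_targets("SIP/" + INJECTED))                            # ['SIP/7878', 'SIP/MYPROVIDER/0433998648']
    print(dial_targets("SIP/" + asterisk_filter("0-9", INJECTED)))   # ['SIP/78780433998648']
```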