[asterisk-users] VPN between Asterisk server and phone client

Salvatore Giudice Salvatore.Giudice at VoIPSecurityTraining.com
Wed May 2 18:31:03 MST 2007


Any network service could potentially harbor a buffer overflow, etc., that
could result in remote command execution. Provided someone finds a similar
bug and it's exploitable, they would theoretically be able to spawn a shell
with the same rights as Asterisk. Generally, it's better to run services as
nobody. I would be hesitant to allow management of VPNs from within
Asterisk.

Check out this link: http://mixter.void.ru/exploit.html
It's a basic tutorial on writing shell code for buffer overflows. The basic
idea is you find some condition where you can cause the application to seg
fault and if you are lucky, it will allow you to write your shell code to
memory, gain control of the stack pointer, and make your shell code run.
These types of exploits have to be tailored to specific OSes and
architectures. Shellcode that works on a BSD system will not work on Solaris
or Redhat, etc. Generally you can reuse the delivery code by swapping out
the shell code for whatever you are attacking.

I'm not stating these currently exist in Asterisk, but theoretically it is
likely and we just don't know about it yet. Prudence suggests that we don't
help the hackers any more than we have to in case they find it first. I
think it would be really difficult to lock down VPN if Asterisk manages its
operation. Asterisk would have to have execution rights to the VPN binaries
or an intermediate script at the very least.

Just my 2 cents. 

--------------------------------------------------
Salvatore Giudice
Salvatore.Giudice at VoIPSecurityTraining.com

VoIP Security Training, LLC
http://VoIPSecurityTraining.com

848 N. Rainbow Blvd. #1676
Las Vegas, NV 89107
Phone: (617) 959-7625
Fax: (214) 279-2906


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Kai-Uwe Jensen
Sent: Wednesday, May 02, 2007 8:13 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] VPN between Asterisk server and phone client

On 5/2/07, Salvatore Giudice <Salvatore.Giudice at voipsecuritytraining.com> wrote:
> If you run it on the fly, doesn't that mean that the Asterisk user will have
> permissions to configure VPNs? Nobody sees a problem with that? I'm thinking
> that if you knock over the Asterisk service and get shell execution rights
> as Asterisk, you could be able to start tunnels for things other than voice.
> It's like giving a hacker a great way to hide their activities from your IDS
> without having to bother to get root first to install an encrypted data
> pipe.

That's true, the asterisk user needs to be able to invoke the
"start_vpn" script or program. That does not mean that the asterisk
user will have to have superuser rights to configure VPNs. You could
make the start_vpn program setuid to a user that has those rights (and
in that case, you probably don't want start_vpn to be a script). Also,
openvpn typically starts "predefined" VPNs. To define a new one,
someone would have to have access to the file system.

When you say "knock over the Asterisk service and get shell execution
rights", how would that happen, exactly? I can think of DoS attacks
and other stuff, but am wondering how "knocking over Asterisk" will
give someone shell execution rights? As I said above, you would want
to make the function to start a VPN connection as safe as possible.
That would include NOT using scripts, and employing other verification
methods.
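
The compiled, non-script start_vpn helper discussed in this thread, sketched as an added example that is not part of either poster's message and not code from Asterisk or OpenVPN. The tunnel names, the /etc/openvpn config directory and the /usr/sbin/openvpn path are assumptions; the point is that the unprivileged caller can only select one of the predefined tunnels.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical predefined tunnels; a real deployment lists its own. */
static const char *const ALLOWED_TUNNELS[] = { "phone-office", "phone-remote" };
#define N_ALLOWED (sizeof ALLOWED_TUNNELS / sizeof ALLOWED_TUNNELS[0])

/* Returns the index of an exactly matching predefined tunnel, or -1. */
int tunnel_index(const char *name)
{
    if (name == NULL)
        return -1;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strcmp(name, ALLOWED_TUNNELS[i]) == 0)
            return (int)i;
    return -1;
}

/* Builds the config path from the allowlist entry, never from caller input. */
int config_path(int idx, char *out, size_t outlen)
{
    if (idx < 0 || (size_t)idx >= N_ALLOWED)
        return -1;
    int n = snprintf(out, outlen, "/etc/openvpn/%s.conf", ALLOWED_TUNNELS[idx]);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char conf[128];
    int idx = (argc == 2) ? tunnel_index(argv[1]) : -1;
    if (config_path(idx, conf, sizeof conf) != 0) {
        fprintf(stderr, "usage: start_vpn <predefined-tunnel>\n");
        return 2;
    }
    /* Fixed binary path (assumed), fixed argv, empty environment: the only
       thing the calling asterisk process controls is which predefined
       tunnel gets started. */
    char *const args[] = { "/usr/sbin/openvpn", "--config", conf, "--daemon", NULL };
    char *const envp[] = { NULL };
    execve(args[0], args, envp);
    perror("execve");
    return 1;
}
```
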