[asterisk-users] VPN between Asterisk server and phone client
Steve Totaro
stevetotaro at hotmail.com
Thu May 3 05:01:35 MST 2007
Salvatore Giudice wrote:
> Any network service could potentially harbor a buffer overflow, etc that
> could result in remote command execution. Provided someone finds a similar
> bug and it's exploitable, they would theoretically be able to spawn a shell
> with the same rights as Asterisk. Generally, it's better to run services as
> nobody. I would be hesitant to allow management of VPNs from within
> Asterisk.
>
> Check out this link: http://mixter.void.ru/exploit.html
> It's a basic tutorial on writing shell code for buffer overflows. The basic
> idea is you find some condition where you can cause the application to seg
> fault and if you are lucky, it will allow you to write your shell code to
> memory, gain control of the stack pointer, and make your shell code run.
> These types of exploits have to be tailored to specific OS's and
> architectures. Shellcode that works on a BSD system will not work on Solaris
> or Redhat, etc... Generally you can reuse the delivery code by swapping out
> the shell code for whatever you are attacking.
>
> I'm not stating these currently exist in Asterisk, but theoretically it is
> likely and we just don't know about it yet. Prudence suggests that we don't
> help the hackers any more than we have to in case they find it first. I
> think it would be really difficult to lock down VPN if Asterisk manages its
> operation. Asterisk would have to have execution rights to the VPN binaries
> or an intermediate script at the very least.
>
> Just my 2 cents.
>
> --------------------------------------------------
> Salvatore Giudice
> Salvatore.Giudice at VoIPSecurityTraining.com
>
> VoIP Security Training, LLC
> http://VoIPSecurityTraining.com
>
> 848 N. Rainbow Blvd. #1676
> Las Vegas, NV 89107
> Phone: (617) 959-7625
> Fax: (214) 279-2906
>
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Kai-Uwe Jensen
> Sent: Wednesday, May 02, 2007 8:13 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] VPN between Asterisk server and phone client
>
> On 5/2/07, Salvatore Giudice <Salvatore.Giudice at voipsecuritytraining.com>
> wrote:
>
>> If you run it on the fly, doesn't that mean that the Asterisk user will
>> have permissions to configure VPNs? Nobody sees a problem with that? I'm
>> thinking that if you knock over the Asterisk service and get shell execution
>> rights as Asterisk, you could be able to start tunnels for things other than
>> voice. It's like giving a hacker a great way to hide their activities from
>> your IDS without having to bother to get root first to install an encrypted
>> data pipe.
>>
>
> That's true, the asterisk user needs to be able to invoke the
> "start_vpn" script or program. That does not mean that the asterisk
> user will have to have superuser rights to configure VPNs. You could
> make the start_vpn program setuid to a user that has those rights (and
> in that case, you probably don't want start_vpn to be a script). Also,
> openvpn typically starts "predefined" VPNs. To define a new one,
> someone would have to have access to the file system.
>
> When you say "knock over the Asterisk service and get shell execution
> rights", how would that happen, exactly? I can think of DoS attacks
> and other stuff, but am wondering how "knocking over Asterisk" will
> give someone shell execution rights? As I said above, you would want
> to make the function to start a VPN connection as safe as possible.
> That would include NOT using scripts, and employing other verification
> methods.
>
One approach, if you are really concerned and fit certain requirements:
just deny all unsolicited traffic on the normal IP except on whatever
port you are running OpenVPN on, and accept traffic on the OpenVPN IP.
Thanks,
Steve Totaro
www.asteriskhelpdesk.com
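An added example, not code from this thread or from the Asterisk or OpenVPN projects: a compiled start_vpn wrapper of the kind Kai-Uwe describes, meant to be installed setuid to the VPN-owning user and executable only by the asterisk group, so Asterisk can start predefined tunnels but cannot define new ones or pass arbitrary options to openvpn. The openvpn binary path, config directory and profile-name rule are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OPENVPN_BIN "/usr/sbin/openvpn"   /* assumed install path */
#define CONFIG_DIR  "/etc/openvpn/"       /* assumed; root-owned, not writable by asterisk */
#define MAX_NAME    32

/* Accept only short names made of [a-z0-9_-] with no leading '-', so the
   name can never become a path component, "..", or an extra openvpn option. */
int valid_profile_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_NAME || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Build "<CONFIG_DIR><name>.conf" into out; 0 on success, -1 if rejected. */
int build_config_path(const char *name, char *out, size_t outlen)
{
    if (!valid_profile_name(name))
        return -1;
    int r = snprintf(out, outlen, "%s%s.conf", CONFIG_DIR, name);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char path[256];
    if (argc != 2 || build_config_path(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "usage: start_vpn <profile-name>\n");
        return 2;
    }
    /* Make the real uid match the setuid owner and hand openvpn a fresh,
       minimal environment so nothing inherited from Asterisk reaches it. */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    char *const env[]  = { "PATH=/usr/sbin:/usr/bin:/bin", NULL };
    char *const args[] = { OPENVPN_BIN, "--config", path, "--daemon", NULL };
    execve(OPENVPN_BIN, args, env);
    perror("execve");   /* only reached if exec fails */
    return 1;
}
```

Install as e.g. mode 4750, owner the VPN user, group asterisk, so only the Asterisk process can run it and only the profiles already present in the config directory can be started.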