Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

AST-2010-002: Dialplan injection vulnerability
From: "Asterisk Security Team" <security () asterisk org>
Date: Thu, 18 Feb 2010 17:46:22 -0600

               Asterisk Project Security Advisory - AST-2010-002

   +------------------------------------------------------------------------+
   |       Product        | Asterisk                                        |
   |----------------------+-------------------------------------------------|
   |       Summary        | Dialplan injection vulnerability                |
   |----------------------+-------------------------------------------------|
   |  Nature of Advisory  | Data injection vulnerability                    |
   |----------------------+-------------------------------------------------|
   |    Susceptibility    | Remote Unauthenticated Sessions                 |
   |----------------------+-------------------------------------------------|
   |       Severity       | Critical                                        |
   |----------------------+-------------------------------------------------|
   |    Exploits Known    | Yes                                             |
   |----------------------+-------------------------------------------------|
   |     Reported On      | 10/02/10                                        |
   |----------------------+-------------------------------------------------|
   |     Reported By      | Hans Petter Selasky                             |
   |----------------------+-------------------------------------------------|
   |      Posted On       | 16/02/10                                        |
   |----------------------+-------------------------------------------------|
   |   Last Updated On    | February 18, 2010                               |
   |----------------------+-------------------------------------------------|
   |   Advisory Contact   | Leif Madsen < lmadsen AT digium DOT com >       |
   |----------------------+-------------------------------------------------|
   |       CVE Name       |                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | A common usage of the ${EXTEN} channel variable in a     |
   |             | dialplan with wildcard pattern matches can lead to a     |
   |             | possible string injection vulnerability. By having a     |
   |             | wildcard match in a dialplan, it is possible to allow    |
   |             | unintended calls to be executed, such as in this         |
   |             | example:                                                 |
   |             |                                                          |
   |             | exten => _X.,1,Dial(SIP/${EXTEN})                        |
   |             |                                                          |
   |             | If you have a channel technology which can accept        |
   |             | characters other than numbers and letters (such as SIP)  |
   |             | it may be possible to craft an INVITE which sends data   |
   |             | such as 300&Zap/g1/4165551212 which would create an      |
   |             | additional outgoing channel leg that was not originally  |
   |             | intentioned by the dialplan programmer.                  |
   |             |                                                          |
   |             | Usage of the wildcard character is common in dialplans   |
   |             | that require variable number length, such as European    |
   |             | dial strings.                                            |
   |             |                                                          |
   |             | Please note that this is not limited to an specific      |
   |             | protocol or the Dial() application.                      |
   |             |                                                          |
   |             | The expansion of variables into                          |
   |             | programmatically-interpreted strings is a common         |
   |             | behavior in many script or script-like languages,        |
   |             | Asterisk included. The ability for a variable to         |
   |             | directly replace components of a command is a feature,   |
   |             | not a bug - that is the entire point of string           |
   |             | expansion.                                               |
   |             |                                                          |
   |             | However, it is often the case due to expediency or       |
   |             | design misunderstanding that a developer will not        |
   |             | examine and filter string data from external sources     |
   |             | before passing it into potentially harmful areas of      |
   |             | their dialplan. With the flexibility of the design of    |
   |             | Asterisk come these risks if the dialplan designer is    |
   |             | not suitably                                             |
   |             | cautious as to how foreign data is allowed to continue   |
   |             | into the system.                                         |
   |             |                                                          |
   |             | This security release is intended to raise awareness of  |
   |             | how it is possible to insert malicious strings into      |
   |             | dialplans, and to advise developers to read the best     |
   |             | practices documents so that they may easily avoid these  |
   |             | dangers.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | One resolution is to wrap the ${EXTEN} channel variable   |
   |            | with the FILTER() dialplan function to only accept        |
   |            | characters which are expected by the dialplan programmer. |
   |            | The recommendation is for this to be the first priority   |
   |            | in all contexts defined as incoming contexts in the       |
   |            | channel driver configuration files.                       |
   |            |                                                           |
   |            | Examples of this and other best practices can be found in |
   |            | the new README-SERIOUSLY.bestpractices.txt document in    |
   |            | the top level folder of your Asterisk sources.            |
   |            |                                                           |
   |            | Asterisk 1.2.40 has also been released with a backport of |
   |            | the FILTER() dialplan function from 1.4 in order to       |
   |            | provide the tools required to resolve this issue in your  |
   |            | dialplan.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |           Product            | Release Series |                        |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.2.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.4.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |     Asterisk Open Source     |     1.6.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |  Asterisk Business Edition   |     B.x.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |  Asterisk Business Edition   |     C.x.x      | All versions           |
   |------------------------------+----------------+------------------------|
   |          Switchvox           |      None      | No versions affected   |
   +------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------+
|                                          Document                                           |
|---------------------------------------------------------------------------------------------|
|                                       SVN URL                                        |Branch|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt  |v1.2  |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.bestpractices.txt  |v1.4  |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.bestpractices.txt|v1.6.0|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.bestpractices.txt|v1.6.1|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.bestpractices.txt|v1.6.2|
+---------------------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |                 Product                  |           Release           |
   |------------------------------------------+-----------------------------|
   |           Open Source Asterisk           |           1.2.40            |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |     Links      | https://issues.asterisk.org/view.php?id=16810         |
   |                |                                                       |
   |                | https://issues.asterisk.org/view.php?id=16808         |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security                                       |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/security/AST-2010-002.pdf and          |
   | http://downloads.digium.com/pub/security/AST-2010-002.html             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |      Date       |       Editor       |         Revisions Made          |
   |-----------------+--------------------+---------------------------------|
   | 16/02/10        | Leif Madsen        | Initial release                 |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-002
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • AST-2010-002: Dialplan injection vulnerability Asterisk Security Team (Feb 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]