NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2010-02

[Full-disclosure] AST-2010-002: Dialplan injection vulnerability

From: Asterisk Security Team (securityasterisk.org)
Date: Thu Feb 18 2010 - 17:46:22 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Asterisk Project Security Advisory - AST-2010-002

   +------------------------------------------------------------------------+
   | Product | Asterisk |
   |----------------------+-------------------------------------------------|
   | Summary | Dialplan injection vulnerability |
   |----------------------+-------------------------------------------------|
   | Nature of Advisory | Data injection vulnerability |
   |----------------------+-------------------------------------------------|
   | Susceptibility | Remote Unauthenticated Sessions |
   |----------------------+-------------------------------------------------|
   | Severity | Critical |
   |----------------------+-------------------------------------------------|
   | Exploits Known | Yes |
   |----------------------+-------------------------------------------------|
   | Reported On | 10/02/10 |
   |----------------------+-------------------------------------------------|
   | Reported By | Hans Petter Selasky |
   |----------------------+-------------------------------------------------|
   | Posted On | 16/02/10 |
   |----------------------+-------------------------------------------------|
   | Last Updated On | February 18, 2010 |
   |----------------------+-------------------------------------------------|
   | Advisory Contact | Leif Madsen < lmadsen AT digium DOT com > |
   |----------------------+-------------------------------------------------|
   | CVE Name | |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | A common usage of the ${EXTEN} channel variable in a |
   | | dialplan with wildcard pattern matches can lead to a |
   | | possible string injection vulnerability. By having a |
   | | wildcard match in a dialplan, it is possible to allow |
   | | unintended calls to be executed, such as in this |
   | | example: |
   | | |
   | | exten => _X.,1,Dial(SIP/${EXTEN}) |
   | | |
   | | If you have a channel technology which can accept |
   | | characters other than numbers and letters (such as SIP) |
   | | it may be possible to craft an INVITE which sends data |
   | | such as 300&Zap/g1/4165551212 which would create an |
   | | additional outgoing channel leg that was not originally |
   | | intentioned by the dialplan programmer. |
   | | |
   | | Usage of the wildcard character is common in dialplans |
   | | that require variable number length, such as European |
   | | dial strings. |
   | | |
   | | Please note that this is not limited to an specific |
   | | protocol or the Dial() application. |
   | | |
   | | The expansion of variables into |
   | | programmatically-interpreted strings is a common |
   | | behavior in many script or script-like languages, |
   | | Asterisk included. The ability for a variable to |
   | | directly replace components of a command is a feature, |
   | | not a bug - that is the entire point of string |
   | | expansion. |
   | | |
   | | However, it is often the case due to expediency or |
   | | design misunderstanding that a developer will not |
   | | examine and filter string data from external sources |
   | | before passing it into potentially harmful areas of |
   | | their dialplan. With the flexibility of the design of |
   | | Asterisk come these risks if the dialplan designer is |
   | | not suitably |
   | | cautious as to how foreign data is allowed to continue |
   | | into the system. |
   | | |
   | | This security release is intended to raise awareness of |
   | | how it is possible to insert malicious strings into |
   | | dialplans, and to advise developers to read the best |
   | | practices documents so that they may easily avoid these |
   | | dangers. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | One resolution is to wrap the ${EXTEN} channel variable |
   | | with the FILTER() dialplan function to only accept |
   | | characters which are expected by the dialplan programmer. |
   | | The recommendation is for this to be the first priority |
   | | in all contexts defined as incoming contexts in the |
   | | channel driver configuration files. |
   | | |
   | | Examples of this and other best practices can be found in |
   | | the new README-SERIOUSLY.bestpractices.txt document in |
   | | the top level folder of your Asterisk sources. |
   | | |
   | | Asterisk 1.2.40 has also been released with a backport of |
   | | the FILTER() dialplan function from 1.4 in order to |
   | | provide the tools required to resolve this issue in your |
   | | dialplan. |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Affected Versions |
   |------------------------------------------------------------------------|
   | Product | Release Series | |
   |------------------------------+----------------+------------------------|
   | Asterisk Open Source | 1.2.x | All versions |
   |------------------------------+----------------+------------------------|
   | Asterisk Open Source | 1.4.x | All versions |
   |------------------------------+----------------+------------------------|
   | Asterisk Open Source | 1.6.x | All versions |
   |------------------------------+----------------+------------------------|
   | Asterisk Business Edition | B.x.x | All versions |
   |------------------------------+----------------+------------------------|
   | Asterisk Business Edition | C.x.x | All versions |
   |------------------------------+----------------+------------------------|
   | Switchvox | None | No versions affected |
   +------------------------------------------------------------------------+

+---------------------------------------------------------------------------------------------+
| Document |
|---------------------------------------------------------------------------------------------|
| SVN URL |Branch|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt |v1.2 |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.bestpractices.txt |v1.4 |
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.bestpractices.txt|v1.6.0|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.bestpractices.txt|v1.6.1|
|--------------------------------------------------------------------------------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.bestpractices.txt|v1.6.2|
+---------------------------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Corrected In |
   |------------------------------------------------------------------------|
   | Product | Release |
   |------------------------------------------+-----------------------------|
   | Open Source Asterisk | 1.2.40 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Links | https://issues.asterisk.org/view.php?id=16810 |
   | | |
   | | https://issues.asterisk.org/view.php?id=16808 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at |
   | http://www.asterisk.org/security |
   | |
   | This document may be superseded by later versions; if so, the latest |
   | version will be posted at |
   | http://downloads.digium.com/pub/security/AST-2010-002.pdf and |
   | http://downloads.digium.com/pub/security/AST-2010-002.html |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Revision History |
   |------------------------------------------------------------------------|
   | Date | Editor | Revisions Made |
   |-----------------+--------------------+---------------------------------|
   | 16/02/10 | Leif Madsen | Initial release |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - AST-2010-002
              Copyright (c) 2010 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]