AST-2010-002: Dialplan injection vulnerability Feb 18 2010 11:46PM
Asterisk Security Team (security asterisk org)
Asterisk Project Security Advisory - AST-2010-002

+-----------------------------------------------------------------------
-+
| Product | Asterisk |
|----------------------+------------------------------------------------
-|
| Summary | Dialplan injection vulnerability |
|----------------------+------------------------------------------------
-|
| Nature of Advisory | Data injection vulnerability |
|----------------------+------------------------------------------------
-|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------+------------------------------------------------
-|
| Severity | Critical |
|----------------------+------------------------------------------------
-|
| Exploits Known | Yes |
|----------------------+------------------------------------------------
-|
| Reported On | 10/02/10 |
|----------------------+------------------------------------------------
-|
| Reported By | Hans Petter Selasky |
|----------------------+------------------------------------------------
-|
| Posted On | 16/02/10 |
|----------------------+------------------------------------------------
-|
| Last Updated On | February 18, 2010 |
|----------------------+------------------------------------------------
-|
| Advisory Contact | Leif Madsen < lmadsen AT digium DOT com > |
|----------------------+------------------------------------------------
-|
| CVE Name | |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Description | A common usage of the ${EXTEN} channel variable in a |
| | dialplan with wildcard pattern matches can lead to a |
| | possible string injection vulnerability. By having a |
| | wildcard match in a dialplan, it is possible to allow |
| | unintended calls to be executed, such as in this |
| | example: |
| | |
| | exten => _X.,1,Dial(SIP/${EXTEN}) |
| | |
| | If you have a channel technology which can accept |
| | characters other than numbers and letters (such as SIP) |
| | it may be possible to craft an INVITE which sends data |
| | such as 300&Zap/g1/4165551212 which would create an |
| | additional outgoing channel leg that was not originally |
| | intentioned by the dialplan programmer. |
| | |
| | Usage of the wildcard character is common in dialplans |
| | that require variable number length, such as European |
| | dial strings. |
| | |
| | Please note that this is not limited to an specific |
| | protocol or the Dial() application. |
| | |
| | The expansion of variables into |
| | programmatically-interpreted strings is a common |
| | behavior in many script or script-like languages, |
| | Asterisk included. The ability for a variable to |
| | directly replace components of a command is a feature, |
| | not a bug - that is the entire point of string |
| | expansion. |
| | |
| | However, it is often the case due to expediency or |
| | design misunderstanding that a developer will not |
| | examine and filter string data from external sources |
| | before passing it into potentially harmful areas of |
| | their dialplan. With the flexibility of the design of |
| | Asterisk come these risks if the dialplan designer is |
| | not suitably |
| | cautious as to how foreign data is allowed to continue |
| | into the system. |
| | |
| | This security release is intended to raise awareness of |
| | how it is possible to insert malicious strings into |
| | dialplans, and to advise developers to read the best |
| | practices documents so that they may easily avoid these |
| | dangers. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Resolution | One resolution is to wrap the ${EXTEN} channel variable |
| | with the FILTER() dialplan function to only accept |
| | characters which are expected by the dialplan programmer. |
| | The recommendation is for this to be the first priority |
| | in all contexts defined as incoming contexts in the |
| | channel driver configuration files. |
| | |
| | Examples of this and other best practices can be found in |
| | the new README-SERIOUSLY.bestpractices.txt document in |
| | the top level folder of your Asterisk sources. |
| | |
| | Asterisk 1.2.40 has also been released with a backport of |
| | the FILTER() dialplan function from 1.4 in order to |
| | provide the tools required to resolve this issue in your |
| | dialplan. |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Affected Versions |
|-----------------------------------------------------------------------
-|
| Product | Release Series | |
|------------------------------+----------------+-----------------------
-|
| Asterisk Open Source | 1.2.x | All versions |
|------------------------------+----------------+-----------------------
-|
| Asterisk Open Source | 1.4.x | All versions |
|------------------------------+----------------+-----------------------
-|
| Asterisk Open Source | 1.6.x | All versions |
|------------------------------+----------------+-----------------------
-|
| Asterisk Business Edition | B.x.x | All versions |
|------------------------------+----------------+-----------------------
-|
| Asterisk Business Edition | C.x.x | All versions |
|------------------------------+----------------+-----------------------
-|
| Switchvox | None | No versions affected |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
----------------------+
| Document |
|-----------------------------------------------------------------------
----------------------|
| SVN URL |Branch|
|-----------------------------------------------------------------------
---------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.best
practices.txt |v1.2 |
|-----------------------------------------------------------------------
---------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.best
practices.txt |v1.4 |
|-----------------------------------------------------------------------
---------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.be
stpractices.txt|v1.6.0|
|-----------------------------------------------------------------------
---------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.be
stpractices.txt|v1.6.1|
|-----------------------------------------------------------------------
---------------+------|
|http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.be
stpractices.txt|v1.6.2|
+-----------------------------------------------------------------------
----------------------+

+-----------------------------------------------------------------------
-+
| Corrected In |
|-----------------------------------------------------------------------
-|
| Product | Release |
|------------------------------------------+----------------------------
-|
| Open Source Asterisk | 1.2.40 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Links | https://issues.asterisk.org/view.php?id=16810 |
| | |
| | https://issues.asterisk.org/view.php?id=16808 |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-002.html |
+-----------------------------------------------------------------------
-+

+-----------------------------------------------------------------------
-+
| Revision History |
|-----------------------------------------------------------------------
-|
| Date | Editor | Revisions Made |
|-----------------+--------------------+--------------------------------
-|
| 16/02/10 | Leif Madsen | Initial release |
+-----------------------------------------------------------------------
-+

Asterisk Project Security Advisory - AST-2010-002
Copyright (c) 2010 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus