Dialplan injection vulnerability
+------------------------------------------------------------------------+
| Description | A common usage of the ${EXTEN} channel variable in a     |
|             | dialplan with wildcard pattern matches can lead to a     |
|             | possible string injection vulnerability. By having a     |
|             | wildcard match in a dialplan, it is possible to allow    |
|             | unintended calls to be executed, such as in this         |
|             | example:                                                 |
|             |                                                          |
|             | exten => _X.,1,Dial(SIP/${EXTEN})                        |
|             |                                                          |
|             | If you have a channel technology which can accept        |
|             | characters other than numbers and letters (such as SIP), |
|             | it may be possible to craft an INVITE which sends data   |
|             | such as 300&Zap/g1/4165551212, which would create an     |
|             | additional outgoing channel leg that was not originally  |
|             | intended by the dialplan programmer.                     |
|             |                                                          |
|             | Usage of the wildcard character is common in dialplans   |
|             | that require variable number length, such as European    |
|             | dial strings.                                            |
|             |                                                          |
|             | Please note that this is not limited to a specific       |
|             | protocol or the Dial() application.                      |
|             |                                                          |
|             | The expansion of variables into                          |
|             | programmatically-interpreted strings is a common         |
|             | behavior in many script or script-like languages,        |
|             | Asterisk included. The ability for a variable to         |
|             | directly replace components of a command is a feature,   |
|             | not a bug: that is the entire point of string            |
|             | expansion.                                               |
|             |                                                          |
|             | However, it is often the case, due to expediency or      |
|             | design misunderstanding, that a developer will not       |
|             | examine and filter string data from external sources     |
|             | before passing it into potentially harmful areas of      |
|             | their dialplan. With the flexibility of the design of    |
|             | Asterisk come these risks, if the dialplan designer is   |
|             | not suitably cautious as to how foreign data is allowed  |
|             | to continue into the system.                             |
|             |                                                          |
|             | This security release is intended to raise awareness of  |
|             | how it is possible to insert malicious strings into      |
|             | dialplans, and to advise developers to read the best     |
|             | practices documents so that they may easily avoid these  |
|             | dangers.                                                 |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution  | One resolution is to wrap the ${EXTEN} channel variable  |
|             | with the FILTER() dialplan function to only accept       |
|             | characters which are expected by the dialplan            |
|             | programmer. The recommendation is for this to be the     |
|             | first priority in all contexts defined as incoming       |
|             | contexts in the channel driver configuration files.      |
|             |                                                          |
|             | Examples of this and other best practices can be found   |
|             | in the new README-SERIOUSLY.bestpractices.txt document   |
|             | in the top level folder of your Asterisk sources.        |
|             |                                                          |
|             | Asterisk 1.2.40 has also been released with a backport   |
|             | of the FILTER() dialplan function from 1.4 in order to   |
|             | provide the tools required to resolve this issue in      |
|             | your dialplan.                                           |
+------------------------------------------------------------------------+
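As an added example, not taken from the advisory or from the README-SERIOUSLY.bestpractices.txt document, here is an incoming SIP context that applies the FILTER() recommendation; the context name from-sip-trunk, the SAFE_EXTEN variable and the reject label are assumptions:

```ini
; Added example (not from the advisory or the Asterisk sources).
; The context name, the SAFE_EXTEN variable and the 'reject' label
; are assumptions; adapt them to your own incoming context.
[from-sip-trunk]

; Vulnerable form (the line quoted by the advisory): ${EXTEN} is
; expanded unfiltered, so a request URI such as
; 300&Zap/g1/4165551212 makes Dial() place a second, unintended leg.
;exten => _X.,1,Dial(SIP/${EXTEN})

; Hardened form: the very first priority keeps only the characters
; this context expects (digits here), and every later step uses the
; filtered copy instead of the raw ${EXTEN}.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; If anything was stripped, the caller sent characters this context
; never expects: log it and drop the call rather than dial a guess.
exten => _X.,n,GotoIf($[${LEN(${SAFE_EXTEN})} != ${LEN(${EXTEN})}]?reject)
exten => _X.,n,Dial(SIP/${SAFE_EXTEN},30)
exten => _X.,n,Hangup()
exten => _X.,n(reject),NoOp(Rejected call: dialed string contained unexpected characters)
exten => _X.,n,Hangup()
```

Widen the allowed set (for example 0-9A-Za-z) only if this context really expects alphanumeric peer names; the separate reject step exists so that stripped characters are logged rather than silently turned into a different number.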
Asterisk configuration templates. Use the (+) option
Hi All
Today we will review the (+) sign in the asterisk configuration files.
This can be applied to any file under the /etc/asterisk directory.
[mycontext]
option1=value1
-- lots of other stuff --
[mycontext](+)
option2=value2
So, basically, in the same file you can have the same context twice. If the two contexts have the same name and the second one is followed by the (+) option, then both contexts will be merged.
Notice: if the first context does not exist, the load will fail.
This can be useful if you include one configuration file in another and need to add options to a context defined in that other configuration file.
Enjoy !
Asterisk : spy a conversation
Hi everybody
Today, we will look at the ChanSpy application.
Let's say you have calls coming into your Asterisk and you want to be able
to hear what people are saying without them knowing it.
Then ChanSpy is for you.
ChanSpy
Synopsis
Listen in on a call. Useful in a call center to monitor agents on the phone.
Description
This adds the ability to spy on any bridged call; this includes VoIP-only calls, which ZapScan/ZapBarge could not handle.
Chanspy([<chanprefix>][,<options>])
Valid Options:
- b: Only spy on channels involved in a bridged call.
- g(grp): Match only channels where their ${SPYGROUP} variable is set to contain 'grp' in an optional : delimited list.
- q: Don't play a beep when beginning to spy on a channel, or speak the selected channel name.
- r[(basename)]: Record the session to the monitor spool directory. An optional base for the filename may be specified. The default is 'chanspy'.
- v([value]): Adjust the initial volume in the range from -4 to 4. A negative value refers to a quieter setting.
Since 1.4:
- w: Enable 'whisper' mode, so the spying channel can talk to the spied-on channel.
- W: Enable 'private whisper' mode, so the spying channel can talk to the spied-on channel but cannot listen to that channel.
Since 1.6:
- o: Only listen to audio coming from this channel.
- X: Allow the user to exit ChanSpy to a valid single digit numeric extension in the current context or the context specified by the SPY_EXIT_CONTEXT channel variable. The name of the last channel that was spied on will be stored in the SPY_CHANNEL variable.
- e(ext): Enable 'enforced' mode, so the spying channel can only monitor extensions whose name is in the 'ext' : delimited list.
If <chanprefix> is specified, only channel names *beginning* with that string will be scanned.
('all' or an empty string are also both valid <chanprefix>)
While spying, the following actions may be performed:
Dialing # cycles the volume level.
Dialing * will stop spying and look for another channel to spy on.
Dialing a series of digits followed by # builds a channel name to append to <chanprefix>
(e.g. run ChanSpy(Agent) and dial 1234# while spying to jump to channel Agent/1234)
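As an added example (not from the original post), here is a dialplan that restricts who can use ChanSpy and which channels they can reach, written with the 1.6 comma-separated argument syntax; the context names, the extensions 7000 and 7001, the PIN 4242 and the group name 'sales' are assumptions:

```ini
; Added example, not from the original post. The context names, the
; extensions 7000/7001, the PIN and the 'sales' group are assumptions.
[agents]
; Every call an agent places carries SPYGROUP on the agent's channel,
; so supervisors can be limited to this group with the g() option.
exten => _1XX,1,Set(SPYGROUP=sales)
exten => _1XX,n,Dial(SIP/${EXTEN},20)
exten => _1XX,n,Hangup()

[supervisors]
; 7000: listen only. b = bridged calls only, q = no beep and no channel
; name announcement, g(sales) = only channels whose SPYGROUP contains
; 'sales'. Authenticate() asks for the PIN first, so the extension is
; not open to anyone who can reach this context.
exten => 7000,1,Authenticate(4242)
exten => 7000,n,ChanSpy(SIP,bqg(sales))
exten => 7000,n,Hangup()

; 7001: same restrictions, plus whisper mode (w, since 1.4) and a
; recording of the session in the monitor spool directory with the
; base name 'coaching' (r option).
exten => 7001,1,Authenticate(4242)
exten => 7001,n,ChanSpy(SIP,bqg(sales)wr(coaching))
exten => 7001,n,Hangup()
```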
Install asterisk on ubuntu (apt-get)
If you don't want to compile Asterisk and you are already using a Debian-based system like Ubuntu,
you can just apt-get asterisk:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install asterisk
Asterisk security : ACL not respected on SIP INVITE
A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the “deny” and “permit” lines in sip.conf. The ACL check for handling SIP registrations was not affected.
http://www.asterisk.org/security
Asterisk and others PBX monitoring
Here is a great tool to monitor your web services as well as your public phone services
Asterisk: send and receive fax
You may have searched all over the internet for a reliable way to send and receive faxes using
Asterisk and a VoIP connection or the TDM/T1 card you already have.
Digium has a solution for you.
http://store.digium.com/productview.php?product_code=804-00007
Check their free fax product. Register and install it.
You can use it for free if you need only one concurrent channel. This may be all you need if you have only one outbound line anyway or expect only one fax at a time.
For multiple channels, the pricing is as low as $39.99.
asterisk : Run linux command from asterisk cli
This feature can help when you want to stay in the Asterisk CLI while running other Linux commands.
To do so, you can prefix the command by ! (exclamation point).
Example :
ouidah*CLI> !date
Wed Aug 5 20:48:22 EDT 2009
ouidah*CLI>
Asterisk security : AST-2009-004: Remote Crash Vulnerability in RTP stack
Today (2009-09-03), a vulnerability was discovered in the Asterisk RTP stack which may allow a remote user to crash your server by sending malformed RTP packets.
Only 1.6.1 versions are affected. Please upgrade. Here is the full security advisory.
Asterisk Project Security Advisory - AST-2009-004
+------------------------------------------------------------------------+
| Product            | Asterisk                                          |
|--------------------+---------------------------------------------------|
| Summary            | Remote Crash Vulnerability in RTP stack           |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Exploitable Crash                                 |
|--------------------+---------------------------------------------------|
| Susceptibility     | Remote unauthenticated sessions                   |
|--------------------+---------------------------------------------------|
| Severity           | Critical                                          |
|--------------------+---------------------------------------------------|
| Exploits Known     | No                                                |
|--------------------+---------------------------------------------------|
| Reported On        | July 27, 2009                                     |
|--------------------+---------------------------------------------------|
| Reported By        | Marcus Hunger <hunger AT sipgate DOT de>          |
|--------------------+---------------------------------------------------|
| Posted On          | August 2, 2009                                    |
|--------------------+---------------------------------------------------|
| Last Updated On    | August 2, 2009                                    |
|--------------------+---------------------------------------------------|
| Advisory Contact   | Mark Michelson <mmichelson AT digium DOT com>     |
|--------------------+---------------------------------------------------|
| CVE Name           |                                                   |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Description | An attacker can cause Asterisk to crash remotely by      |
|             | sending malformed RTP text frames. While the attacker    |
|             | can cause Asterisk to crash, he cannot execute arbitrary |
|             | remote code with this exploit.                           |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution  | Users should upgrade to a version listed in the          |
|             | "Corrected In" section below.                            |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                       | Release Series |                       |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.2.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.4.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.6.x          | All 1.6.1 versions    |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.2.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.4.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Addons               | 1.6.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | A.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | B.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| Asterisk Business Edition     | C.x.x          | Unaffected            |
|-------------------------------+----------------+-----------------------|
| AsteriskNOW                   | 1.5            | Unaffected            |
|-------------------------------+----------------+-----------------------|
| s800i (Asterisk Appliance)    | 1.2.x          | Unaffected            |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                      | Release                 |
|----------------------------------------------+-------------------------|
| Open Source Asterisk 1.6.1                   | 1.6.1.2                 |
+------------------------------------------------------------------------+
+----------------------------------------------------------------------------+
| Patches                                                                    |
|----------------------------------------------------------------------------|
| SVN URL                                                            |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 |
|--------------------------------------------------------------------+-------|
+----------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Links       |                                                          |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-004.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-004.html             |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date           | Editor          | Revisions Made                      |
|----------------+-----------------+-------------------------------------|
| 27 Jul, 2009   | Mark Michelson  | Initial Draft                       |
|----------------+-----------------+-------------------------------------|
| 31 Jul, 2009   | Mark Michelson  | Added sentence about how remote     |
|                |                 | code cannot be executed.            |
|----------------+-----------------+-------------------------------------|
| August 2, 2009 | Tilghman Lesher | Public release                      |
+------------------------------------------------------------------------+
Asterisk Project Security Advisory - AST-2009-004
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
Write your own asterisk application
Maybe you want to do something that does not exist in Asterisk, or you want to write your own Asterisk application.
If so, you may read the sample provided in the Asterisk source code under apps/app_skel.c.
Basically, what you need to know is that at startup Asterisk will load your application by running its load_module function. That function registers your new application with its name and its execute function (app_exec in this case). When that application is called from the dialplan, for example, app_exec is executed.
You can see the code here