Foniva Contact Center Software
Asterisk Experts Support

Asterisk: Run Linux commands from the Asterisk CLI

This feature helps when you want to stay in the Asterisk CLI while running other Linux commands.

To do so, prefix the command with ! (exclamation point).

Example:

ouidah*CLI> !date
Wed Aug  5 20:48:22 EDT 2009
ouidah*CLI>

Asterisk security: AST-2009-004: Remote Crash Vulnerability in RTP stack

Today (2009-09-03), a vulnerability was discovered in the Asterisk RTP stack that may allow a remote user to crash your server by sending malformed RTP packets.

Only 1.6.1 versions are affected. Please upgrade. Here is the full vulnerability release.

Asterisk Project Security Advisory - AST-2009-004

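+------------------------------------------------------------------------+
|       Product        | Asterisk                                        |
|----------------------+-------------------------------------------------|
|       Summary        | Remote Crash Vulnerability in RTP stack         |
|----------------------+-------------------------------------------------|
|  Nature of Advisory  | Exploitable Crash                               |
|----------------------+-------------------------------------------------|
|    Susceptibility    | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
|       Severity       | Critical                                        |
|----------------------+-------------------------------------------------|
|    Exploits Known    | No                                              |
|----------------------+-------------------------------------------------|
|     Reported On      | July 27, 2009                                   |
|----------------------+-------------------------------------------------|
|     Reported By      | Marcus Hunger <hunger AT sipgate DOT de>        |
|----------------------+-------------------------------------------------|
|      Posted On       | August 2, 2009                                  |
|----------------------+-------------------------------------------------|
|   Last Updated On    | August 2, 2009                                  |
|----------------------+-------------------------------------------------|
|   Advisory Contact   | Mark Michelson <mmichelson AT digium DOT com>   |
|----------------------+-------------------------------------------------|
|       CVE Name       |                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | An attacker can cause Asterisk to crash remotely by      |
|             | sending malformed RTP text frames. While the attacker    |
|             | can cause Asterisk to crash, he cannot execute arbitrary |
|             | remote code with this exploit.                           |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Users should upgrade to a version listed in the           |
|            | "Corrected In" section below.                             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                           Affected Versions                            |
|------------------------------------------------------------------------|
|            Product            | Release Series |                       |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.2.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.4.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|     Asterisk Open Source      |     1.6.x      | All 1.6.1 versions    |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.2.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.4.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|        Asterisk Addons        |     1.6.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     A.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     B.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|   Asterisk Business Edition   |     C.x.x      | Unaffected            |
|-------------------------------+----------------+-----------------------|
|          AsteriskNOW          |      1.5       | Unaffected            |
|-------------------------------+----------------+-----------------------|
|  s800i (Asterisk Appliance)   |     1.2.x      | Unaffected            |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                              Corrected In                              |
|------------------------------------------------------------------------|
|                   Product                   |         Release          |
|---------------------------------------------+--------------------------|
|         Open Source Asterisk 1.6.1          |         1.6.1.2          |
+------------------------------------------------------------------------+

+----------------------------------------------------------------------------+
|                                  Patches                                   |
|----------------------------------------------------------------------------|
|                              SVN URL                               |Version|
|--------------------------------------------------------------------+-------|
|http://downloads.digium.com/pub/security/AST-2009-004-1.6.1.diff.txt| 1.6.1 |
+----------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|        Links        |                                                  |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2009-004.pdf and          |
| http://downloads.digium.com/pub/security/AST-2009-004.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
|                            Revision History                            |
|------------------------------------------------------------------------|
|      Date      |     Editor      |           Revisions Made            |
|----------------+-----------------+-------------------------------------|
| 27 Jul, 2009   | Mark Michelson  | Initial Draft                       |
|----------------+-----------------+-------------------------------------|
| 31 Jul, 2009   | Mark Michelson  | Added sentence about how remote     |
|                |                 | code cannot be executed.            |
|----------------+-----------------+-------------------------------------|
| August 2, 2009 | Tilghman Lesher | Public release                      |
+------------------------------------------------------------------------+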

Asterisk Project Security Advisory - AST-2009-004
Copyright (c) 2009 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
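
To check a host against the version data in the advisory above, here is an added example (not part of the advisory or of the original post) that classifies the string printed by `asterisk -V`. The function name and status labels are this example's own, and it assumes the output has the form "Asterisk <version>".

```shell
#!/bin/sh
# Added example: classify an `asterisk -V` string against AST-2009-004.
# From the advisory: every 1.6.1 release is affected and no other series is;
# 1.6.1.2 is the corrected release. Status names are this example's own.

ast_2009_004_status() {
    ver=${1#Asterisk }          # drop the product name
    ver=${ver%% *}              # keep the first token only
    suffix=

    # SVN or vendor builds ("SVN-branch-1.6.1-r...") cannot be ordered
    # against a release number: report them for manual review.
    case $ver in
        [0-9]*.[0-9]*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    case $ver in
        *-*) suffix=${ver#*-}; ver=${ver%%-*} ;;   # -rc1, -beta2, ...
    esac
    case $ver in
        *[!0-9.]*|*..*|*.) echo UNKNOWN; return 0 ;;
    esac

    # Split on dots; missing third or fourth fields count as 0.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    series=${3:-0}; patch=${4:-0}

    case "$1.$2.$series" in
        1.6.1)
            # Compare numerically so that 1.6.1.10 sorts after 1.6.1.2.
            if [ "$patch" -lt 2 ]; then echo AFFECTED
            elif [ "$patch" -eq 2 ] && [ -n "$suffix" ]; then echo UNKNOWN
            else echo FIXED
            fi ;;
        1.2.*|1.4.*|1.6.0) echo UNAFFECTED ;;
        *) echo NOT_LISTED ;;      # series the advisory table does not cover
    esac
}

# Constructed sample inputs (not captured from a real host).
for sample in "Asterisk 1.6.1.1" "Asterisk 1.6.1-rc1" "Asterisk 1.6.1.10" \
              "Asterisk 1.4.26" "Asterisk SVN-branch-1.6.1-r1"; do
    printf '%-32s %s\n' "$sample" "$(ast_2009_004_status "$sample")"
done
```

On a live system the call is `ast_2009_004_status "$(asterisk -V)"`; an UNKNOWN result means the build has to be checked by hand against the patch listed in the advisory.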

Write your own Asterisk application

Maybe you want to do something that does not exist in Asterisk, or you want to write your own Asterisk application.

If so, you may read the sample provided in the Asterisk source code under apps/app_skel.c.

Basically, what you need to know is that at startup Asterisk loads your application by running the load_module function. That function registers your new application with its name and its execute function (app_exec in this case). When the application is called, from the dialplan for example, app_exec is executed.

You can see the code here:

http://svn.digium.com/svn/asterisk/trunk/apps/app_skel.c

