Dialplan 2.5.3 injection vulnerability

2010-02-25 / 2010-02-26
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Asterisk Project Security Advisory - AST-2010-002

Product: Asterisk
Summary: Dialplan injection vulnerability
Nature of Advisory: Data injection vulnerability
Susceptibility: Remote Unauthenticated Sessions
Severity: Critical
Exploits Known: Yes
Reported On: 10/02/10
Reported By: Hans Petter Selasky
Posted On: 16/02/10
Last Updated On: February 18, 2010
Advisory Contact: Leif Madsen < lmadsen AT digium DOT com >
CVE Name:

Description

A common usage of the ${EXTEN} channel variable in a dialplan with wildcard pattern matches can lead to a possible string injection vulnerability. By having a wildcard match in a dialplan, it is possible to allow unintended calls to be executed, such as in this example:

    exten => _X.,1,Dial(SIP/${EXTEN})

If you have a channel technology which can accept characters other than numbers and letters (such as SIP), it may be possible to craft an INVITE which sends data such as 300&Zap/g1/4165551212, which would create an additional outgoing channel leg that was not originally intended by the dialplan programmer.

Usage of the wildcard character is common in dialplans that require variable number length, such as European dial strings.

Please note that this is not limited to a specific protocol or the Dial() application.

The expansion of variables into programmatically-interpreted strings is a common behavior in many script or script-like languages, Asterisk included. The ability for a variable to directly replace components of a command is a feature, not a bug: that is the entire point of string expansion.

However, it is often the case, due to expediency or design misunderstanding, that a developer will not examine and filter string data from external sources before passing it into potentially harmful areas of their dialplan. With the flexibility of the design of Asterisk come these risks if the dialplan designer is not suitably cautious as to how foreign data is allowed to continue into the system.

This security release is intended to raise awareness of how it is possible to insert malicious strings into dialplans, and to advise developers to read the best practices documents so that they may easily avoid these dangers.

Resolution

One resolution is to wrap the ${EXTEN} channel variable with the FILTER() dialplan function to only accept characters which are expected by the dialplan programmer. The recommendation is for this to be the first priority in all contexts defined as incoming contexts in the channel driver configuration files.

Examples of this and other best practices can be found in the new README-SERIOUSLY.bestpractices.txt document in the top level folder of your Asterisk sources.

Asterisk 1.2.40 has also been released with a backport of the FILTER() dialplan function from 1.4 in order to provide the tools required to resolve this issue in your dialplan.

Affected Versions

    Product                     Release Series   Affected
    Asterisk Open Source        1.2.x            All versions
    Asterisk Open Source        1.4.x            All versions
    Asterisk Open Source        1.6.x            All versions
    Asterisk Business Edition   B.x.x            All versions
    Asterisk Business Edition   C.x.x            All versions
    Switchvox                   None             No versions affected

Document

    SVN URL                                                                                 Branch
    http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt    v1.2
    http://svn.asterisk.org/svn/asterisk/branches/1.4/README-SERIOUSLY.bestpractices.txt    v1.4
    http://svn.asterisk.org/svn/asterisk/branches/1.6.0/README-SERIOUSLY.bestpractices.txt  v1.6.0
    http://svn.asterisk.org/svn/asterisk/branches/1.6.1/README-SERIOUSLY.bestpractices.txt  v1.6.1
    http://svn.asterisk.org/svn/asterisk/branches/1.6.2/README-SERIOUSLY.bestpractices.txt  v1.6.2

Corrected In

    Product                Release
    Open Source Asterisk   1.2.40

Links

    https://issues.asterisk.org/view.php?id=16810
    https://issues.asterisk.org/view.php?id=16808

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2010-002.pdf and http://downloads.digium.com/pub/security/AST-2010-002.html

Revision History

    Date       Editor        Revisions Made
    16/02/10   Leif Madsen   Initial release

Asterisk Project Security Advisory - AST-2010-002
Copyright (c) 2010 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
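As an added illustration (not code from the advisory or from Asterisk), the Python model below reproduces the Dial(SIP/${EXTEN}) injection from the Description and the FILTER()-based Resolution; Dial() leg splitting and FILTER() semantics are modelled from their documented behaviour, and the strict reject-on-change variant is an assumption of mine rather than something the advisory states.

```python
"""Model of the AST-2010-002 injection and the FILTER() mitigation.
Added example, not Asterisk's own code. It imitates two behaviours the
advisory relies on: Dial() splits its first argument on '&' into channel
legs, and FILTER(allowed,string) keeps only allowed characters."""


def expand_allowed(spec: str) -> set:
    """Expand a FILTER()-style allowed-character spec such as '0-9a-z#*'."""
    allowed, i = set(), 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":  # a range like 0-9
            allowed.update(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            allowed.add(spec[i])
            i += 1
    return allowed


def dialplan_filter(spec: str, value: str) -> str:
    """Model of ${FILTER(spec,value)}: drop every character not in spec."""
    allowed = expand_allowed(spec)
    return "".join(ch for ch in value if ch in allowed)


def dial_legs(dial_arg: str) -> list:
    """Model of how Dial() turns its first argument into channel legs."""
    return [leg for leg in dial_arg.split("&") if leg]


# Constructed input: the user part of the INVITE quoted in the advisory.
INJECTED_EXTEN = "300&Zap/g1/4165551212"


def vulnerable_dial(exten: str) -> list:
    """exten => _X.,1,Dial(SIP/${EXTEN})  -- ${EXTEN} used unfiltered."""
    return dial_legs("SIP/" + exten)


def hardened_dial(exten: str, strict: bool = False) -> list:
    """exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
    exten => _X.,n,Dial(SIP/${SAFE_EXTEN})
    With strict=True (added assumption, not from the advisory) the call is
    refused when filtering changed anything, instead of dialling the rest."""
    safe = dialplan_filter("0-9", exten)
    if strict and safe != exten:
        return []  # refuse: caller sent characters the dialplan never expects
    return dial_legs("SIP/" + safe)
```

Note that FILTER() strips the unexpected characters rather than rejecting the call, so the sample INVITE still produces one (different) outbound leg; comparing the filtered value with ${EXTEN} is how a dialplan can refuse it outright.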


