AST-2010-002: Dialplan injection vulnerability

           Asterisk Project Security Advisory - AST-2010-002

±-----------------------------------------------------------------------+
| Product | Asterisk |
|----------------------±------------------------------------------------|
| Summary | Dialplan injection vulnerability |
|----------------------±------------------------------------------------|
| Nature of Advisory | Data injection vulnerability |
|----------------------±------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
|----------------------±------------------------------------------------|
| Severity | Critical |
|----------------------±------------------------------------------------|
| Exploits Known | Yes |
|----------------------±------------------------------------------------|
| Reported On | 10/02/10 |
|----------------------±------------------------------------------------|
| Reported By | Hans Petter Selasky |
|----------------------±------------------------------------------------|
| Posted On | 16/02/10 |
|----------------------±------------------------------------------------|
| Last Updated On | February 18, 2010 |
|----------------------±------------------------------------------------|
| Advisory Contact | Leif Madsen < lmadsen AT digium DOT com > |
|----------------------±------------------------------------------------|
| CVE Name | |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Description | A common usage of the ${EXTEN} channel variable in a |
| | dialplan with wildcard pattern matches can lead to a |
| | possible string injection vulnerability. By having a |
| | wildcard match in a dialplan, it is possible to allow |
| | unintended calls to be executed, such as in this |
| | example: |
| | |
| | exten => _X.,1,Dial(SIP/${EXTEN}) |
| | |
| | If you have a channel technology which can accept |
| | characters other than numbers and letters (such as SIP) |
| | it may be possible to craft an INVITE which sends data |
| | such as 300&Zap/g1/4165551212 which would create an |
| | additional outgoing channel leg that was not originally |
| | intentioned by the dialplan programmer. |
| | |
| | Usage of the wildcard character is common in dialplans |
| | that require variable number length, such as European |
| | dial strings. |
| | |
| | Please note that this is not limited to an specific |
| | protocol or the Dial() application. |
| | |
| | The expansion of variables into |
| | programmatically-interpreted strings is a common |
| | behavior in many script or script-like languages, |
| | Asterisk included. The ability for a variable to |
| | directly replace components of a command is a feature, |
| | not a bug - that is the entire point of string |
| | expansion. |
| | |
| | However, it is often the case due to expediency or |
| | design misunderstanding that a developer will not |
| | examine and filter string data from external sources |
| | before passing it into potentially harmful areas of |
| | their dialplan. With the flexibility of the design of |
| | Asterisk come these risks if the dialplan designer is |
| | not suitably |
| | cautious as to how foreign data is allowed to continue |
| | into the system. |
| | |
| | This security release is intended to raise awareness of |
| | how it is possible to insert malicious strings into |
| | dialplans, and to advise developers to read the best |
| | practices documents so that they may easily avoid these |
| | dangers. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Resolution | One resolution is to wrap the ${EXTEN} channel variable |
| | with the FILTER() dialplan function to only accept |
| | characters which are expected by the dialplan programmer. |
| | The recommendation is for this to be the first priority |
| | in all contexts defined as incoming contexts in the |
| | channel driver configuration files. |
| | |
| | Examples of this and other best practices can be found in |
| | the new README-SERIOUSLY.bestpractices.txt document in |
| | the top level folder of your Asterisk sources. |
| | |
| | Asterisk 1.2.40 has also been released with a backport of |
| | the FILTER() dialplan function from 1.4 in order to |
| | provide the tools required to resolve this issue in your |
| | dialplan. |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±--------------------------------------------------------------------------------------------+

±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Links | https://issues.asterisk.org/view.php?id=16810 |
| | |
| | https://issues.asterisk.org/view.php?id=16808 |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at |
| http://www.asterisk.org/security |
| |
| This document may be superseded by later versions; if so, the latest |
| version will be posted at |
| http://downloads.digium.com/pub/security/AST-2010-002.pdf and |
| http://downloads.digium.com/pub/security/AST-2010-002.html |
±-----------------------------------------------------------------------+

±-----------------------------------------------------------------------+

           Asterisk Project Security Advisory - AST-2010-002
          Copyright (c) 2010 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.