Dial plan injection vulnerability

I just read an article about a dial plan injection vulnerability that affects all versions of Asterisk. http://www.voip-forum.com/?p=241 It basically says that a dial plan best practice that has been widely followed has now been deemed vulnerable to attack.

Since FreePBX handles much (or all) of the dial plan creation, I haven’t spent much time digging into them. I started to look, but it wasn’t immediately clear… does this vulnerability affect FreePBX?

I think the answer is no, though we would welcome people in the community having a closer look at our dialplan to see if this or variations of this are possible on FreePBX.

Given the flexibility for customization, I would not be surprised if there were ways that ‘more advanced’ users could create such a vulnerability, and there is no question that if they start putting custom dialplan at the ‘extensions.conf’ level they could.

In general, FreePBX always sends a call via a goto targeted at specific contexts. The closest vulnerability would be allowing anonymous SIP calls. However, in that case, here is the stock code that handles the calls:

exten => _.,1,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})   ; DID becomes "s" when the requested extension is a single character or empty, otherwise the requested extension
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${ALLOW_SIP_ANON}"="yes"]?checklang:noanonymous)   ; only continue if anonymous SIP is enabled; the noanonymous branch (rejecting the call) is further down in the stock context and not shown here
exten => s,n(checklang),GotoIf($["${SIPLANG}"!=""]?setlanguage:from-trunk,${DID},1)   ; skip the language step if no SIP language is configured
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n,Goto(from-trunk,${DID},1)   ; hand the DID to the from-trunk context; no Dial() is executed here

The crux of that is the last statement, which effectively uses the ${EXTEN} that came in from the call, so conceptually:

exten => _X.,1,Goto(from-trunk,${EXTEN},1)

However, we are not doing a dial; you must explicitly have a context in from-trunk, or included in from-trunk, that can capture the value in ${EXTEN}. This is not like passing it straight to the Dial() command, where you can get the injection results described in the article.

So … I think we are safe, but we very much welcome having vulnerabilities pointed out so we can address them. It happens on a fairly regular basis with some of the security organizations who publish vulnerabilities out there.

Hi

Would the ARI, and the forwarding ability of follow-me, be a potential route of entry for a dialplan injection, notwithstanding the fact that the ARI is typically protected with nothing more than a 3 digit extension number and a 4 digit numeric password, and you could set any number in there, which was accessible via outbound routes?

If so, would some filtering of the dial strings in the follow-me in the ARI to only allow numerics be sufficient to reduce this potential threat?

Joe

As vulnerabilities get exposed to us we deal with them. It’s one of the great things about open source, lots of eyes.

So the answer is yes if they are not properly validated. One would have to go through the suspected scenarios to check.
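The two points made in this thread, that a caller-supplied value is only dangerous once it is spliced into Dial(), and that a stored number such as a follow-me target must be validated before it gets there, side by side as an added dialplan example. This is not FreePBX stock code; the context names, the trunk name and the variable names are hypothetical.

```ini
; Added example, not FreePBX code. Context and trunk names are hypothetical.

[from-sip-external-weak]
; WEAK: whatever the INVITE requested is spliced straight into the Dial() argument.
; Dial() treats some characters in that argument as separators, so the caller, not
; the administrator, decides what the argument means (the pattern in the article).
exten => _.,1,Dial(SIP/${EXTEN}@provider-trunk,30)

[from-sip-external-hardened]
; 1. Match only values that start with a digit; everything else falls through to the
;    catch-all below and is hung up before any application sees it.
exten => _X.,1,NoOp(Inbound request for ${EXTEN})
; 2. Keep digits only. FILTER() drops every character outside the allowed set.
exten => _X.,n,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
; 3. If filtering changed the value, the request contained non-digits: reject it
;    rather than dialling a "cleaned" version the caller never asked for.
exten => _X.,n,GotoIf($["${SAFE_EXTEN}"!="${EXTEN}"]?reject)
; 4. Hand off to a fixed context, as the stock FreePBX code does, instead of
;    passing the raw value to Dial(). from-trunk decides what the number means.
exten => _X.,n,Goto(from-trunk,${SAFE_EXTEN},1)
exten => _X.,n(reject),Hangup()
exten => _.,1,Hangup()

[followme-dial-hardened]
; The same check applies to numbers that were stored earlier (for example a
; follow-me target entered through a web interface). FM_TARGET is a hypothetical
; variable holding the stored number; validate it at dial time, not only at entry.
exten => s,1,Set(FM_SAFE=${FILTER(0-9,${FM_TARGET})})
exten => s,n,GotoIf($["${FM_SAFE}"!="${FM_TARGET}"]?bad)
exten => s,n,Dial(SIP/${FM_SAFE}@provider-trunk,30)
exten => s,n,Hangup()
exten => s,n(bad),NoOp(Refusing stored follow-me target containing non-digits)
exten => s,n,Hangup()
```

Validating at dial time as well as at entry covers values written by tools that bypass the interface's own input checks.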