CVE-2010-0685
Published: 23 February 2010
The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available.
Notes
Author | Note |
---|---|
jdstrand | According to upstream, this is not a code vulnerability but a configuration/best practice/documentation issue. From AST-2010-002.html: "One resolution is to wrap the ${EXTEN} channel variable with the FILTER() dialplan function to only accept characters which are expected by the dialplan programmer. The recommendation is for this to be the first priority in all contexts defined as incoming contexts in the channel driver configuration files." asterisk 1.4 and higher have FILTER(), but 1.2 needs a patch |