System information

A call like this is an attempt at exploiting a dialplan injection vulnerability. In the previous extension definition, once ${EXTEN} has been evaluated, the actual Dial() statement that will be executed is:
exten => _X.,1,Dial(IAX2/otherserver/1234&DAHDI/g1/12565551212,30)
If the system has a PRI configured, this call will cause a call to go out on the PRI to a
number chosen by the attacker, even though you did not explicitly grant access to the
PRI to that caller. This problem can quickly cost you a whole lot of money.
There are (at least) two approaches for avoiding this problem. The first and easiest approach is to always use strict pattern matching. If you know the length of the extensions you are expecting and expect only numeric extensions, use a strict numeric pattern match. For example, this would work if you are expecting four-digit numeric extensions only:
exten => _XXXX,1,Dial(IAX2/otherserver/${EXTEN},30)
The other approach to mitigating dialplan injection vulnerabilities is to use the FILTER() dialplan function. Perhaps you would like to allow numeric extensions of any length. FILTER() makes that easy to achieve safely.
exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})
same => n,Dial(IAX2/otherserver/${SAFE_EXTEN},30)
For more information about the syntax for the FILTER() dialplan function, see the output of the core show function FILTER command at the Asterisk CLI.
Tip #8: Be wary of dialplan injection vulnerabilities. Use strict pattern matching or use
the FILTER() dialplan function to avoid these problems.
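As an added example (not code from the book), the following Python models how the three dialplans above treat the injected extension from the text: a minimal imitation of Asterisk pattern matching and of FILTER() is assumed, and the extension string is the constructed sample from the text, not captured traffic.

```python
import re

# Minimal model of Asterisk extension pattern matching ("_" prefix; X = 0-9,
# N = 2-9, Z = 1-9, "." = one or more characters, anything else literal).
def pattern_matches(pattern: str, exten: str) -> bool:
    if not pattern.startswith("_"):
        return pattern == exten
    parts = {"X": "[0-9]", "N": "[2-9]", "Z": "[1-9]", ".": ".+"}
    regex = "".join(parts.get(ch, re.escape(ch)) for ch in pattern[1:])
    return re.fullmatch(regex, exten) is not None

# Model of the FILTER(allowed,value) dialplan function: characters not in the
# allowed set (ranges written a-b, e.g. "0-9") are dropped.
def dialplan_filter(allowed: str, value: str) -> str:
    keep, i = set(), 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            keep.update(chr(c) for c in range(ord(allowed[i]), ord(allowed[i + 2]) + 1))
            i += 3
        else:
            keep.add(allowed[i])
            i += 1
    return "".join(c for c in value if c in keep)

def dial_string(exten: str) -> str:
    # ${EXTEN} substituted into Dial(IAX2/otherserver/${EXTEN},30)
    return f"Dial(IAX2/otherserver/{exten},30)"

def vulnerable_dialplan(exten: str):
    """exten => _X.,1,Dial(IAX2/otherserver/${EXTEN},30)"""
    return dial_string(exten) if pattern_matches("_X.", exten) else None

def strict_pattern_dialplan(exten: str):
    """exten => _XXXX,1,Dial(IAX2/otherserver/${EXTEN},30)"""
    return dial_string(exten) if pattern_matches("_XXXX", exten) else None

def filtered_dialplan(exten: str):
    """exten => _X.,1,Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})}); same => n,Dial(...)"""
    if not pattern_matches("_X.", exten):
        return None
    return dial_string(dialplan_filter("0-9", exten))

# Constructed sample input: the injected extension shown in the text.
INJECTED_EXTEN = "1234&DAHDI/g1/12565551212"

if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable_dialplan),
                     ("strict _XXXX", strict_pattern_dialplan),
                     ("FILTER(0-9)", filtered_dialplan)]:
        print(f"{name:14} -> {fn(INJECTED_EXTEN)}")
```

Note that FILTER() keeps the call on the intended IAX2 channel by stripping the "&DAHDI/..." part, but the remaining digits are still caller-supplied; where the expected length is known, the strict pattern rejects the call outright.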
Securing Asterisk Network APIs
FastAGI and the AMI are two network-based APIs commonly used in Asterisk deployments. For more details on AGI, see Chapter 21. For more information on the AMI, see Chapter 20.
In the case of FastAGI, there is no encryption or authentication available. It is up to
you as the administrator to ensure that the only communication allowed to the FastAGI
server is from Asterisk.
The AMI protocol includes authentication, but it is very weak. Further, the data exchanged via the AMI is often sensitive from a privacy standpoint. It is critical to secure AMI connectivity. It is best to only expose the AMI on trusted networks. If it must be exposed to an untrusted network, we recommend only allowing connections using SSL.
It is critical to understand what power the AMI provides. If an AMI user is granted all
permissions that are available, that user will be able to run arbitrary commands on your
system. If the account has the ability to update configuration files, it will be able to add
572 | Chapter 26: Security