[Freeswitch-users] Dial String Inject in FreeSwitch

Anthony Minessale anthony.minessale at gmail.com
Mon Feb 22 09:24:37 PST 2010


correct,

You could write a CGI for apache too that could let someone figure out how
to download the root password.

By default, nobody should trust the data supplied by the outside user.
FreeSWITCH cannot do this for you or the limitations would impair desired
functionality.

All you have to do is look for a digit sequence in your dial string.
Moreover you need to make sure even then that it's safe to pass this digit
string to the provider.
Here in USA we share the 1 country code with several other countries that
could cost 50 cents to a dollar a minute.
So you are not even safe when you made sure it's a number.



On Mon, Feb 22, 2010 at 11:09 AM, Eder Souza <ederwander at gmail.com> wrote:

> i prefer FreeSwitch im left Asterisk
>
> FreeSwitch is Very Very betther then Asterisk in my option !!
>
>
> my intention is just say dont use (.*), (.+)  or combinations of this
> regular expressions, for me FreeSwitch is the betther  !!
>
>
>
>
> On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale <
> anthony.minessale at gmail.com> wrote:
>
>> To me it sounds like a way to sound the alarms and bring negative
>> attention.
>>
>> For instance, if you were sincerely concerned, you could have told us
>> about your discovery privately first, and we could feature a story on our
>> own site warning people of this danger and reminding them how to compose
>> extension properly.
>>
>> The posting was instead made like a big public announcement calling our
>> software "imperfect".
>> Yes it is imperfect, It can't properly detect someone being a moron 100%
>> of the time but it sure tries it's darndest.
>>
>>
>>
>>
>>
>> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com>wrote:
>>
>>> Antony i dont see why ??
>>>
>>>
>>> this is just one alert for all comunity of danger in the use of regular
>>> expression (.*) or (.*) ...
>>>
>>> many peoples can make dialplans witch use of this expressions ...
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale <
>>> anthony.minessale at gmail.com> wrote:
>>>
>>>> Please do not use our project to try to make your blog more popular.
>>>>
>>>> Your example requires you to prepare an intentional specific extension
>>>> on the FreeSWITCH custom made for your attack. It’s like saying if you leave
>>>> your door wide open at your house and call and tell someone, they can come
>>>> and rob you at 8:30.
>>>>
>>>> This extension is also vulnerable “by virtue of the stupidity of the
>>>> composer”
>>>>
>>>> <extension name=”please-hack-me”/>
>>>>   <condition>
>>>>    <action application=”system” data=”${destination_number}”/>
>>>>   </condition>
>>>> </extension>
>>>>
>>>> You should not allow tainted data from outside system to be fed directly
>>>> into your code. There is a regex system in place to extract legitimate data
>>>> from the user tainted input and safeguard against this.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>   On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com>wrote:
>>>>
>>>>>
>>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>>>>
>>>>> just for yours informations i write this article my test for injections
>>>>> in freesitch
>>>>>
>>>>> version of my tests
>>>>>
>>>>> freeswitch at internal> version
>>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>>>>> freeswitch at internal>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Anthony Minessale II
>>>>
>>>> FreeSWITCH http://www.freeswitch.org/
>>>> ClueCon http://www.cluecon.com/
>>>> Twitter: http://twitter.com/FreeSWITCH_wire
>>>>
>>>> AIM: anthm
>>>> MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
>>>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
>>>> IRC: irc.freenode.net #freeswitch
>>>>
>>>> FreeSWITCH Developer Conference
>>>> sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
>>>> iax:guest at conference.freeswitch.org/888
>>>> googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
>>>> pstn:+19193869900
>>>>
>>>> _______________________________________________
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>> _______________________________________________
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>>
>> --
>> Anthony Minessale II
>>
>> FreeSWITCH http://www.freeswitch.org/
>> ClueCon http://www.cluecon.com/
>> Twitter: http://twitter.com/FreeSWITCH_wire
>>
>> AIM: anthm
>> MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
>> IRC: irc.freenode.net #freeswitch
>>
>> FreeSWITCH Developer Conference
>> sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
>> iax:guest at conference.freeswitch.org/888
>> googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
>> pstn:+19193869900
>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>


-- 
Anthony Minessale II

FreeSWITCH http://www.freeswitch.org/
ClueCon http://www.cluecon.com/
Twitter: http://twitter.com/FreeSWITCH_wire

AIM: anthm
MSN:anthony_minessale at hotmail.com <MSN%3Aanthony_minessale at hotmail.com>
GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com<PAYPAL%3Aanthony.minessale at gmail.com>
IRC: irc.freenode.net #freeswitch

FreeSWITCH Developer Conference
sip:888 at conference.freeswitch.org <sip%3A888 at conference.freeswitch.org>
iax:guest at conference.freeswitch.org/888
googletalk:conf+888 at conference.freeswitch.org<googletalk%3Aconf%2B888 at conference.freeswitch.org>
pstn:+19193869900
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100222/6c7fa474/attachment-0002.html 


More information about the FreeSWITCH-users mailing list