[Freeswitch-users] Dial String Inject in FreeSwitch

Giovanni Maruzzelli gmaruzz at celliax.org
Mon Feb 22 10:20:37 PST 2010


Thanks a lot, Eder.

If you feel like it, you can add a paragraph yourself, and then we'll edit it
if necessary.

Just let us know.

-giovanni

On Mon, Feb 22, 2010 at 6:45 PM, Eder Souza <ederwander at gmail.com> wrote:
> Link Down :-)
>
> I'd be thankful if somebody created a wiki page with this alert.
>
>
> Eng Eder de Souza
>
> On Mon, Feb 22, 2010 at 2:39 PM, Eder Souza <ederwander at gmail.com> wrote:
>>
>> Yeah, can somebody make a wiki page for this alert??
>>
>>
>> I'm taking my link page down now to prevent these problems!!
>>
>> OK
>>
>> On Mon, Feb 22, 2010 at 2:26 PM, Giovanni Maruzzelli <gmaruzz at celliax.org>
>> wrote:
>>>
>>> Eder,
>>>
>>> If you fear people can do such *really stupid* things, and this is
>>> nice of you, please add something to the wiki, for example a
>>> paragraph in the dialplan page, or whatever, explaining why this is a
>>> stupid thing.
>>>
>>> If you publish a page in your blog that looks like a security alert,
>>> or that says you found a security flaw in FS, people will rightly think
>>> that you are just looking for some attention in the search engines,
>>> and to bring viewers to your page.
>>>
>>> Also, in doing so, you push non-technical people to think there is a
>>> security problem in FS, and this is really a big damage to the
>>> project. Because it is not true; it is just how it looks in your
>>> page.
>>>
>>> So, delete that page, and add something to the wiki, if you care about
>>> telling people not to do stupid things.
>>>
>>> But please, be aware that your page, the page you published, is really
>>> something that does damage and puts a bad light on the project, and there
>>> is no reason for doing this.
>>>
>>> -giovanni
>>>
>>>
>>>
>>> On Mon, Feb 22, 2010 at 6:09 PM, Eder Souza <ederwander at gmail.com> wrote:
>>> > I prefer FreeSWITCH; I left Asterisk.
>>> >
>>> > FreeSWITCH is much, much better than Asterisk in my opinion!!
>>> >
>>> >
>>> > My intention is just to say: don't use (.*), (.+) or combinations of these
>>> > regular expressions; for me, FreeSWITCH is the better one!!
>>> >
>>> >
>>> >
>>> > On Mon, Feb 22, 2010 at 1:47 PM, Anthony Minessale
>>> > <anthony.minessale at gmail.com> wrote:
>>> >>
>>> >> To me it sounds like a way to sound the alarms and bring negative
>>> >> attention.
>>> >>
>>> >> For instance, if you were sincerely concerned, you could have told us
>>> >> about your discovery privately first, and we could feature a story on
>>> >> our own site warning people of this danger and reminding them how to
>>> >> compose extensions properly.
>>> >>
>>> >> The posting was instead made like a big public announcement calling
>>> >> our software "imperfect".
>>> >> Yes, it is imperfect; it can't properly detect someone being a moron
>>> >> 100% of the time, but it sure tries its darndest.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Mon, Feb 22, 2010 at 10:33 AM, Eder Souza <ederwander at gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Anthony, I don't see why??
>>> >>>
>>> >>>
>>> >>> This is just an alert for the whole community about the danger in the use of
>>> >>> the regular expressions (.*) or (.*) ...
>>> >>>
>>> >>> Many people can make dialplans with the use of these expressions ...
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Mon, Feb 22, 2010 at 1:19 PM, Anthony Minessale
>>> >>> <anthony.minessale at gmail.com> wrote:
>>> >>>>
>>> >>>> Please do not use our project to try to make your blog more popular.
>>> >>>>
>>> >>>> Your example requires you to prepare an intentional, specific
>>> >>>> extension on the FreeSWITCH custom made for your attack. It's like saying
>>> >>>> that if you leave your door wide open at your house and call and tell
>>> >>>> someone, they can come and rob you at 8:30.
>>> >>>>
>>> >>>> This extension is also vulnerable "by virtue of the stupidity of the
>>> >>>> composer":
>>> >>>>
>>> >>>> <extension name="please-hack-me">
>>> >>>>   <condition>
>>> >>>>     <action application="system" data="${destination_number}"/>
>>> >>>>   </condition>
>>> >>>> </extension>
>>> >>>>
>>> >>>> You should not allow tainted data from outside the system to be fed
>>> >>>> directly into your code. There is a regex system in place to extract
>>> >>>> legitimate data from the user-tainted input and safeguard against this.
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Mon, Feb 22, 2010 at 9:58 AM, Eder Souza <ederwander at gmail.com>
>>> >>>> wrote:
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> http://ederwander.wordpress.com/2010/02/22/dial-string-inject-in-freeswitch/
>>> >>>>>
>>> >>>>> Just for your information, I wrote this article on my tests for
>>> >>>>> injections in FreeSWITCH.
>>> >>>>>
>>> >>>>> Version used for my tests:
>>> >>>>>
>>> >>>>> freeswitch at internal> version
>>> >>>>> FreeSWITCH Version 1.0.5-20100218-0400 (hacked)
>>> >>>>> freeswitch at internal>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> _______________________________________________
>>> >>>>> FreeSWITCH-users mailing list
>>> >>>>> FreeSWITCH-users at lists.freeswitch.org
>>> >>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> >>>>>
>>> >>>>>
>>> >>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> >>>>> http://www.freeswitch.org
>>> >>>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> Anthony Minessale II
>>> >>>>
>>> >>>> FreeSWITCH http://www.freeswitch.org/
>>> >>>> ClueCon http://www.cluecon.com/
>>> >>>> Twitter: http://twitter.com/FreeSWITCH_wire
>>> >>>>
>>> >>>> AIM: anthm
>>> >>>> MSN:anthony_minessale at hotmail.com
>>> >>>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
>>> >>>> IRC: irc.freenode.net #freeswitch
>>> >>>>
>>> >>>> FreeSWITCH Developer Conference
>>> >>>> sip:888 at conference.freeswitch.org
>>> >>>> iax:guest at conference.freeswitch.org/888
>>> >>>> googletalk:conf+888 at conference.freeswitch.org
>>> >>>> pstn:+19193869900
>>> >>>>
>>> >>>>
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Sincerely,
>>>
>>> Giovanni Maruzzelli
>>> Cell : +39-347-2665618
>>>
>>
>
>
>
>



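The point argued in this thread, that the dialplan's condition regex is what turns a caller-controlled dial string into a safe value, is shown below as an added example. It is not from the thread or from the FreeSWITCH project: the first extension repeats the deliberately unsafe shape quoted above, and the second is one way to write it so that only a validated capture reaches the action. The script path /usr/local/bin/page-extension.sh is a hypothetical stand-in for whatever the system action would run.

```xml
<!-- Added example, not from the thread or the FreeSWITCH project. -->

<!-- WEAK: no field/expression on the condition, so it always matches and
     the whole caller-supplied destination_number is handed to a shell by
     the system application. Whatever the far end puts in the dialed
     string is executed verbatim. -->
<extension name="please-hack-me">
  <condition>
    <action application="system" data="${destination_number}"/>
  </condition>
</extension>

<!-- HARDENED: the condition matches only a string that is exactly four
     digits and exposes that capture as $1. A dial string that fails the
     regex never reaches the action, and the action only ever sees the
     captured digits, never the raw variable.
     /usr/local/bin/page-extension.sh is a hypothetical script path. -->
<extension name="page-extension">
  <condition field="destination_number" expression="^(\d{4})$">
    <action application="system" data="/usr/local/bin/page-extension.sh $1"/>
  </condition>
</extension>
```

After a `reloadxml` in fs_cli, a call whose dialed string is anything other than four digits simply fails the condition and falls through to the following extensions, so the script can only ever be invoked with a four-digit argument. The same discipline applies to any action whose data is assembled from the dialed number, whether that is a shell command or a bridge dial string: match with an anchored, specific pattern and pass on the capture, not `${destination_number}` itself, and avoid catch-alls like (.*) or (.+) for anything that ends up in a command or dial string.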