Thursday, May 20, 2021

Asterisk and importance of filtering of numbers dialed

 Recently my collegaue found an interesting vector of possible attacks on Asterisk.

Imagine having following construction

[endpoints]

exten => _X.,1,GoTo(check_rights,${EXTEN},1)

....

[check_rights]

exten => _X.,1,AGI(my_check.agi)

 same => 2,GoTo(all_ok,${EXTEN},1)


I know, looks a bit dully, but quite common situation. You may believe, that all calls from [endpoints] context will bypass your script of checking auth. my_check.agi, actually.

But imagine calling not to 12345, for example, but 12345,2

What will happen, that line

exten => _X.,1,GoTo(check_rights,${EXTEN},1)

will evaluate to

Goto("PJSIP/anonymous-00000579", "check_rights,12345,2,1") 

So, you can attach desired priority to your number and in example above - just bypass auth.

I'm not saying it's very common case, but don't forget to use something like FILTER

Possible good idea would be using something like

GoToIf($[ "${EXTEN}" == "${FILTER(+0-9,${EXTEN})}" ]?number_ok:number_not_ok)

to filter only + and digits.