Digium Asterisk Manager Command Execution (May 17, 2012)
Asterisk is a software implementation of a telephone private branch exchange (PBX). Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services including the public switched telephone network (PSTN) and Voice over Internet Protocol (VoIP) services. Asterisk is released under a dual license model, using the GNU General Public License (GPL) as a free software license and a proprietary software license to permit licensees to distribute proprietary, unpublished system components.
Asterisk supports a wide range of video and Voice over IP protocols, including the Session Initiation Protocol (SIP), the Media Gateway Control Protocol (MGCP), and H.323. Asterisk can interoperate with most SIP telephones, acting both as registrar and as a gateway between IP phones and the PSTN.
The Asterisk Manager Interface (AMI) protocol is a very simple protocol that allows a client to communicate with and manage almost every aspect of an Asterisk server. AMI allows a client program to connect to an Asterisk instance and issue commands or read events over a TCP/IP stream. AMI defines three kinds of packets:
- Actions: This kind of packet is what the client sends. Only the client can generate Actions.
- Responses: Actions have at least one Response, indicating the result of the executed (or requested) action.
- Events: There are two kinds of events: those attached to a particular response for a particular action, and those that Asterisk generates to inform the connected client about things happening in the server (such as call events, changes in variable values, and agents or other clients connecting to or disconnecting from the server).
A typical action is the Login action, which looks like this ([CRLF] represents the carriage return and line feed characters; the packet is terminated by an empty line):
Action: Login[CRLF]
Username: admin[CRLF]
Secret: mysecret[CRLF]
ActionId: 1a2b[CRLF]
[CRLF]
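As an added illustration of the packet framing described above (example code written for this page, not code from the original advisory or from Asterisk itself), the following Python parser splits a raw AMI stream on the empty-line terminator and classifies each packet as an Action, Response or Event. The Login packet is the one shown above; the Response and the partial Event are constructed sample data.

```python
from typing import Dict, List, Tuple

CRLF = "\r\n"
Packet = Dict[str, str]

def build_packet(fields: List[Tuple[str, str]]) -> str:
    """Serialize ordered header/value pairs as one AMI packet; an empty line ends it."""
    return "".join(f"{key}: {value}{CRLF}" for key, value in fields) + CRLF

def parse_stream(data: str) -> Tuple[List[Packet], str]:
    """Split a raw AMI stream into complete packets.

    Returns (packets, remainder). The remainder is a trailing packet whose
    terminating empty line has not arrived yet; prepend it to the next read.
    """
    packets: List[Packet] = []
    while True:
        end = data.find(CRLF + CRLF)
        if end == -1:
            return packets, data
        raw, data = data[:end], data[end + len(CRLF) * 2:]
        packet: Packet = {}
        for line in raw.split(CRLF):
            if not line:
                continue
            # Split on the first ':' only, since values themselves may contain ':'.
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed AMI header line: {line!r}")
            packet[key.strip()] = value.strip()
        if packet:
            packets.append(packet)

def packet_kind(packet: Packet) -> str:
    """Map a packet to one of the three AMI packet kinds by its leading header."""
    first = next(iter(packet), "")  # dicts keep insertion order (Python 3.7+)
    return {"Action": "action", "Response": "response", "Event": "event"}.get(first, "unknown")

# Constructed sample exchange: the Login action from the text, a server Response,
# and the start of an Event whose terminating empty line has not been received yet.
SAMPLE_STREAM = (
    build_packet([("Action", "Login"), ("Username", "admin"),
                  ("Secret", "mysecret"), ("ActionId", "1a2b")])
    + build_packet([("Response", "Success"), ("ActionId", "1a2b"),
                    ("Message", "Authentication accepted")])
    + "Event: Newchannel" + CRLF + "Channel: SIP/1001-00000001" + CRLF
)
```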
A security bypass vulnerability exists in Digium Asterisk. If Asterisk receives a specially crafted action request from a user, it may allow that unauthorized user to execute administrator commands. A remote, authenticated attacker could exploit this vulnerability to compromise a vulnerable Asterisk server.
The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signature to detect attacks targeting this issue:
- 7839 Digium Asterisk Manager Interface Remote Command Execution
This vulnerability has been assigned the identifier CVE-2012-2414.