Summary:ASTERISK-09872: Important vulnerability after native transfer: the transferred gets context privileges
Reporter:IƱaki Baz Castillo (ibc)Labels:
Date Opened:2007-07-13 03:47:15Date Closed:2007-09-01 16:04:13
Versions:Frequency of
Description:Any common company using a PBX needs:

- Calls between local users can be transferred in both directions --> tT
- Outgoing calls can be transferred just by the local caller --> T

In Asterisk this is a simple context/dialplan for that common need:


; In internal calls we want bidirectional transfer -> tT
exten => _2XX,1,Dial(SIP/${EXTEN}|60|tT)

; In outgoing calls we just want transfer by the caller (us) -> T
exten => _6XXXXXXXX,1,Dial(Zap/1/${EXTEN}|60|T)

This means: we DON'T want that a external called could transfer us.

Now imagine this common scenary:

- SIP/200 calls to a mobile 666777888
   Dial("SIP/200", "Zap/1/666777888|60|T")

- They speak for a while and 200 wants to transfer him to 201. 200 can transfer because the Dial had "T". It doesn't matter if the transfer is blind or attended:
   Transferring Zap/1-1 to '201' (context users) priority 1
   Dial("Zap/1-1", "SIP/201|60|tT") in new stack    <--- **** "tT" !!! ****
   -- Called 201

- 201 answers and starts a conversation with 666777888.
The BIG vulnerability is that now the mobile CAN transfer by pressing the DTMF code of features.conf for blind/attended trasference:
   Started music on hold, class 'default', on SIP/201
   -- <Zap/1-1> Playing 'pbx-transfer' (language 'en')   <------ !!!!!!!!

This means that the remote called can transfer us by calling to any number available in [users] context, that generally are all the numbers in the world.
This is a important issue that can cost money for people/companies using Asterisk.

I've checked this bug and more people has done it in their Asterisk. You can check it just with the simple dialplan of above that I think is very common.

A solution could be to check the Dial parameters after a native transfer and sure that the called doesn't get privileges it shouldn't have.

Hope a solution for this. Best regards.

****** STEPS TO REPRODUCE ******

Explained in the description, just modify the dialplan of [users] context for your enviroment.