ALERT Security Hole in Dial Plan

progs_00 (Active Member):
Sorry for returning to this, but I want to be absolutely sure I'm doing things right. Since the patch is out, does that mean we can set the outbound trunk options to whatever we want (including Tt), or must they always remain empty?

wardmundy (Nerd Uno):
Not unless you've installed the latest core module.

progs_00 (Active Member):
Ouch!!!! In other words, you either have the latest core module, or otherwise you must leave the outbound trunk completely empty to be safe. What a mess!!!

wardmundy (Nerd Uno):
How many people actually need a called party to be able to transfer calls within your PBX? I would think that's a fairly small subset of users.

The danger scenario also presupposes that (1) you have *2 activated on your PBX and (2) a bad guy actually receives a call from your PBX. Only then could he actually transfer that call without your knowing about it.

I guess the IRS Scam would give the bad guy the necessary access assuming someone was stupid enough to respond to one of these calls from a phone on their PBX:

https://api.ringplus.net/uploads/audio/voicemail_message/42539511-ca48-4504-b16c-2412be7e903b.wav

That's easily remedied by disabling the In-Call Asterisk Attended Transfer *2 feature code.

[attached image: the-sky-is-falling.jpg]

progs_00 (Active Member):
In fact, I immediately disabled *2 AND ## on my PBX. However, from what I've read, there's actually no need for the bad guy to receive a call from you. He just calls, you or your IVR answer, and then he can press *2 or ## and call whatever he wants. Isn't that the case?
Because if it is the way you describe it, it's a lot less dangerous than I thought.

wardmundy (Nerd Uno):
@progs_00 If you have applied and/or received the Incredible PBX patch from the previous page, then the Dial Options are set to tr which means that, for calls ringing internal phones, only the called party can transfer a call. The Trunk Options are set to blank which means neither party can transfer a call when a call is handled by an Outbound trunk. Again, *2 is the problem because when the bad guy has permissions to transfer a call, it means he can do a transfer without the other party hearing what's going on. With ##, if the bad guy has permissions, he still could transfer the call, but the other party would hear what was going on and would know the call was being transferred. Thus, the victim need only hang up.

And, no, in more recent versions of FreePBX, you can't transfer a call while an IVR session is underway. IVRs respond to one digit keypresses only.
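Ward's description of the tr / blank settings, turned into a small audit script. This is an added example, not code from the thread or from Incredible PBX/FreePBX: it parses Dial() calls in a constructed extensions.conf-style sample, resolves ${VAR} references in the options field from [globals], and flags any call leg that grants transfer rights to the remote party. The DIAL_OPTIONS/DIAL_TRUNK_OPTIONS variable names and the "dialout" context naming are assumptions.

```python
import re

# Asterisk Dial() transfer options the thread is about: 't' lets the called party transfer
# the call, 'T' lets the calling party. Whoever holds one can use *2 / ## on your PBX.
TRANSFER_FLAGS = {"t": "called party may transfer", "T": "calling party may transfer"}

DIAL_RE = re.compile(r"Dial\(([^)]*)\)", re.IGNORECASE)  # option args with ')' not handled
CONTEXT_RE = re.compile(r"^\[([^\]]+)\]")
GLOBAL_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def dial_options(args: str, globals_: dict) -> str:
    """Return the options field of a Dial() call, with ${VAR} resolved from [globals]."""
    fields = args.split(",")
    opts = fields[2] if len(fields) > 2 else ""
    return re.sub(r"\$\{(\w+)\}", lambda v: globals_.get(v.group(1), ""), opts).strip()


def audit_dialplan(text: str, trunk_marker: str = "dialout") -> list:
    """Flag Dial() calls that hand transfer rights to a remote party.
    Policy from the thread: internal legs may carry 't' (only your own called phone can
    transfer), 'T' is never wanted, and outbound trunk legs carry neither. A context whose
    name contains trunk_marker is treated as a trunk leg (assumed FreePBX-style naming)."""
    globals_, context, findings = {}, "", []
    for line in text.splitlines():
        line = line.strip()
        if m := CONTEXT_RE.match(line):
            context = m.group(1)
        elif context == "globals" and (m := GLOBAL_RE.match(line)):
            globals_[m.group(1)] = m.group(2).strip()
        for m in DIAL_RE.finditer(line):
            opts = dial_options(m.group(1), globals_)
            for flag in opts:
                if flag == "T" or (flag == "t" and trunk_marker in context):
                    findings.append((context, opts, TRANSFER_FLAGS[flag]))
    return findings


# Constructed sample: the weak settings beside the settings the patch applies.
SAMPLE_DIALPLAN = """[globals]
DIAL_OPTIONS = Tt
DIAL_TRUNK_OPTIONS = Tt
[from-internal]
exten => 100,1,Dial(SIP/100,20,${DIAL_OPTIONS})
[macro-dialout-trunk]
exten => s,1,Dial(SIP/mytrunk/${OUTNUM},300,${DIAL_TRUNK_OPTIONS})
[from-internal-fixed]
exten => 100,1,Dial(SIP/100,20,tr)
[macro-dialout-trunk-fixed]
exten => s,1,Dial(SIP/mytrunk/${OUTNUM},300,)
"""
```

Running audit_dialplan(SAMPLE_DIALPLAN) reports the two weak contexts only; the "-fixed" contexts (tr internally, nothing on the trunk) come back clean.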

progs_00 (Active Member):
Thank you very, very much, Ward. This is crystal clear now.