Micro Registration Utility Dialplan Injection Vulnerability Allowing Call Redirection
Vulnerability
A vulnerability in the Micro Registration Utility (µURU) telephone self-registration tool, which is based on Asterisk, has been identified. In versions prior to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, the application allows an attacker to inject special characters into the 'Dial()' application due to inadequate input validation. This injection can be exploited to redirect calls on both federating instances. The vulnerability requires an admin to accept the federation requests.
Impact
Exploitation of this vulnerability allows unauthorized call redirection on both federating instances. The injected text reaches the Asterisk 'Dial' application, where the attacker-controlled extension can manipulate call routing and potentially intercept calls.
Reproduction
To reproduce this vulnerability, create a federation with a name that includes special characters such as '&' and a payload like '${PJSIP_DIAL_CONTACTS(4444)}'. When a call is made to an extension that contacts the federating instance, Asterisk will attempt to dial both the injected IAX2 peer and the PJSIP extension simultaneously. This will redirect calls intended for the federating instance to the local extension '4444', effectively allowing interception of those calls.
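The root cause described above is untrusted federation-name text being interpolated into a Dial() argument, where '&' separates multiple channels and '${...}' triggers dialplan substitution. The following Python is an added, hypothetical illustration (not µURU's own code) of the vulnerable pattern beside a whitelist-based validator; the `IAX2/<peer>/<exten>` dial-string shape is assumed for the example.

```python
import re

# Constructed test value modelled on the advisory's reproduction section.
MALICIOUS_NAME = "peer&${PJSIP_DIAL_CONTACTS(4444)}"

# Hypothetical whitelist for a federation name: starts alphanumeric, then
# letters, digits, '_', '.' or '-', at most 64 characters. Everything that
# carries meaning inside Dial() ('&', '$', '{', '}', ',', '|', '/') is excluded.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


class InvalidFederationName(ValueError):
    """Raised when a federation name fails the whitelist."""


def build_dial_unsafe(federation_name: str, extension: str) -> str:
    """Vulnerable pattern: untrusted name interpolated straight into Dial()."""
    return f"Dial(IAX2/{federation_name}/{extension},30)"


def validate_federation_name(name: str) -> str:
    """Reject any name outside the whitelist instead of trying to escape it."""
    if not SAFE_NAME.fullmatch(name):
        raise InvalidFederationName(f"rejected federation name: {name!r}")
    return name


def build_dial_safe(federation_name: str, extension: str) -> str:
    """Hardened builder: validate both inputs before touching the dialplan."""
    name = validate_federation_name(federation_name)
    if not extension.isdigit():
        raise ValueError(f"extension must be numeric: {extension!r}")
    return f"Dial(IAX2/{name}/{extension},30)"


def is_rejected(federation_name: str) -> bool:
    """True if the hardened builder refuses this name (helper for checks/tests)."""
    try:
        build_dial_safe(federation_name, "100")
    except InvalidFederationName:
        return True
    return False


def looks_injected(dial_string: str) -> bool:
    """Detection heuristic for generated dial strings: a second channel
    ('&') or a substitution expression ('${') in the peer portion."""
    peer = dial_string.split("/", 1)[-1]
    return "&" in peer or "${" in peer
```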
Remediation
No known patched version of µURU is available as of the publication date.