Severe Security Flaw?

That log is unreadable. Edit your message and repost with a readable log.

This was a PBXtra system bought from Fonality. No Disas or Pin options are available in that version. The company paid a significant amount of money for the PBX and now I route all outbound calls through a Trixbox CE with Pinsets on International calling.

This means there are thousands of vulnarable systems out there. I would like to find out the key combination they used to exploit this.

Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing Set("Zap/7-1", "EXTENSION=5555") in new stack
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing AGI("Zap/7-1", "fon://localhost:4574") in new stack
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- AGI Script fon://localhost:4574 completed, returning 0
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing Dial("Zap/7-1", "/dev/null|20|r") in new stack
Jun 20 22:26:36 WARNING[2905] channel.c: No channel type registered for ''
Jun 20 22:26:36 NOTICE[2905] app_dial.c: Unable to create channel of type '' (cause 66 - Channel not implemented)
Jun 20 22:26:36 VERBOSE[2905] logger.c: == Everyone is busy/congested at this time (1:0/0/1)
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing Goto("Zap/7-1", "s-CHANUNAVAIL|1") in new stack
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Goto (macro-stdexten,s-CHANUNAVAIL,1)
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing Goto("Zap/7-1", "s|11") in new stack
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Goto (macro-stdexten,s,11)
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Executing VoiceMail("Zap/7-1", "u5555") in new stack
Jun 20 22:26:36 VERBOSE[2905] logger.c: -- Playing '/var/spool/asterisk/voicemail/default/5555/unavail' (language 'en')
Jun 20 22:26:38 VERBOSE[2905] logger.c: -- Playing 'beep' (language 'en') Jun 20 22:26:38 VERBOSE[2905] logger.c: -- Recording the message
Jun 20 22:26:38 VERBOSE[2905] logger.c: -- x=0, open writing: /var/spool/asterisk/voicemail/default/5555/tmp/yKnmQ3 format: wav, 0x87e7888
Jun 20 22:26:39 VERBOSE[2905] logger.c: -- User ended message by pressing #
Jun 20 22:26:39 VERBOSE[2905] logger.c: -- Playing 'auth-thankyou' (language 'en')
Jun 20 22:26:40 VERBOSE[2905] logger.c: -- Recording was 1 seconds long but needs to be at least 3 - abandoning
Jun 20 22:26:40 VERBOSE[2905] logger.c: -- Executing Goto("Zap/7-1", "130") in new stack
Jun 20 22:26:40 VERBOSE[2905] logger.c: -- Goto (macro-stdexten,s,130)
Jun 20 22:26:40 VERBOSE[2905] logger.c: -- Executing WaitExten("Zap/7-1", "1") in new stack
Jun 20 22:26:41 VERBOSE[2905] logger.c: -- Timeout on Zap/7-1, continuing...
Jun 20 22:26:41 VERBOSE[2905] logger.c: -- Executing BackGround("Zap/7-1", "vm_message_sent") in new stack
Jun 20 22:26:41 VERBOSE[2905] logger.c: -- Playing 'vm_message_sent' (language 'en')
Jun 20 22:26:50 VERBOSE[2905] logger.c: == CDR updated on Zap/7-1
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Executing GotoIf("Zap/7-1", "0?20") in new stack
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Executing Set("Zap/7-1", "EXTENSION=4232297200") in new stack
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Executing AGI("Zap/7-1", "fon://localhost:4574") in new stack
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- AGI Script fon://localhost:4574 completed, returning 0
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Executing Dial("Zap/7-1", "Zap/g2/0115352690560") in new stack
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Requested transfer capability: 0x00 - SPEECH
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Called g2/0115352690560
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Zap/2-1 is proceeding passing it to Zap/7-1
Jun 20 22:26:50 VERBOSE[9097] logger.c: -- Channel 0/2, span 1 got hangup request
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Zap/2-1 is circuit-busy
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Hungup 'Zap/2-1'
Jun 20 22:26:50 VERBOSE[2905] logger.c: == Everyone is busy/congested at this time (1:0/1/0)
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Executing Dial("Zap/7-1", "Zap/g3/0115352690560") in new stack
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Requested transfer capability: 0x00 - SPEECH
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Called g3/0115352690560
Jun 20 22:26:50 VERBOSE[2905] logger.c: -- Zap/26-1 is proceeding passing it to Zap/7-1 Jun 20 22:28:13 VERBOSE[2905] logger.c: -- Zap/26-1 is ringing
Jun 20 22:28:13 VERBOSE[2905] logger.c: -- Zap/26-1 answered Zap/7-1
Jun 20 22:28:13 VERBOSE[2905] logger.c: -- Attempting native bridge of Zap/7-1 and Zap/26-1

Looking at the logs when in the voicemail for extension 5555 they pressed #

Jun 20 22:26:39 VERBOSE[2905] logger.c: -- User ended message by pressing #

this then dropped them into the std extension macro that was waiting for an extension to be entered rather than hanging up the call

they then dialled the number they required and got connected

so I think at the unavailiable greeting of 5555 they dialed # 0115352690560

This is a system hosted by fonality. Basically its a trixbox Call Center edition that sits in our server room. However Fonality has a VPN connection into our box. They Overwrite our configs from thier servers whenever a change is made. To administer the server you have to goto http://cp.fonality.com to make changes which then overwrite all the files in the asterisk directory.

I was unable to find a general config, but here is a list of the .conf files

key
asterisk.adsi
telcordia-1.adsi
zapata.conf.bak
adsi.conf
adtranvofr.conf
agents.conf
alerts.conf
alsa.conf
asterisk.conf
astwatch.conf
cdr_odbc.conf
cdr_pgsql.conf
enum.conf
extensions.conf
festival.conf
FONmon.conf
iax.conf
indications.conf
internal.conf
logger.conf
manager.conf
meetme.conf
mgcp.conf
modem.conf
modprobe.conf
modules.conf
musiconhold.conf
oss.conf
parking.conf
pbxtra.conf
phone.conf
privacy.conf
queues.conf
rpt.conf
rtp.conf
sip.conf
skinny.conf
smg_bri.conf
voicemail.conf
vpb.conf
woot.conf
zapata.conf
zaptel.conf
sip.conf.default
modules.conf.bak.FONmon
.astwatch.co.swp
permissions.xml
user_recordings.xml
users.xml

Since this is the trixbox CE forum I did not consider pro or PBextra.

Since you paid for those systems I suggest you work with Fonality to resolve the issue. The folks in this forum have no connection to Fonality other than Andrew.

There is also a Pro forum, it was to support the Free version of Pro that does not exist anymore.

Can someone post detailed logs ( core set debug 99 and core set verbose 99) from when this happens.
I'd like to make sure Trixbox CE users are not affected. My thinking is that whatever Fonality put on port 4574 is to blame.

In this situation Even without knowing the VM password they were able to obtain an outside line. I guess Fonalities implimentation is different than CE and therefore it is a flaw of thiers that allows this.

is this a flaw in the normal version too? how do we stop this madness!

[ticket.fonality.com #1488432] Server ID 6652: Software - Receiving Abusive or SPAM Calls

Dear Larry Casey:

Thank you for your recent contact with the Fonality Support Team (Ticket ID: 1488432). Our records indicate that further action/response is needed on your part before we can proceed with the resolution of this service request.

Below, you will find the last correspondence from Fonality Support sent on 2010-06-30.

-----LAST MESSAGE BELOW-----

Larry;

My apologies for the delay.

It appears that our engineering has already been aware of this, and have resolved the issue on our next release (I was able to confirm that).

We are slated to release this in July (hopefully).

If you would still like to go over the information you found, let me know.

I would also like to mention that you may be receiving a survey from us regarding your experience with this issue. This survey reflects back on my performance and we appreciate any feedback you can give us.

Thank you for your time,

Garth Nysschens
Fonality Support
866-FONALITY
PBXtra Press 1
Trixbox Press 2

Have you seen our knowledge base lately?
http://help.pbxtra.com/
http://help.trixbox.com/
http://learn.fonality.com/

The Fonality Team
Fonality, Inc.