Getting to the bottom of a DMS bug


#1 ThoughtPhreaker

    DDP r0x0rz my s0x0rz

  • Members
  • 1,243 posts
  • Gender:Male

Posted 29 October 2013 - 07:06 AM

So after hearing Evan's awesome 1A centrex presentation, I thought I'd look into a switch bug of my own.


Way back in 2007, I discovered a bug on a DMS-100 where if you flashed at just the right time, the switch would let you hold up an ANAC indefinitely. Fun, sure, but really nothing more than a novelty.

So for the longest time, I was trying to figure out: why couldn't you hold up anything else? If you flashed while someone hung up on you, the best you could do was make it wait a few more seconds before sending you to permanent signal. The answer is so simple, I can't believe it took me this long to figure it out:

You can't hold anybody else up because the ANAC isn't going on-hook. When it ends the call, all it's doing in this case is flashing. So I tried this out on a couple DMS lines and sure enough, if one person flashes over, the other person is stuck! They can hang up, sure, but that's about it. No call waiting, no flashing, nothing. Interestingly, this'll actually stop if someone flashes over and then dials a number. It doesn't matter if the call goes through or supervises or whatever. As soon as the other person is done dialing a phone number - even if they just get a reorder or an error message, you can do whatever you want.


What really gets weird is when someone flashes, and then hangs up on you. You still can't do anything! In fact, if you try to flash, it'll just hold you up for longer. Normally after someone hangs up, you've got about ten seconds of nothingness before the switch gets sick of you and boots you over to permanent signal recording. When you flash though, that resets the counter back to zero. So if you flash every ten seconds, you'll just sit at that silence forever.


Anywho, I know, this isn't quite as dramatic as the bugs in the Centrex presentation. This does have some interesting potential, though. If an IVR in the same switch is using an analog line and wants to transfer you, you can effectively block it, and intercept whatever it's trying to call. What I'd really like to know is if this applies to trunks with Q.931 (BRI, PRI related) signaling as well. I *think* there are messages within the standard that allow you to instruct the switch to suspend or transfer a call. Since it's so common for PBXes to use a PRI and transfer you to outside numbers, if this same bug still applies, things could get really interesting!

Just for a proof of concept, attached is a recording of making a call to an ANAC normally, and then holding it up.

Attached file: anac_holdup.wav (369.14KB, 11 downloads)
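The behaviour the post describes after the far end hangs up (a roughly ten-second wait, then routing to the permanent-signal recording, with each hook flash restarting that wait) is a general failure mode: a cleanup timeout that a user-controlled event can reset never expires. The following is an added model, not code from the post or from any DMS-100 software; the ten-second value and the event names are assumptions. It replays a constructed event trace for one line with the timer-reset behaviour the post observed beside a variant where flashes after the far-end disconnect are ignored, so a defender can see why the first keeps the line held and the second releases it on schedule.

```python
"""Model of the hook-flash / disconnect-timer interaction described in the post.

Constructed example: timings are assumptions, not measured DMS-100 values.
"""

PERMANENT_SIGNAL_TIMEOUT = 10.0  # assumed: "about ten seconds" in the post


def simulate(events, end_time, flash_resets_timer):
    """Replay (time, kind) events for one subscriber line after a call.

    kind is "far_hangup" (far end went on-hook) or "flash" (near end hook flash).
    Returns the time at which the switch routes the line to the permanent-signal
    recording, or None if the line is still being held when end_time is reached.
    """
    deadline = None
    for t, kind in sorted(events):
        # The timer may already have fired before this event arrived.
        if deadline is not None and t >= deadline:
            return deadline
        if kind == "far_hangup":
            # Far end went on-hook: start the permanent-signal countdown once.
            if deadline is None:
                deadline = t + PERMANENT_SIGNAL_TIMEOUT
        elif kind == "flash":
            if deadline is not None and flash_resets_timer:
                # Behaviour observed in the post: a flash restarts the countdown,
                # so flashing more often than the timeout holds the line forever.
                deadline = t + PERMANENT_SIGNAL_TIMEOUT
            # Hardened variant: a flash after far-end disconnect is ignored and
            # the countdown keeps running from the original disconnect.
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if deadline is not None and deadline <= end_time:
        return deadline
    return None


def periodic_flashes(start, period, end_time):
    """Constructed trace: the near end flashes every `period` seconds from `start`."""
    out = []
    t = start
    while t <= end_time:
        out.append((t, "flash"))
        t += period
    return out


if __name__ == "__main__":
    hangup = [(5.0, "far_hangup")]
    flashes = periodic_flashes(12.0, 8.0, 60.0)  # faster than the 10 s timeout
    print("no flashes       ->", simulate(hangup, 60.0, True))
    print("flash resets     ->", simulate(hangup + flashes, 60.0, True))
    print("flash ignored    ->", simulate(hangup + flashes, 60.0, False))
```

With the trace above, the no-flash and flash-ignored runs both route the line to permanent signal at 15.0 s, while the timer-reset variant returns None: the deadline is pushed past the end of the trace every time a flash arrives inside the window. The detection angle is the same in either model: a line that has seen a far-end disconnect but whose disconnect timer keeps restarting is the signature to alarm on.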