ALERT Grandstream UCM6100 PBX

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
At the moment, it's a closed box. Time will tell. As for the Utilite, many have tried to unseat the Raspberry Pi. We will see. Doesn't sound like $99 will buy you much. And when you get to $200-$250, there are lots of Atom-based "real PCs" to choose from.
 

wardmundy

Just an update on the inability to register a trunk from a remote Asterisk server...

We've already heard back from the Product Manager and Manager of Software Engineering of the IP PBX Group at Grandstream. It's been assigned for someone to figure out what the problem is and find a solution. They agree with the need for the functionality. 6 hour response time from the head of the group making the box! Can't ask for any better support than that. :clap:
 

jmcman

Guru
Joined
May 28, 2013
Messages
112
Reaction score
13
That's fantastic they actually listen! :biggrin:

I look forward to seeing it evolve a little bit into something maybe not so closed? :beta1:
 

wardmundy

SECURITY ALERT: If you have a UCM61xx PBX, put it behind a hardware-based firewall with NO INTERNET PORT EXPOSURE immediately! Leave it there!

As Tony has pointed out, you are further advised to either disconnect all PSTN lines or do not use IVRs!

I've explained why in this note to Grandstream:

Just wanted to give you a heads up on a fairly serious security vulnerability in the UCM with the currently suggested SIP registration procedure from a remote Asterisk server. Let's say there is an extension 5000 on your UCM PBX with a password of 1234. On any remote Asterisk server with the IP address of any UCM, create a trunk as was suggested in the response to me on your forum...

Also create an Outbound Route on the remote Asterisk server that routes dialed calls to extension 7000 on the remote Asterisk server to its trunk 5000 which points to the UCM. The trunk should be created like what your staff posted but with my extension settings:

1. This part is added into [general] section:
register => 5000:5000@ucm_server_address/5000

2. Add the following in sip.conf too.
[5000]
type=friend
host=ucm_server_address
username=5000
secret=5000
disallow=all
allow=ulaw
allow=alaw
insecure=very
dtmfmode=rfc2833
canreinvite=no
fromdomain=ucm_server_address

You will note that the password entered on the remote Asterisk server for 5000 does NOT match the password configured for extension 5000 on the UCM so the actual registration to the UCM from the remote server will fail. In short, this could be set up by anyone in the world that knows nothing more than the IP address of your UCM and guesses you probably have an extension 5000 which is the default first extension entry.

Leave Allow Guest Calls disabled in the UCM SIP settings. Create an IVR (7000) on the UCM with any options desired and enable Dial Other Extensions and Dial Trunk.

At this juncture, the UCM owner thinks they have a secure server. They have Guest Calls disabled which should reject all SIP calls from external sources without a valid trunk registration or SIP extension number AND matching password. Unfortunately, anyone from anywhere can now dial extension 7000 from their local server, connect through their unregistered 5000 SIP trunk to the UCM, and (while the welcome message is playing), dial any extension number on the UCM or even dial a long distance call which will be routed out through the UCM using its default outbound routes for its trunks.

What should happen with a call to 7000 is the same thing that happens with a call from the remote Asterisk server to extension 5000 or any other UCM extension whether it's valid or not. The UCM should return Congestion. Only with a properly registered Trunk between the two servers or a valid Extension AND Password should a call ever be successful with Guest Calls disabled.

We still need the Trunk registration functionality that we've been discussing, but I wanted to alert you and your team to quite a serious security problem in the current software release using the extension registration procedure that was published by your staff on the forum.

FOOTNOTE: Legal issues aside, this is why companies that make free use of Open Source Software like Asterisk and "embellish" it SHOULD ALSO OPEN SOURCE THEIR CODE! It's anybody's guess what else is lurking under the Asterisk covers, and it gives Asterisk a black eye when something like this arises. :coolgleamA:
 

wardmundy

A few more discoveries in today's Nerd Vittles article...

Introducing the Grandstream UCM6100 Asterisk PBX: So Close But So Far Away
 

jmcman

I agree that it's snappy. The zero configuration tool seems to work great with an HT286 and a GXP1100 I have lying around. I plugged everything in and was calling between the two in literally 30 seconds after messing with a few initial settings. The tool also sees my other popular-manufacturer phones and looks like it'd handle them just fine since they're detected. Configuration of the system seems to be pretty straightforward as well. I haven't had much time to mess with it today, but I'll look at it more tonight and tomorrow.

The security holes need to be fixed ASAP, for sure. If this thing was open source with a healthy following, it would be an unbelievable product.

Within a few days, I'll hook it up to pstn ma bell and let you all know how it handles the old stuff. :beta1:
 

wardmundy

For the reading impaired, be forewarned that you still can get yourself into lots of financial trouble with the wrong IVR settings and the Stealth DISA option (enabling Trunk calls) from within your IVR. Really screwy that GS would implement Privilege settings for everything except Trunks. You'd think they'd be the most important resource to protect. :001 9898:

Here's a little chart we put together showing the impact on long distance calling of changing nothing on the Grandstream PBX other than the Privilege setting of the 7000 IVR trunk. Shouldn't happen this way, but it does.

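Both the security alert earlier in this thread (an unregistered trunk admitted straight into the IVR and then out through Dial Trunk) and the privilege observation above come down to two admission checks. The following is an added example modelling those checks, not Grandstream's or Asterisk's code; the extensions, secrets, IVR settings, trunk prefixes and privilege ranking are constructed, and SIP digest authentication is simplified to a plain secret comparison.

```python
"""Model of the two admission checks the thread says the UCM should make.
Added example, not Grandstream's or Asterisk's code: extensions, secrets, IVR
settings and trunk prefixes are constructed, and SIP digest authentication is
reduced to a plain secret comparison."""
from dataclasses import dataclass, field

PRIV_RANK = {"internal": 0, "local": 1, "national": 2, "international": 3}

@dataclass
class Peer:
    secret: str
    registered: bool = False  # set only by a REGISTER carrying the right secret

@dataclass
class Ivr:
    dial_other_extensions: bool
    dial_trunk: bool
    privilege: str  # privilege lent to a caller who dials a trunk from the IVR

@dataclass
class Pbx:
    allow_guest_calls: bool
    peers: dict = field(default_factory=dict)           # exten -> Peer
    ivrs: dict = field(default_factory=dict)            # exten -> Ivr
    trunk_prefixes: dict = field(default_factory=dict)  # prefix -> privilege

    def register(self, name, secret):
        """REGISTER: only a matching secret marks the peer as registered."""
        peer = self.peers.get(name)
        if peer is None or peer.secret != secret:
            return False
        peer.registered = True
        return True

    def admit_invite(self, from_user, secret, to_exten):
        """INVITE: admit a registered trunk, a valid extension with a matching
        secret, or anyone when guest calls are on; everything else gets
        CONGESTION. The alert's bug is a failed-REGISTER peer still admitted."""
        if self.allow_guest_calls:
            return "ACCEPT"
        peer = self.peers.get(from_user)
        if peer is None or not (peer.registered or peer.secret == secret):
            return "CONGESTION"
        known = to_exten in self.peers or to_exten in self.ivrs
        return "ACCEPT" if known else "CONGESTION"

    def ivr_dial(self, ivr_exten, dialed):
        """Inside the IVR: other extensions need Dial Other Extensions; a trunk
        route needs Dial Trunk AND an IVR privilege at least the route's."""
        ivr = self.ivrs[ivr_exten]
        if dialed in self.peers:
            return "ACCEPT" if ivr.dial_other_extensions else "DENY"
        for prefix, needed in self.trunk_prefixes.items():
            if dialed.startswith(prefix):
                ok = ivr.dial_trunk and PRIV_RANK[ivr.privilege] >= PRIV_RANK[needed]
                return "ACCEPT" if ok else "DENY"
        return "DENY"

def build_pbx(ivr_privilege="internal"):
    """Constructed UCM: extension 5000 (secret 1234), IVR 7000 with Dial Other
    Extensions and Dial Trunk on, guest calls off, two outbound prefixes."""
    return Pbx(
        allow_guest_calls=False,
        peers={"5000": Peer("1234"), "5001": Peer("x9k2")},
        ivrs={"7000": Ivr(True, True, ivr_privilege)},
        trunk_prefixes={"1": "national", "011": "international"},
    )

def remote_trunk_scenario():
    """The alert's scenario: a remote server registers 5000 with secret 5000,
    then sends an INVITE to the IVR; the right answer is CONGESTION."""
    pbx = build_pbx()
    registered = pbx.register("5000", "5000")
    return registered, pbx.admit_invite("5000", "5000", "7000")
```

Changing only the IVR privilege passed to build_pbx reproduces the chart's point: the same IVR with Dial Trunk on either blocks or permits long-distance dialing.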
 

wardmundy

Adding Google Voice Support to UCM6100 with an OBi Device



Several have asked for the procedure to add Google Voice calling with the UCM6100 so we thought we'd document it here using an OBi device. Any OBi device with an FXS port will work which means you can use the cheapest OBi100 for this. These go on sale regularly for under $30 which is not a bad price to add free calling in the U.S. and Canada to your UCM6100... at least through the end of 2013. If you're in a hurry, Amazon Prime will get it to you in 2 days for under $40.

1. Obtain a free (dedicated) Google Voice number from http://google.com/voice.

2. Once you have the OBi100 in hand, plug it into your LAN and plug a POTS phone into the Phone port and dial ***1 to obtain the IP address of your OBi.

3. Using a browser, go to this address and plug in the IP address of your OBi plus your GV credentials. Be sure to include @gmail.com in the Google Voice username. Wait for the OBi to reboot.

4. Using a browser, download the latest firmware for your OBi flavor from here.

5. Using a browser, open the GUI for your OBi by pointing to the IP address of the OBi. admin:admin are the credentials unless you've changed them.

6. Choose System Management -> Device Update to install the latest firmware that you downloaded. Unless you do this, Google Voice won't work! Wait for the OBi to reboot.

7. Test an Outbound Call using your attached POTS phone. If all goes well, you're ready to connect to the Grandstream PBX. Otherwise, rinse and repeat.

8. Disconnect the phone cord from your POTS phone (NOT from the OBi) and plug it into FXO1 on the Grandstream PBX.

9. Go to PBX -> Analog Trunks -> Create New Trunk and fill in the blanks like this:


10. Go to PBX -> Outbound Routes -> Create New Route and fill in the blanks like this to place Google Voice calls by dialing 9 + a 10-digit phone number:


11. Go to PBX -> Inbound Routes -> Create New Inbound Rule like this to route incoming GV calls to extension 5000:



12. The usual warnings about using this behind a hardware-based firewall with no Internet exposure still apply.

 

jmcman

OK, here is what I have so far...

1) No echo test. I make heavy use of the echo test feature on OpenVPN extensions.
2) No chanspy. Sometimes the need for a manager to monitor a conversation is a necessary function of a business.
3) No internal conversion of uploaded wav files (presumably due to limited hardware constraints).
4) SSH is on a standard port and there's no way to change that. I kind of prefer my SSH to be on a non-standard port because I'm old skool...
5) As stated before, can't load wav files or other things from SD.
6) WAN/LAN nomenclature is going to be confusing to the unsuspecting sysadmin or IT professional. I originally plugged a cable into the LAN port when I first plugged in the unit, but after it didn't get an IP, I switched it to WAN and it worked. Set the LAN port to "Switch" if you so desire. There are other options which are covered in the manual.
7) Advertised router functionality is not ideal with common sense network security principles. Using this device as a LAN single point of entry would almost certainly be disastrous. In the future, Grandstream should consider stripping any router functionality and re-allocating saved hardware (and manpower) resources to strengthening core functionality & enhancing feature sets.

On the plus side, I've got one more... The integrated LDAP server can be used to dynamically and very easily deliver shared phone book content across the system. I have yet to really make use of it, but I'm going to try it out more and see how well it works.

I also forgot to add that the whole remote syslog thing really bothered me too. I pointed it to another linux box I have and am piping it to syslog-ng there. I have everything in syslog options enabled and that does help with getting more information. Here's a tip: if you ever need to do a quick and dirty syslog setup and you've got a Windows machine on your LAN, just download DrayTek router tools (ftp.draytek.com/tools/Router_Tools/ to grab the latest version) and install. Open the Syslog Utility. Log in to the UCM6100 and go into the UCM6100's Maintenance -> Syslog area to enable all the messages you'd like to receive, then put in the IP of your Windows machine that has the DrayTek Syslog Utility running on it. Save & Apply, then you should start seeing messages in the DrayTek Syslog Utility (depending on what logging levels you have selected). I use this utility from time to time when I need to spot-monitor a device for debugging purposes.
:beta1:
 

wardmundy

Hmmm. Just curious. Wondering whose GUI code this was originally? Bears a copyright from Grandstream... only. Perhaps they've licensed it commercially from Digium??
HTML:
From our Grandstream PBX GUI: http://192.168.0.120:8089/config/js/pbx2.js
 
    sessionData.pbxinfo.callingRules[name]=ASTGUI.cloneObject(sessionData.pbxinfo.callingRules[name]).withOut('exten=' + dp);
    } else {
    top.log.warn('pbx.calling_rules.remove: ' + name + ' exists, but does not contain ' + dp + '.');
    return false;
    }
    */
 
    /*    added by dcwei 2012-08-28    */
    /*    delete whole context    */
    if (sessionData.pbxinfo.callingRules[name].length === 0)
    {
        top.log.error('pbx.calling_rules.remove: error removing from extensions.conf');
        return false;
    }
 
    ext_conf.new_action('delcat', name, '', '');
 
    var tmp = 'outbound-allroutes';
    var match = 1;
    ext_conf.new_action('delete', tmp, 'include', '', name);
    //    var extens_conf = config2json({filename: 'extensions.conf', usf:0});
    //    var tmp = 'outbound-allroutes';
    //    var outrt_cxt = extens_conf[tmp];
    //    var it, i;
    //    for ( i = 0; i < outrt_cxt.length; i++ ) {
    //        it = outrt_cxt[i];
    //        if ( it.contains(name) ) {
    //            ext_conf.new_action('delcat', name, '', '');
    //            break;
    //        }
    //    }

Compare it with this Asterisk-GUI code and see if it doesn't look familiar. I'm guessing there may be other "similarities" but no Grandstream source code has been provided.

The log.js file is interesting. Seems to incorporate portions of the Digium code... except for one little piece. :oops:



Whatever else you may think of Grandstream, you've at least got to admire their taste in colors. :biggrinjester:

And finally, here is an excerpt from the GPL2 license...
Code:
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
 
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
 
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
 
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
 
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
 

wardmundy

The referenced code comes from the Asterisk-GUI application. Interesting legal issue for sure. Let's assume there was no commercial license at the time the UCM6100 devices were released, and we obviously don't know that at this juncture since neither Digium nor Grandstream has commented. But let's make that assumption just to explore the consequences. If a company then takes GPL2 code which is clearly labeled as such, modifies it, and publishes it without a commercial license, the issue would be whether, after the fact, you can "convert" it into a commercial, no-source product or whether you are bound by the terms of GPL2 to release your source code with all of your modifications. My gut reaction is that you cannot un-GPL your code once it's been released because your obligations under the GPL are triggered on the date you publish your code. There also may be some issues regarding the consequences of releasing code that is not in compliance with the terms of GPL2... but it's been a few years since I've practiced law in Alabama.


Photo credit: The Mormon Church... with apologies.
 

wardmundy

The copyright holder should be free to use their own code in ways that do not conform to the GPL and can reissue it under other license(s) in parallel. I expect this means that the copyright holder is free to retroactively license their code to projects who have used it in ways not in compliance with licenses available at the time of use.

Source: Watched several partial episodes of LA Law back in the 80s.


That's certainly correct in terms of use by the copyright holder; however, Grandstream may not be the copyright holder. Thus, their obligations may be governed solely by GPL2.

Certainly, Digium could grant a license for future commercial use of their code. Changing the nature of a license on previously released code may be problematic if the GPL2 terms already have been triggered.

By the way, in Alabama, the term "L.A." can only be used to refer to Lower Alabama, not Los Angeles. So your TV training may not be admissible in an Alabama courtroom.

 

wardmundy

Activating a Bluetooth Cellphone Trunk on UCM6100 PBX



It's always a good idea to load the latest firmware on your OBi before you begin: ***6

And, if you've done exotic things with your OBi in the past, a factory reset gets you a clean slate: ***8

For many tasks, you'll also need the IP address of your OBi: ***1

We've now got the UCM6100 PBX working with an OBi202 + OBiBT. What this buys you is not only a Google Voice trunk or two, but also a Bluetooth Cellphone Trunk for your PBX. The tutorial above shows how to configure an OBi100 as a Google Voice trunk with the UCM6100. Just use those steps to set up FXO1 on the UCM6100 to Phone1 on the OBi202. For Bluetooth, you'd mimic the OBi100 setup using FXO2 on the UCM6100 and Phone2 on the OBi202. Then configure the OBiBT option for your device using the OBi portal and point incoming and outgoing calls on the OBi202's Phone2 port to OBiBT. Configure an Analog Trunk on the UCM6100 and point it to FXO2. Set up an extension and tie it to the FXO2 trunk.

Unfortunately, the latest OBi202 firmware update broke outbound Bluetooth calling, but the inbound functionality works great. We've reported the problem to the developers.

For more tips on setting up OBiBT with the OBi202, see this Nerd Vittles article.

 

wardmundy

Activating VoIP.ms Trunk and Free iNum Worldwide Calling on UCM6100 with OBi202

With the OBi202, you can activate 4 Google Voice/SIP trunks in addition to the Bluetooth trunk described above. First step is to build a sub-account in VoIP.ms with separate credentials for the subaccount. Also order a free iNum DID for your VoIP.ms account (1 per main account). And finally don't forget to enable International Calling at least to iNum numbers.

It's always a good idea to load the latest firmware on your OBi before you begin: ***6

And, if you've done exotic things with your OBi in the past, a factory reset gets you a clean slate: ***8

For many tasks, you'll also need the IP address of your OBi: ***1

Next, log in to your OBi portal, click on the SP2 service provider option for your OBi202, click VoIP.ms for the provider, and fill in the blanks. Assuming you're using Google Voice on SP1 with Phone1 and Bluetooth BT1 with Phone2, you do NOT want to make VoIP.ms your primary line to call out for either phone line! Just check Allow Incoming Calls on Phone1. Plug in your subaccount credentials and appropriate VoIP.ms POP, and save.

On the UCM6100, create a new Outbound Route called VoIPms, give it National privileges, Strip=1, designate the OBi trunk for the calls, and enter the following for the Dial Patterns:
Code:
_7**20118835100XXXXXXXX
_7**21NXXNXXXXXX

This tells the Grandstream PBX to route calls out the OBi trunk when the calls begin with 7**2 where 7 is the prefix (which will get stripped by UCM6100) and **2 will be used to route the call out the OBi's SP2 trunk to VoIP.ms (OBi will strip the **2 before passing the call to VoIP.ms).

To make free calls to iNum numbers worldwide (once you've been assigned a free iNum trunk by VoIP.ms and once you've activated International calling to iNum numbers), you'd dial 7**2 followed by the international prefix 011 followed by the iNum number to call.

To make standard, pay-by-the-minute calls to U.S. and Canada, you'd dial 7**2 followed by 1 followed by the 10-digit number.

DEMO: To try out our currently featured Wolfram Alpha iNum demo from your Grandstream PBX, dial: 7 **2 011 8835100 09043155. Now that's a Real Man's Phone Number!

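To show how the two dial patterns above are matched and how the 7 prefix and the **2 selector are stripped along the way, here is an added example (not Grandstream's or Obihai's code). The Asterisk-style pattern translation is general; the route table, trunk name and dialed numbers are constructed from the patterns and demo number posted above.

```python
"""Asterisk-style dial-pattern matching plus the two strip steps in the route
above: the UCM strips the 7 prefix, then the OBi strips **2 to select SP2.
Added example, not Grandstream's or Obihai's code; the route table and the
dialed numbers are constructed from the patterns posted above."""
import re

def pattern_to_regex(pattern):
    """Translate one Asterisk dial pattern (leading '_' optional) to a regex:
    X=0-9, Z=1-9, N=2-9, [..]=set, '.'=one or more, '!'=zero or more;
    everything else, including '*' and '#', is a literal key press."""
    body = pattern[1:] if pattern.startswith("_") else pattern
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "X":
            out.append("[0-9]")
        elif ch == "Z":
            out.append("[1-9]")
        elif ch == "N":
            out.append("[2-9]")
        elif ch == "[":
            j = body.index("]", i)
            out.append("[" + body[i + 1:j] + "]")
            i = j
        elif ch == ".":
            out.append(".+")
        elif ch == "!":
            out.append(".*")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")

# Constructed route table mirroring the VoIPms outbound route in the post;
# Strip=1 removes the leading 7 before the digits reach the OBi trunk.
ROUTES = [
    {"name": "VoIPms", "trunk": "OBi202", "strip": 1,
     "patterns": ["_7**20118835100XXXXXXXX", "_7**21NXXNXXXXXX"]},
]

def ucm_route(dialed, routes=ROUTES):
    """First route with a matching pattern wins; returns (route name, trunk,
    digits handed to the trunk) or None when no pattern matches."""
    for route in routes:
        for pat in route["patterns"]:
            if pattern_to_regex(pat).match(dialed):
                return route["name"], route["trunk"], dialed[route["strip"]:]
    return None

def obi_select_sp(digits):
    """OBi side: a leading **N picks service provider N and is stripped;
    otherwise the digits go to the line's primary provider (SP1 here)."""
    m = re.match(r"^\*\*([1-4])(.*)$", digits)
    if m:
        return "SP" + m.group(1), m.group(2)
    return "SP1", digits

def end_to_end(dialed):
    """Full path: UCM dial pattern -> Strip -> OBi SP selection, or None."""
    hop = ucm_route(dialed)
    if hop is None:
        return None
    name, trunk, digits = hop
    sp, number = obi_select_sp(digits)
    return name, trunk, sp, number
```

A number that matches neither pattern (for example an international call not on the iNum prefix) returns None, which is the route table refusing the call rather than sending it to a trunk.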
 