ASTERISK-17465: Security Vulnerability: AMI access to SHELL function only seems to need CALL Privilege, should be SYSTEM

[Home]

Summary: ASTERISK-17465: Security Vulnerability: AMI access to SHELL function only seems to need CALL Privilege, should be SYSTEM

Reporter: David Woolley (davidw) Labels:

Date Opened: 2011-02-23 12:05:28.000-0600 Date Closed: 2012-04-23 09:22:19

Priority: Major Regression? No

Status: Closed/Complete Components: Core/ManagerInterface

Versions: Frequency of
Occurrence

Related
Issues:
must be completed before resolving ASTERISK-19618 Asterisk 1.8.12.0 Blockers

must be completed before resolving ASTERISK-19619 Asterisk 10.4.0 Blockers

is related to ASTERISK-20132 Security Vulnerability: remote authenticated attacker can execute arbitrary shell commands on system through app ExternalIVR

Environment: Attachments: ( 0) 10_ami_readfunc_security_r2.diff
( 1) 162_ami_readfunc_security_r2.diff
( 2) 18_ami_readfunc_security_r2.diff
( 3) asterisk_1.62_AST-2012-004_patch.diff

Description: Whilst there are safety checks on the AMI System command, to require SYSTEM privilege before using the SHELL function, I can find no such checks when accessing it using GetVar.

****** ADDITIONAL INFORMATION ******

Marked as private because of security implications. You may make public at your discretion.

Until we have established that we want to use this method of running shell scripts, our time to verify the exploit is limited, and complicated by using an older version with bugs in GetVar.

Comments: By: Jonathan Rose (jrose) 2012-03-27 14:26:35.351-0500

> Whilst there are safety checks on the AMI System command

Manager has no command called 'System' that shows up in any version of Asterisk I'm aware of.

Anyway, I've reproduced the problem and I'm starting to look into fixing it.

EDIT: As far as I can tell, only the action_originate actually seems to check for SHELL.
By: David Woolley (davidw) 2012-03-28 05:03:49.178-0500

It's a while since I picked this one up, but I suspect what I meant was the System application being run via originate.
By: Jonathan Rose (jrose) 2012-04-10 14:09:28.238-0500

Adding patches which should solve the noted problems as well as another action with the same problem for 1.6.2 as well as 1.8 and up.
By: Jonathan Rose (jrose) 2012-04-10 14:10:00.230-0500

Re-adding 1.8 patch since licenses go stupid when uploading multiple files.
By: Jonathan Rose (jrose) 2012-04-12 08:32:07.195-0500

Added patches for 1.6.2, 1.8, and 10.
By: Jonathan Rose (jrose) 2012-04-24 16:36:42.277-0500

Add a revised version of the 1.6.2 version of this patch due to failed application in the 1.6.2 branch.