
Summary: ASTERISK-26246: Security: Privilege escalation by AMI adding dialplan extensions.
Reporter: Richard Mudgett (rmudgett)
Labels:
Date Opened: 2016-07-27 15:10:14
Date Closed: 2016-08-15 13:43:10
Priority: Major
Regression?:
Status: Closed/Complete
Components: Core/ManagerInterface
Versions: 13.10.0
Frequency of Occurrence: Constant
Related Issues:
Environment:
Attachments:
Description:The AMI DialplanExtensionAdd and DialplanExtensionRemove actions are allowed with the AMI SYSTEM class.  These actions really should be made equivalent to the AMI COMMAND class because the add extension could be used to gain full access to the machine.  This is a concern because the AMI SYSTEM class allows such normal things as starting a ConfBridge recording, starting MixMonitor recording, and Asterisk database writes.

Simply add a dialplan extension like below and then call it to trash the attacked machine.
{noformat}
exten = 100,1,Set(foo=${SHELL(rm -rf /*)})
{noformat}
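The practical consequence of the description above is that on 13.10.0 an AMI user with the 'system' write class can run anything the asterisk process can, so such users deserve the same scrutiny as 'command' users. The following audit script is an added example, not code from this issue or from the Asterisk project: it parses a manager.conf, lists every user whose write classes include system, command or all, and checks whether that user's deny/permit lines keep the account off the open network. The sample manager.conf is constructed for the example; the parser assumes no #include directives and no [name](template) inheritance, and ACLs are modelled as last match wins with a default of allow.

```python
"""Audit manager.conf for AMI users whose 'write' classes give shell-level
control of the Asterisk host.

Added example, not Asterisk project code. In Asterisk 13.10.0 the 'system'
write class covers DialplanExtensionAdd, so anyone holding it can add an
extension whose body is Set(foo=${SHELL(...)}) and then call it. The audit
therefore treats 'system' like 'command' and 'all'.

Assumptions: no #include directives and no [name](template) inheritance in
the file; deny/permit ACLs are evaluated as last match wins, default allow.
"""
import ipaddress
import re

# Write classes treated as equivalent to a shell on the box.
SHELL_EQUIVALENT = {"system", "command", "all"}

# Constructed sample, not a real deployment's file.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0

[recorder]              ; helpdesk tool that only starts MixMonitor
secret = s3cret
read = call,reporting
write = system,call     ; 'system' is needed for MixMonitor on 13.10.0
deny = 0.0.0.0/0.0.0.0
permit = 10.0.5.0/255.255.255.0

[monitor]               ; dashboard, read-only
secret = readonly
read = call,reporting,dialplan
write = reporting

[admin]
secret = hunter2
read = all
write = all             ; no deny/permit lines at all
"""


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]} keeping key order and duplicates
    (deny/permit lines stack). Handles '[section]', 'key = value',
    'key => value' and ';' comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip().lower(), m.group(2).strip()))
    return sections


def acl_allows(rules, addr):
    """Evaluate Asterisk-style deny/permit rules for one address.
    rules: list of ('deny'|'permit', 'addr/mask') in file order."""
    ip = ipaddress.ip_address(addr)
    allowed = True  # no matching rule means the address is permitted
    for sense, spec in rules:
        if ip in ipaddress.ip_network(spec, strict=False):
            allowed = (sense == "permit")
    return allowed


def audit_manager_conf(text, probe_addr="203.0.113.5"):
    """One finding per AMI user whose write classes include a shell-equivalent
    class. probe_addr (TEST-NET-3, standing in for an arbitrary outside host)
    is run through the user's ACL to see whether the account is reachable
    from beyond its permitted networks."""
    findings = []
    for name, items in parse_asterisk_conf(text).items():
        if name == "general":
            continue
        write, rules = set(), []
        for key, value in items:
            if key == "write":
                write |= {c.strip().lower() for c in value.split(",") if c.strip()}
            elif key in ("deny", "permit"):
                rules.append((key, value))
        dangerous = sorted(write & SHELL_EQUIVALENT)
        if dangerous:
            findings.append({
                "user": name,
                "classes": dangerous,
                "remote_reachable": acl_allows(rules, probe_addr),
            })
    return findings


if __name__ == "__main__":
    for f in audit_manager_conf(SAMPLE_MANAGER_CONF):
        reach = ("REACHABLE from outside permitted networks" if f["remote_reachable"]
                 else "limited by deny/permit")
        print(f"{f['user']}: write={','.join(f['classes'])} is shell-equivalent; {reach}")
```

On the sample, 'recorder' is reported because it holds 'system' (it cannot avoid that on 13.10.0 if it needs MixMonitor) but its deny/permit lines keep it to 10.0.5.0/24; 'admin' is reported with 'all' and no ACL at all; 'monitor' is not reported. The script does not try to say which users are legitimate, only which ones must be trusted as far as a shell account on the host.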
Comments:

By: Richard Mudgett (rmudgett) 2016-07-28 12:29:21.979-0500

Maybe changing the two AMI actions to the currently unused AMI DIALPLAN write class is a better place to reassign the actions.  AMI DIALPLAN read is used to generate the spammy dialplan execution and varset events.

By: Joshua C. Colp (jcolp) 2016-08-15 07:36:17.659-0500

This did not end up being a security issue as the 'system' class is explicitly for this level of control.