Details
- Type: Bug
- Status: Closed
- Severity: Major
- Resolution: Fixed
- Affects Version/s: 13.16.0, 14.5.0, GIT
- Labels:
Description
ast_safe_system and popen do not provide protection against command injection. This is a vulnerability if Asterisk code or an admin uses untrusted strings for parameters to any external call (such as callerid).
C level vulnerability
app_minivm: run_externnotify - callerid is passed as parameters to command.
Config level vulnerabilities
app_system, app_mixmonitor, func_shell, res_monitor - These modules allow the administrator to execute arbitrary commands with arbitrary parameters. If the admin gets parameters from untrusted values, they are vulnerable. Likely these must be addressed by documenting the risk.
func_shell is the odd case which uses popen instead of ast_safe_system, still an issue.
Possibly not vulnerable
- app_alarmreceiver and chan_dahdi are pretty simple cases that I'm pretty sure are safe.
- app_voicemail is more difficult. I don't think it uses any untrusted values for parameters but I'm not ready to say this for sure.
Not vulnerable
- main/db.c, main/config.c, main/logger.c, main/asterisk.c, utils/extconf.c
Not checked
- tests/test_time.c
Issue Links
- is a clone of SWP-9841
Demo
Attacker's dialplan
Vulnerable dialplan
exten => 100,1,System(/usr/bin/notifyscript --from "${CALLERID(name)}")
Actual commands run:
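The C-level fix the report points at is to stop handing an untrusted value to a shell at all. The following is an added example, not Asterisk code: it runs the notify script directly with execv() so the caller-id value arrives as one argv element whatever characters it contains, and it includes a metacharacter check that can serve as a rejection filter where ast_safe_system() must remain in use. The script path and the "--from" option are assumed for illustration.

```c
/* Added example (not Asterisk code): run an external notify command
 * without a shell so an untrusted CALLERID(name) cannot alter the
 * command line. Script path and "--from" option are assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters a POSIX shell interprets inside an unquoted or
 * double-quoted argument. Returns 1 if any is present, else 0. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "\"'`$\\;&|<>()\n") != NULL;
}

/* Execute prog with the untrusted value as a single argument,
 * bypassing the shell entirely. Returns the child's exit status,
 * 127 if exec failed, or -1 on fork/wait failure. */
int run_without_shell(const char *prog, const char *from)
{
    /* argv is an array; the value is never concatenated into a string */
    char *const argv[] = { (char *)prog, "--from", (char *)from, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(prog, argv);
        _exit(127);           /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample: a caller-id name carrying shell metacharacters */
    const char *callerid = "Alice \" ; echo injected";
    printf("metachars present: %d\n", has_shell_metachars(callerid));
    /* /bin/echo receives the whole value as argv[2]; nothing is interpreted */
    return run_without_shell("/bin/echo", callerid);
}
```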