
Summary: ASTERISK-27103: core: ast_safe_system command injection possible.
Reporter: Corey Farrell (coreyfarrell)
Labels: patch
Date Opened: 2017-07-01 20:12:28
Date Closed: 2017-08-31 06:10:02
Priority: Major
Regression?:
Status: Closed/Complete
Components: Applications/app_minivm Applications/app_mixmonitor Applications/app_system Applications/app_voicemail Channels/chan_dahdi Core/General Functions/func_shell Resources/res_monitor
Versions: 13.16.0 14.5.0 GIT
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 0001-core-Add-ast_safe_execvp-function.patch
( 1) 0002-app_minivm-Use-ast_safe_execvp-to-run-externnotify.patch
Description:{{ast_safe_system}} and {{popen}} do not provide protection against command injection.  This is a vulnerability if Asterisk code or an admin uses untrusted strings for parameters to any external call (such as callerid).

h2. C level vulnerability
{{app_minivm: run_externnotify}} - callerid is passed as parameters to command.

h2. Config level vulnerabilities
{{app_system, app_mixmonitor, func_shell, res_monitor}} - These modules allow the administrator to execute arbitrary commands with arbitrary parameters.  If the admin gets parameters from untrusted values they are vulnerable.  Likely these must be addressed by documenting the risk.
{{func_shell}} is the odd case which uses {{popen}} instead of {{ast_safe_system}}; still an issue.

h2. Possibly not vulnerable
* {{app_alarmreceiver}} and {{chan_dahdi}} are pretty simple cases that I'm pretty sure are safe.
* {{app_voicemail}} is more difficult. I don't think it uses any untrusted values for parameters but I'm not ready to say this for sure.

h1. Not vulnerable
* main/db.c, main/config.c, main/logger.c, main/asterisk.c, utils/extconf.c

h1. Not checked
* tests/test_time.c
Comments:

By: Corey Farrell (coreyfarrell) 2017-07-02 11:40:43.537-0500

h2. Demo

h3. Attackers dialplan
{noformat}
exten => s,1,Set(CALLERID(name)=name"\;touch /tmp/hacked\;echo ")
same => n,Dial(SIP/target/100)
{noformat}

h3. Vulnerable dialplan
{noformat}
exten => 100,1,System(/usr/bin/notifyscript --from "${CALLERID(name)}")
{noformat}

h3. Actual commands run:
{noformat}
/usr/bin/notifyscript --from "name"
touch /tmp/hacked
echo ""
{noformat}

By: Corey Farrell (coreyfarrell) 2017-07-02 11:54:29.549-0500

These patches are against 13. The first creates an {{ast_safe_execvp}} function and the second modifies {{app_minivm}} to use it.  I have not yet tested {{ast_safe_execvp}} in the double-fork mode.  This is needed because {{app_minivm}} ran the command in the background with {{&}}.
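The shell-versus-argv distinction behind the description, the demo above and the {{ast_safe_execvp}} patches, as an added example that is not Asterisk code and not part of this issue's attachments: the {{safe_execvp}} below is a hypothetical stand-in for the proposed {{ast_safe_execvp}}, its signature (a background flag, a file and an argv vector) is an assumption, and the caller ID value is constructed so that the injected command only sets an exit status instead of touching a file. The vulnerable path interpolates the value into a command line for {{system()}}, which re-parses it with {{/bin/sh -c}}; the hardened path forks and {{execvp()}}s an argument vector, so the same string reaches the child as one literal argument. The background flag shows the double fork that the {{&}} case in {{app_minivm}} needs.

```c
/* Added example (not Asterisk's code): run an external command with an
 * argument vector instead of a shell command line, so untrusted data such
 * as a caller ID name cannot inject extra commands. safe_execvp() is a
 * hypothetical stand-in for the proposed ast_safe_execvp(); its name and
 * signature are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed caller ID name in the same shape as the issue's demo, but the
 * injected command only changes the exit status instead of touching a file. */
static const char *untrusted_callerid = "name\"; exit 7; echo \"";

/* Vulnerable pattern: interpolate the untrusted value into a shell command
 * line and hand it to system(), which runs it through /bin/sh -c. The fixed
 * part of the script exits with its positional-argument count. */
int run_via_shell(const char *callerid)
{
    char cmd[512];
    int rc;

    snprintf(cmd, sizeof(cmd), "/bin/sh -c 'exit $#' sh \"%s\"", callerid);
    rc = system(cmd);
    if (rc == -1 || !WIFEXITED(rc)) {
        return -1;
    }
    /* The injected "exit 7" ran inside the outer shell, so this is 7. */
    return WEXITSTATUS(rc);
}

/* Hardened pattern: fork and execvp() an argument vector. No shell re-parses
 * the data, so each argv element arrives in the child exactly as given.
 * With background set, a double fork detaches the command so the caller
 * does not have to reap it (the "&" case from app_minivm). */
int safe_execvp(int background, const char *file, char *const argv[])
{
    pid_t pid;
    int status;

    pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        if (background) {
            /* Intermediate child: fork again and exit immediately so the
             * grandchild is reparented to init and never becomes a zombie. */
            pid_t grand = fork();
            if (grand != 0) {
                _exit(grand < 0 ? 1 : 0);
            }
        }
        execvp(file, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        return -1;
    }
    return WEXITSTATUS(status);
}

/* Same fixed script, but the untrusted value is one argv entry. Returns the
 * number of positional arguments the script saw, which is always 1. */
int run_via_execvp(const char *callerid)
{
    char *const argv[] = { "sh", "-c", "exit $#", "sh", (char *)callerid, NULL };
    return safe_execvp(0, "/bin/sh", argv);
}

/* Background variant: returns the intermediate child's status (0 when the
 * detach succeeded), not the command's own result. */
int run_detached(const char *callerid)
{
    char *const argv[] = { "sh", "-c", "exit $#", "sh", (char *)callerid, NULL };
    return safe_execvp(1, "/bin/sh", argv);
}

int main(void)
{
    printf("system(): exit status %d (injected 'exit 7' ran)\n",
           run_via_shell(untrusted_callerid));
    printf("execvp(): exit status %d (one literal argument)\n",
           run_via_execvp(untrusted_callerid));
    printf("detached: status %d (intermediate child only)\n",
           run_detached(untrusted_callerid));
    return 0;
}
```

On a system with {{/bin/sh}} the {{system()}} path returns 7 because the injected {{exit 7}} executed, while the {{execvp()}} path returns 1, the count of positional parameters the fixed script received. A detached run reports only whether the intermediate fork succeeded, so code that needs the command's own result must not use background mode.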

By: Friendly Automation (friendly-automation) 2017-08-31 06:10:04.471-0500

Change 6346 merged by Jenkins2:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6346|https://gerrit.asterisk.org/6346]

By: Friendly Automation (friendly-automation) 2017-08-31 06:14:42.297-0500

Change 6359 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6359|https://gerrit.asterisk.org/6359]

By: Friendly Automation (friendly-automation) 2017-08-31 06:37:21.619-0500

Change 6344 merged by Jenkins2:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6344|https://gerrit.asterisk.org/6344]

By: Friendly Automation (friendly-automation) 2017-08-31 06:38:15.233-0500

Change 6354 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6354|https://gerrit.asterisk.org/6354]

By: Friendly Automation (friendly-automation) 2017-08-31 06:39:56.317-0500

Change 6345 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6345|https://gerrit.asterisk.org/6345]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:08.555-0500

Change 6342 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6342|https://gerrit.asterisk.org/6342]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:48.791-0500

Change 6357 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6357|https://gerrit.asterisk.org/6357]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:55.635-0500

Change 6343 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6343|https://gerrit.asterisk.org/6343]

By: Friendly Automation (friendly-automation) 2017-08-31 07:59:21.116-0500

Change 6347 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6347|https://gerrit.asterisk.org/6347]

By: Friendly Automation (friendly-automation) 2017-08-31 07:59:56.454-0500

Change 6362 merged by Joshua Colp:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6362|https://gerrit.asterisk.org/6362]

By: Friendly Automation (friendly-automation) 2017-08-31 08:28:26.857-0500

Change 6348 merged by Jenkins2:
AST-2017-006: Fix app_minivm application MinivmNotify command injection

[https://gerrit.asterisk.org/6348|https://gerrit.asterisk.org/6348]