ASTERISK-27103

core: ast_safe_system command injection possible.

    Details

      Description

      ast_safe_system and popen do not provide protection against command injection. This is a vulnerability if Asterisk code or an admin uses untrusted strings for parameters to any external call (such as callerid).

      C level vulnerability

      app_minivm: run_externnotify - callerid is passed as parameters to command.

      Config level vulnerabilities

      app_system, app_mixmonitor, func_shell, res_monitor - These modules allow the administrator to execute arbitrary commands with arbitrary parameters. If the admin gets parameters from untrusted values, they are vulnerable. Likely these must be addressed by documenting the risk.
      func_shell is the odd case: it uses popen instead of ast_safe_system, but it is still an issue.

      Possibly not vulnerable

      • app_alarmreceiver and chan_dahdi are pretty simple cases that I'm pretty sure are safe.
      • app_voicemail is more difficult. I don't think it uses any untrusted values for parameters but I'm not ready to say this for sure.

      Not vulnerable

      • main/db.c, main/config.c, main/logger.c, main/asterisk.c, utils/extconf.c

      Not checked

      • tests/test_time.c
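Added illustration for the pattern the description refers to (this is example code written for this page, not Asterisk code and not the fix merged for AST-2017-006): the unsafe form splices the caller ID into a command line that a shell will parse, which is exactly what handing the string to ast_safe_system() or popen() does; the hardened form passes each untrusted value as its own argv element to execv(), so no shell ever interprets it. The script path NOTIFY_SCRIPT, the constructed caller ID "Alice $(id)", and all function names are assumptions made for the example.

```c
/* Example for ASTERISK-27103: not Asterisk code.  Shows the unsafe
 * "caller ID spliced into a command string" pattern beside an exec-with-argv
 * form that keeps the untrusted value out of any shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical external-notify script and a constructed caller ID that
 * carries shell syntax.  Both are assumptions for this example. */
#define NOTIFY_SCRIPT "/usr/local/bin/notify.sh"
#define EVIL_CALLERID "Alice $(id)"

/* Unsafe pattern: the caller ID is pasted into one command line.  Anything
 * that hands this string to /bin/sh -c (as ast_safe_system()/popen() do)
 * lets the shell expand $(id) or run ';'-separated commands supplied by
 * whoever controls the caller ID.  Returns 0 on success, -1 on truncation. */
int build_command_line(char *out, size_t outlen,
                       const char *script, const char *callerid)
{
    int n = snprintf(out, outlen, "%s %s", script, callerid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: no shell.  argv[0] is the program, every untrusted
 * value is a separate argv element, so shell metacharacters in callerid are
 * passed through as plain bytes.  Returns the child's exit status, or -1 on
 * fork/exec/wait failure. */
int run_with_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);          /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: run /bin/sh with the caller ID as positional parameter $1
 * and have the script compare $1 against the literal text (single quotes,
 * so the shell does not expand $(id) there either).  Returns 0 when the
 * value arrived byte-for-byte, i.e. nothing in it was executed. */
int callerid_preserved(const char *callerid)
{
    char *const argv[] = {
        "/bin/sh", "-c",
        "test \"$1\" = 'Alice $(id)'",
        "sh", (char *)callerid, NULL
    };
    return run_with_argv(argv);
}

int main(void)
{
    char cmd[256];
    if (build_command_line(cmd, sizeof cmd, NOTIFY_SCRIPT, EVIL_CALLERID) == 0)
        printf("unsafe command line a shell would parse: %s\n", cmd);
    printf("argv form preserved the caller ID: %s\n",
           callerid_preserved(EVIL_CALLERID) == 0 ? "yes" : "no");
    return 0;
}
```

The same argv discipline applies to the config-level cases above: when a dialplan or module must invoke an external program with channel data, the fix is to keep that data out of the string a shell parses (separate arguments, or at minimum a strict allow-list on the characters), not to try to escape it after the fact.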


          Activity

          Friendly Automation added a comment -

          Change 6357 merged by Joshua Colp:
          AST-2017-006: Fix app_minivm application MinivmNotify command injection

          https://gerrit.asterisk.org/6357

          Friendly Automation added a comment -

          Change 6343 merged by Joshua Colp:
          AST-2017-006: Fix app_minivm application MinivmNotify command injection

          https://gerrit.asterisk.org/6343

          Friendly Automation added a comment -

          Change 6347 merged by Joshua Colp:
          AST-2017-006: Fix app_minivm application MinivmNotify command injection

          https://gerrit.asterisk.org/6347

          Friendly Automation added a comment -

          Change 6362 merged by Joshua Colp:
          AST-2017-006: Fix app_minivm application MinivmNotify command injection

          https://gerrit.asterisk.org/6362

          Friendly Automation added a comment -

          Change 6348 merged by Jenkins2:
          AST-2017-006: Fix app_minivm application MinivmNotify command injection

          https://gerrit.asterisk.org/6348

