Summary: | ASTERISK-27185: s3 bucket writable - asteriskconfig | ||
Reporter: | vijiln (vijil) | Labels: | |
Date Opened: | 2017-08-07 10:12:48 | Date Closed: | 2017-08-07 10:16:36 |
Priority: | Critical | Regression? | |
Status: | Closed/Complete | Components: | |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) asterisk.png | |
Description: | Team,
Found a writable amazon s3 bucket "asteriskconfig" in which anyone can upload,rename,delete files.Also all the config files where found on the s3 public which makes this severe. POC : when i opened the following s3 bucket http://s3.amazonaws.com/asteriskconfig/ got the contents of the bucket listed,whilst a secure bucket would have brought up an access denied page. further i tried to upload copy rename and delete "test.txt" using aws cli ,all succeeded !! 1.Copy local file to s3 $ aws s3 cp test.txt s3://asteriskconfig Result: upload: ./test.txt to s3://asteriskconfig/test.txt 2.Renaming file $ aws s3 mv s3://asteriskconfig/test.txt s3://asteriskconfig/test2.txt Result:move: s3://asteriskconfig/test.txt to s3://asteriskconfig/test2.txt 3.Deleting file $ aws s3 rm s3://asteriskconfig/test2.txt delete: s3://asteriskconfig/test2.txt Impact : Risk is that anyone can upload malicious files,delete the existing files,rename and move files which makes this a critical vulnerability. Hope you guys will fix this soon. Screen shot is added here. Thank you !! | ||
Comments: | By: Asterisk Team (asteriskteam) 2017-08-07 10:12:48.592-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. By: Joshua C. Colp (jcolp) 2017-08-07 10:16:36.078-0500 Asterisk, the project, doesn't control or use this S3 bucket. We also don't have S3 support in Asterisk itself that would have default settings. This appears to be from a user of Asterisk and not something we can control or rectify. By: vijiln (vijil) 2017-08-07 10:20:59.093-0500 screen shot of aws cli commands executed |