Summary: ASTERISK-28580: Bypass SYSTEM write permission in manager action allows system commands execution
Reporter: Eliel Sardañons (elielsardanons)
Labels: patch security
Date Opened: 2019-10-10 14:54:29
Date Closed: 2019-11-21 12:21:21.000-0600
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Core/ManagerInterface
Versions: GIT
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) 908eb49.diff
Description: It is possible to bypass the SYSTEM write permission in manager if the user is allowed to originate calls, allowing remote code execution on the asterisk server.

The current validation is found in this line of code https://github.com/asterisk/asterisk/blob/8aa4e1c3c99b58f072888ce8798623be227910c6/main/manager.c#L5735

As you may notice, all the validations are made on the application name, so if we craft an action Originate with an Originate Application and end up running a SYSTEM application we can bypass these checks:

Action: Originate
Channel: Local/1111@eliel
Application: Originate
Data: Local/2222@eliel,app,System,touch /tmp/owned

I tested it with a user with these permissions:
read = call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
write = call,agent,user,config,command,reporting,originate,message
Comments:

By: Asterisk Team (asteriskteam) 2019-10-10 14:54:30.696-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Asterisk Team (asteriskteam) 2019-10-10 14:54:31.979-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Benjamin Keith Ford (bford) 2019-10-11 09:27:39.909-0500

Thanks for reporting this - we've created an internal issue to track it.

By: George Joseph (gjoseph) 2019-10-24 12:53:11.723-0500

[~elielsardanons] Can you try the attached patch and confirm it plugs the hole?
It simply prevents a user from running the Originate app from an Originate action if they don't have the "system" authorization.
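
A simplified model of the check discussed in this thread, added here as an illustration; it is not Asterisk's manager.c code and not the attached patch. `PERM_SYSTEM`, the `gated` list and all function names are hypothetical, and the sample values are the ones from the report's Originate action.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define PERM_SYSTEM 0x1 /* hypothetical bit for the "system" write class */

/* Illustrative list of gated applications, not the project's actual list. */
static const char *const gated[] = { "system", "exec" };

/* Return 1 if name is on the gated list (case-insensitive). */
static int is_gated(const char *name) {
    for (size_t i = 0; i < sizeof(gated) / sizeof(gated[0]); i++)
        if (strcasecmp(name, gated[i]) == 0) return 1;
    return 0;
}

/* Check as the report describes it: only the Application header is inspected. */
int allowed_before(int writeperm, const char *app) {
    return (writeperm & PERM_SYSTEM) || !is_gated(app);
}

/* Check with the fix from the thread: Originate itself needs "system". */
int allowed_after(int writeperm, const char *app) {
    if (writeperm & PERM_SYSTEM) return 1;
    return !is_gated(app) && strcasecmp(app, "originate") != 0;
}

/* For Application=Originate with Data "chan,app,<name>,<args>", copy <name>
 * (the application that finally runs) into out; otherwise copy app. */
const char *effective_app(const char *app, const char *data, char *out, size_t n) {
    const char *p;
    snprintf(out, n, "%s", app);
    if (strcasecmp(app, "originate") != 0 || !(p = strchr(data, ','))) return out;
    if (strncasecmp(p + 1, "app,", 4) != 0) return out;
    p += 5; /* skip ",app," */
    snprintf(out, n, "%.*s", (int)strcspn(p, ","), p);
    return out;
}

int main(void) {
    char inner[64];
    /* Values taken from the report's Originate action. */
    const char *app = "Originate", *data = "Local/2222@eliel,app,System,touch /tmp/owned";
    int perms = 0; /* user without the "system" write class */
    printf("effective app: %s\n", effective_app(app, data, inner, sizeof inner));
    printf("before fix: outer allowed=%d, inner gated=%d\n", allowed_before(perms, app), is_gated(inner));
    printf("after fix:  outer allowed=%d\n", allowed_after(perms, app));
    return 0;
}
```

The name-only check accepts the outer application even though the application that finally runs is a gated one; with the fix, the outer Originate is refused unless the user holds the "system" class.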


By: Eliel Sardañons (elielsardanons) 2019-10-24 13:43:44.834-0500

[~gjoseph], the patch is working as expected and fixes the bypass reported.



By: Eliel Sardañons (elielsardanons) 2019-11-14 09:06:30.618-0600

Hello George, do you have any update on this? Thanks!

By: Joshua C. Colp (jcolp) 2019-11-14 09:12:45.783-0600

[~elielsardanons] This is in queue to be released. We had another security vulnerability come in that just got taken care of. We have to notify various parties, so I expect a security release in 2-3 weeks.

By: Joshua C. Colp (jcolp) 2019-11-14 10:45:41.467-0600

We are aiming for next week as of this point.

By: Friendly Automation (friendly-automation) 2019-11-21 12:21:22.184-0600

Change 13232 merged by Friendly Automation:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13232|https://gerrit.asterisk.org/c/asterisk/+/13232]

By: Friendly Automation (friendly-automation) 2019-11-21 12:28:43.949-0600

Change 13233 merged by Friendly Automation:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13233|https://gerrit.asterisk.org/c/asterisk/+/13233]

By: Friendly Automation (friendly-automation) 2019-11-21 12:32:13.298-0600

Change 13235 merged by Friendly Automation:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13235|https://gerrit.asterisk.org/c/asterisk/+/13235]

By: Friendly Automation (friendly-automation) 2019-11-21 13:36:00.355-0600

Change 13279 merged by Benjamin Keith Ford:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13279|https://gerrit.asterisk.org/c/asterisk/+/13279]

By: Friendly Automation (friendly-automation) 2019-11-21 13:37:08.598-0600

Change 13277 merged by Benjamin Keith Ford:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13277|https://gerrit.asterisk.org/c/asterisk/+/13277]

By: Friendly Automation (friendly-automation) 2019-11-21 14:06:25.868-0600

Change 13234 merged by Friendly Automation:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13234|https://gerrit.asterisk.org/c/asterisk/+/13234]

By: Friendly Automation (friendly-automation) 2019-11-21 14:47:16.429-0600

Change 13286 merged by Benjamin Keith Ford:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13286|https://gerrit.asterisk.org/c/asterisk/+/13286]

By: Friendly Automation (friendly-automation) 2019-11-21 14:48:26.002-0600

Change 13287 merged by Benjamin Keith Ford:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13287|https://gerrit.asterisk.org/c/asterisk/+/13287]

By: Friendly Automation (friendly-automation) 2019-11-21 14:48:47.002-0600

Change 13288 merged by Benjamin Keith Ford:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13288|https://gerrit.asterisk.org/c/asterisk/+/13288]