
Summary: ASTERISK-14641: [patch] MeetMe privilege escalation in password query
Reporter: Heiko Wundram (modelnine)
Labels:
Date Opened: 2009-08-12 15:43:59
Date Closed: 2010-08-25 10:35:16
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Applications/app_meetme
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) asterisk-1.6.1.1-meetme-privesc.patch
( 1) bug15704.patch
( 2) meetme-patched.diff
Description:

Due to invalid checking in the conference pin query of the MeetMe application, a user can enter a conference as administrator when the "a" flag is set in the MeetMe() call from the dial-plan and the user only knows the user pin (which of course might be empty).

This stems from the fact that confflags is set to contain the ADMIN flag by the "a" option, but this is not handled separately in the testing code for checking the pin (i.e., the ADMIN flag is not reset or the authentication rejected when the user doesn't enter the admin, but the user pin).

The attached patch fixes the issue for conferences which have an empty user pin (which is the only reasonable assumption I could find for actually giving the "a" flag on the MeetMe() command line); reworking the patch to fix the issue in the general case (i.e., if "a" is specified, only admins may enter) is simple.
Comments:

By: Heiko Wundram (modelnine) 2009-08-17 15:58:47

The attached patch contains a more comprehensive fix for the problem, in that it actually tests which password to compare against (using confflags) when fetching and comparing the password.

The patch also includes "enhancements" that are related to ASTERISK-14644, which I didn't want to break out. I can't put the two bugs into relation, though.

By: Jeff Peeler (jpeeler) 2010-06-29 16:35:35

I don't agree that this is undesired behavior as this seems to be exactly what the 'a' option is for. However, I do see that in the case of configuring a conference both without a user pin and with an admin pin it is not possible to join as an admin user without the 'a' option. This will be fixed.

By: Jeff Peeler (jpeeler) 2010-06-29 18:01:21

Ok, after looking way back to issue ASTERISK-2355 trying to figure out the best way to handle this, I've changed:
conf => 2345,5555 : didn't prompt for pin with 'a' option, now does
conf => 2345,,6666 : didn't prompt for pin without 'a' option, now does

This seems to make the most sense to me.

By: Jeff Peeler (jpeeler) 2010-07-01 14:45:22

Changed my mind, just going to change this scenario:
conf => 2345,,6666 : didn't prompt for pin without 'a' option, now does
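
The description and jpeeler's two comments above can be read against one small model of the MeetMe pin check. The C below is an added illustration written for this page, not app_meetme.c or either attached patch; `struct conf`, `prompt_before`, `prompt_after`, `join` and `join_strict` are hypothetical names, and the prompt rules are taken only from what the comments in this thread state.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of a meetme.conf entry "conf => confno,pin,adminpin";
 * "" stands for an omitted pin. Illustration only, not app_meetme.c itself. */
struct conf { const char *pin; const char *adminpin; };

enum outcome { DENIED, JOINED_USER, JOINED_ADMIN };

/* Prompt rule the comments describe before r273474: in admin mode ("a")
 * the caller is asked only if an admin pin exists, otherwise only if a user
 * pin exists, so "conf => 2345,,6666" without "a" is never asked for a pin. */
bool prompt_before(const struct conf *c, bool admin_mode)
{
    return (admin_mode ? c->adminpin : c->pin)[0] != '\0';
}

/* Prompt rule after r273474 (model): without "a", a configured admin pin
 * also triggers the prompt, so an admin can enter it and join as admin. */
bool prompt_after(const struct conf *c, bool admin_mode)
{
    return admin_mode ? c->adminpin[0] != '\0'
                      : (c->pin[0] != '\0' || c->adminpin[0] != '\0');
}

/* Join resolution as the report describes it: either pin admits the caller,
 * and the ADMIN flag set by "a" is kept even when only the user pin matched.
 * `entered` is ignored when no prompt was issued. */
enum outcome join(const struct conf *c, bool admin_mode, bool prompted, const char *entered)
{
    if (!prompted)
        return admin_mode ? JOINED_ADMIN : JOINED_USER;
    if (c->adminpin[0] && !strcmp(entered, c->adminpin))
        return JOINED_ADMIN;
    if (!strcmp(entered, c->pin))
        return admin_mode ? JOINED_ADMIN : JOINED_USER; /* reporter's concern */
    return DENIED;
}

/* Direction of the reporter's second patch (model): the pin compared against
 * is chosen from the requested mode, so admin mode needs the admin pin. */
enum outcome join_strict(const struct conf *c, bool admin_mode, bool prompted, const char *entered)
{
    if (!prompted)
        return admin_mode ? JOINED_ADMIN : JOINED_USER;
    if (admin_mode)
        return !strcmp(entered, c->adminpin) ? JOINED_ADMIN : DENIED;
    if (c->adminpin[0] && !strcmp(entered, c->adminpin))
        return JOINED_ADMIN;
    return !strcmp(entered, c->pin) ? JOINED_USER : DENIED;
}
```

Running the three configurations from the thread through both prompt rules shows why "conf => 2345,,6666" could never yield an admin before the change, and that "conf => 2345,5555" with "a" is unaffected.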

By: Digium Subversion (svnbot) 2010-07-01 15:21:12

Repository: asterisk
Revision: 273474

U   branches/1.4/apps/app_meetme.c

------------------------------------------------------------------------
r273474 | jpeeler | 2010-07-01 15:19:16 -0500 (Thu, 01 Jul 2010) | 14 lines

Allow admin user to join conference without using admin mode and no user pin.

Configuring the conference in meetme.conf like the following:
conf => 2345,,6666
did not prompt for pin when used without admin mode. This meant that the
conference could not be joined as an admin even if the user knew the correct
pin. The original bug report was submitted claiming that the blank user pin
should deny entry into the conference. I think a better way to handle this
would be with a feature enhancement that used the following syntax:
conf => 2345,X,6666 - where X denotes no acceptable pin allowed

(closes issue ASTERISK-14641)
Reported by: modelnine

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=273474

By: Digium Subversion (svnbot) 2010-07-01 15:28:14

Repository: asterisk
Revision: 273522

_U  trunk/
U   trunk/apps/app_meetme.c

------------------------------------------------------------------------
r273522 | jpeeler | 2010-07-01 15:28:14 -0500 (Thu, 01 Jul 2010) | 21 lines

Merged revisions 273474 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r273474 | jpeeler | 2010-07-01 15:19:16 -0500 (Thu, 01 Jul 2010) | 14 lines
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=273522

By: Digium Subversion (svnbot) 2010-07-01 15:29:49

Repository: asterisk
Revision: 273529

_U  branches/1.6.2/
U   branches/1.6.2/apps/app_meetme.c

------------------------------------------------------------------------
r273529 | jpeeler | 2010-07-01 15:29:48 -0500 (Thu, 01 Jul 2010) | 28 lines

Merged revisions 273522 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r273522 | jpeeler | 2010-07-01 15:28:15 -0500 (Thu, 01 Jul 2010) | 21 lines
 
 Merged revisions 273474 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r273474 | jpeeler | 2010-07-01 15:19:16 -0500 (Thu, 01 Jul 2010) | 14 lines
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=273529