Summary: ASTERISK-17465: Security Vulnerability: AMI access to SHELL function only seems to need CALL Privilege, should be SYSTEM
Reporter: David Woolley (davidw)
Labels:
Date Opened: 2011-02-23 12:05:28.000-0600
Date Closed: 2012-04-23 09:22:19
Environment:
Attachments:
( 0) 10_ami_readfunc_security_r2.diff
( 1) 162_ami_readfunc_security_r2.diff
( 2) 18_ami_readfunc_security_r2.diff
( 3) asterisk_1.62_AST-2012-004_patch.diff
Description: Whilst there are safety checks on the AMI System command, to require SYSTEM privilege before using the SHELL function, I can find no such checks when accessing it using GetVar.
****** ADDITIONAL INFORMATION ******
Marked as private because of security implications. You may make public at your discretion.
Until we have established that we want to use this method of running shell scripts, our time to verify the exploit is limited, and complicated by using an older version with bugs in GetVar.
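The authorization gap reported above, modelled as an added example (not Asterisk's own code): a GetVar check that only tests the action-level CALL privilege beside a hardened check that also requires SYSTEM when the expression invokes the SHELL function. The privilege bits, the dangerous-function list and the helper names are assumptions.

```c
/* Added example, not Asterisk code: models the AMI GetVar privilege gap
 * and the check that closes it. Privilege bit values are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

#define PRIV_CALL   0x01u   /* assumed: permission to use GetVar */
#define PRIV_SYSTEM 0x02u   /* assumed: permission to run commands */

/* Dialplan functions that execute programs and so must require SYSTEM
 * (assumed list for this model). */
static const char *const dangerous_funcs[] = { "SHELL", NULL };

/* Pull the function name out of "SHELL(cmd)" or "${SHELL(cmd)}".
 * Returns false for a plain variable name such as "MYVAR". */
static bool expr_function_name(const char *expr, char *out, size_t outlen)
{
    const char *p = expr;
    size_t n = 0;
    if (p[0] == '$' && p[1] == '{')
        p += 2;
    while (*p && (isalnum((unsigned char)*p) || *p == '_')) {
        if (n + 1 >= outlen)
            return false;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n > 0 && *p == '(';
}

static bool function_requires_system(const char *name)
{
    for (const char *const *f = dangerous_funcs; *f; f++)
        if (strcasecmp(name, *f) == 0)
            return true;
    return false;
}

/* Behaviour described in the ticket: only the action-level CALL privilege
 * is checked, so a CALL-only manager user can evaluate SHELL(). */
bool getvar_allowed_vulnerable(unsigned privs, const char *expr)
{
    (void)expr;
    return (privs & PRIV_CALL) != 0;
}

/* Hardened: additionally require SYSTEM when the expression calls a
 * function that executes commands. */
bool getvar_allowed_fixed(unsigned privs, const char *expr)
{
    char name[32];
    if (!(privs & PRIV_CALL))
        return false;
    if (expr_function_name(expr, name, sizeof name) && function_requires_system(name))
        return (privs & PRIV_SYSTEM) != 0;
    return true;
}
```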
Comments:
By: Jonathan Rose (jrose) 2012-03-27 14:26:35.351-0500
> Whilst there are safety checks on the AMI System command
Manager has no command called 'System' that shows up in any version of Asterisk I'm aware of.
Anyway, I've reproduced the problem and I'm starting to look into fixing it.
EDIT: As far as I can tell, only the action_originate actually seems to check for SHELL.
By: David Woolley (davidw) 2012-03-28 05:03:49.178-0500
It's a while since I picked this one up, but I suspect what I meant was the System application being run via originate.
By: Jonathan Rose (jrose) 2012-04-10 14:09:28.238-0500
Adding patches which should solve the noted problems as well as another action with the same problem for 1.6.2 as well as 1.8 and up.
By: Jonathan Rose (jrose) 2012-04-10 14:10:00.230-0500
Re-adding 1.8 patch since licenses go stupid when uploading multiple files.
By: Jonathan Rose (jrose) 2012-04-12 08:32:07.195-0500
Added patches for 1.6.2, 1.8, and 10.
By: Jonathan Rose (jrose) 2012-04-24 16:36:42.277-0500
Add a revised version of the 1.6.2 version of this patch due to failed application in the 1.6.2 branch.