Summary:ASTERISK-17465: Security Vulnerability: AMI access to SHELL function only seems to need CALL Privilege, should be SYSTEM
Reporter:David Woolley (davidw)Labels:
Date Opened:2011-02-23 12:05:28.000-0600Date Closed:2012-04-23 09:22:19
Versions:Frequency of
must be completed before resolvingASTERISK-19618 Asterisk Blockers
must be completed before resolvingASTERISK-19619 Asterisk 10.4.0 Blockers
is related toASTERISK-20132 Security Vulnerability: remote authenticated attacker can execute arbitrary shell commands on system through app ExternalIVR
Environment:Attachments:( 0) 10_ami_readfunc_security_r2.diff
( 1) 162_ami_readfunc_security_r2.diff
( 2) 18_ami_readfunc_security_r2.diff
( 3) asterisk_1.62_AST-2012-004_patch.diff
Description:Whilst there are safety checks on the AMI System command, to require SYSTEM privilege before using the SHELL function, I can find no such checks when accessing it using GetVar.


Marked as private because of security implications.  You may make public at your discretion.

Until we have established that we want to use this method of running shell scripts, our time to verify the exploit is limited, and complicated by using an older version with bugs in GetVar.
Comments:By: Jonathan Rose (jrose) 2012-03-27 14:26:35.351-0500

> Whilst there are safety checks on the AMI System command

Manager has no command called 'System' that shows up in any version of Asterisk I'm aware of.

Anyway, I've reproduced the problem and I'm starting to look into fixing it.

EDIT: As far as I can tell, only the action_originate actually seems to check for SHELL.

By: David Woolley (davidw) 2012-03-28 05:03:49.178-0500

It's a while since I picked this one up, but I suspect what I meant was the System application being run via originate.

By: Jonathan Rose (jrose) 2012-04-10 14:09:28.238-0500

Adding patches which should solve the noted problems as well as another action with the same problem for 1.6.2 as well as 1.8 and up.

By: Jonathan Rose (jrose) 2012-04-10 14:10:00.230-0500

Re-adding 1.8 patch since licenses go stupid when uploading multiple files.

By: Jonathan Rose (jrose) 2012-04-12 08:32:07.195-0500

Added patches for 1.6.2, 1.8, and 10.

By: Jonathan Rose (jrose) 2012-04-24 16:36:42.277-0500

Add a revised version of the 1.6.2 version of this patch due to failed application in the 1.6.2 branch.