
Summary: ASTERISK-20132: Security Vulnerability: remote authenticated attacker can execute arbitrary shell commands on system through app ExternalIVR
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2012-07-16 08:45:28
Date Closed: 2012-08-30 11:12:07
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Applications/app_externalivr, Core/ManagerInterface
Versions: 10.4.1
Frequency of Occurrence:
Related Issues:
  must be completed before resolving ASTERISK-20308 Asterisk 1.8.16.0 Blockers
  must be completed before resolving ASTERISK-20309 Asterisk 10.8.0 Blockers
  is related to ASTERISK-17465 Security Vulnerability: AMI access to SHELL function only seems to need CALL Privilege, should be SYSTEM
Environment:
Attachments:
  ( 0) AST-2012-012-1.8.diff
  ( 1) AST-2012-012-10.diff
  ( 2) AST-2012-012-11.diff
Description:
Asterisk Manager externalivr shell command execution
CVE-2012-2186

Discovered by:
Zubair Ashraf of the IBM X-Force

Description:
Asterisk could allow a remote authenticated attacker to execute arbitrary shell
commands on the system, caused by the failure to restrict access to the Manager
Interface. An attacker could exploit this vulnerability using the externalIVR
application with the originate action.

Consequences
This allows an authenticated user (who does not have permission to execute
System Commands) to execute system commands via Asterisk Manager Interface.

Platforms Affected
Asterisk 10.4.1 (latest as of this writing)

Vulnerability Location
This happens because of insufficient validation in function action_originate in
file manager.c
{noformat}
    if (!ast_strlen_zero(app)) {
        /* To run the System application (or anything else that goes to
         * shell), you must have the additional System privilege */
        if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
            && (
                strcasestr(app, "system") ||      /* System(rm -rf /)
                                                     TrySystem(rm -rf /)       */
                strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
                                                     TryExec(System(rm -rf /)) */
                strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
                                                     EAGI(/bin/rm,-rf /)       */
                                                  /* <==== MISSED externalivr  */
                strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
                strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
            )) {
            astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
            res = 0;
            goto fast_orig_cleanup;
        }
    }
{noformat}
POC
Sample of commands sent to the Asterisk Manager to launch xclock

{noformat}
action:originate
channel:console/dsp
application:externalivr
data:/usr/bin/xclock
{noformat}
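The following C program is an added example, not Asterisk's code and not the patch in the attached diffs. It models the privilege gate from the manager.c snippet above as a table-driven check, parses the four header lines of the sample request, and shows that the request passes the original application list (the caller has no SYSTEM privilege yet is not refused) while a list that includes the ExternalIVR entry the snippet marks as missed refuses it. The EVENT_FLAG_SYSTEM value, the ci_contains() stand-in for strcasestr(), and the ami_get()/ami_value_is() helpers are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Privilege bit as used by the snippet; the numeric value is a placeholder for
 * this example, not Asterisk's definition. */
#define EVENT_FLAG_SYSTEM (1u << 0)

/* Case-insensitive comparison of the first n bytes (a may be shorter than n). */
static int ci_eq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Plain ISO C stand-in for strcasestr(): does hay contain needle, ignoring case? */
static int ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++)
        if (ci_eq_n(hay + i, needle, n)) return 1;
    return 0;
}

/* Application-name substrings that reach a shell. The first list mirrors the
 * page's snippet; the second adds the entry the snippet marks as missed. */
static const char *const vulnerable_apps[] = { "system", "exec", "agi", NULL };
static const char *const hardened_apps[]   = { "system", "exec", "agi", "externalivr", NULL };

/* Returns 1 when Originate must be refused: the caller lacks SYSTEM and the
 * requested Application (or its Data) can reach a shell. Mirrors the gate's logic. */
static int originate_denied(unsigned writeperm, const char *app, const char *appdata,
                            const char *const *shell_apps) {
    if (app == NULL || app[0] == '\0') return 0;   /* no Application header: not gated here */
    if (writeperm & EVENT_FLAG_SYSTEM) return 0;   /* SYSTEM holders may run anything */
    for (const char *const *p = shell_apps; *p; p++)
        if (ci_contains(app, *p)) return 1;
    if (appdata && (strstr(appdata, "SHELL") || strstr(appdata, "EVAL"))) return 1;
    return 0;
}

int vulnerable_check(unsigned writeperm, const char *app, const char *appdata) {
    return originate_denied(writeperm, app, appdata, vulnerable_apps);
}

int hardened_check(unsigned writeperm, const char *app, const char *appdata) {
    return originate_denied(writeperm, app, appdata, hardened_apps);
}

/* Minimal reader for AMI "key:value" lines as in the page's sample. Copies the
 * value of header `key` (case-insensitive, leading blanks and CR stripped) into
 * out; returns 1 if found, 0 otherwise. */
int ami_get(const char *msg, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *line = msg;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > klen && line[klen] == ':' && ci_eq_n(line, key, klen)) {
            const char *v = line + klen + 1;
            while (*v == ' ' || *v == '\t') v++;
            size_t vlen = (size_t)(line + len - v);
            if (vlen && v[vlen - 1] == '\r') vlen--;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Convenience wrapper: does header `key` in `msg` equal `expected`? */
int ami_value_is(const char *msg, const char *key, const char *expected) {
    char buf[256];
    return ami_get(msg, key, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* The request from the page's POC section, as sent by a caller without SYSTEM. */
const char SAMPLE_REQUEST[] =
    "action:originate\nchannel:console/dsp\napplication:externalivr\ndata:/usr/bin/xclock\n";

/* Returns 1 when the sample request slips past the original list but is refused
 * once "externalivr" is on it, i.e. exactly the gap this issue describes. */
int sample_bypasses_vulnerable_check(void) {
    char app[64], data[256];
    ami_get(SAMPLE_REQUEST, "application", app, sizeof app);
    ami_get(SAMPLE_REQUEST, "data", data, sizeof data);
    return vulnerable_check(0, app, data) == 0 && hardened_check(0, app, data) == 1;
}

int main(void) {
    printf("sample request bypasses original check: %s\n",
           sample_bypasses_vulnerable_check() ? "yes" : "no");
    return 0;
}
```

The check is substring-based, so any application name containing one of the listed words is gated; the lesson of this issue is that such a denylist must be revisited whenever a new application that spawns a process is added, and the table form makes that one-line change reviewable.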
Comments: