Summary: ASTERISK-27103: core: ast_safe_system command injection possible.
Reporter: Corey Farrell (coreyfarrell)
Labels: patch
Date Opened: 2017-07-01 20:12:28
Date Closed: 2017-08-31 06:10:02
Priority: Major
Regression?:
Status: Closed/Complete
Components: Applications/app_minivm, Applications/app_mixmonitor, Applications/app_system, Applications/app_voicemail, Channels/chan_dahdi, Core/General, Functions/func_shell, Resources/res_monitor
Versions: 13.16.0, 14.5.0, GIT
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
(0) 0001-core-Add-ast_safe_execvp-function.patch
(1) 0002-app_minivm-Use-ast_safe_execvp-to-run-externnotify.patch
Description:

{{ast_safe_system}} and {{popen}} do not provide protection against command injection. This is a vulnerability if Asterisk code or an admin uses untrusted strings for parameters to any external call (such as callerid).

h2. C level vulnerability

{{app_minivm: run_externnotify}} - callerid is passed as parameters to the command.

h2. Config level vulnerabilities

{{app_system, app_mixmonitor, func_shell, res_monitor}} - These modules allow the administrator to execute arbitrary commands with arbitrary parameters. If the admin gets parameters from untrusted values they are vulnerable. Likely these must be addressed by documenting the risk. {{func_shell}} is the odd case which uses {{popen}} instead of {{ast_safe_system}}; it is still an issue.

h2. Possibly not vulnerable

* {{app_alarmreceiver}} and {{chan_dahdi}} are pretty simple cases that I'm pretty sure are safe.
* {{app_voicemail}} is more difficult. I don't think it uses any untrusted values for parameters but I'm not ready to say this for sure.

h2. Not vulnerable

* main/db.c, main/config.c, main/logger.c, main/asterisk.c, utils/extconf.c

h2. Not checked

* tests/test_time.c
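Added illustration, not Asterisk code and not the attached patch: the mitigation the report points at is to run the external program with an explicit argument vector and no shell, so an untrusted string such as a caller ID reaches the child as exactly one argv element and is never parsed for {{;}}, quotes or {{&}}. It assumes a POSIX system with {{echo}} on PATH; {{run_argv_capture}} and {{echo_roundtrip}} are names chosen here.

```c
/* Added illustration (not Asterisk's ast_safe_execvp): exec a program with an
 * explicit argv and no /bin/sh, so metacharacters in an argument stay data.
 * Assumes a POSIX system with `echo` on PATH. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fork, exec argv[0] via PATH with argv as its argument vector, capture the
 * child's stdout into out (NUL-terminated) and return its exit status, or -1
 * on a local error.  No shell is involved at any point. */
static int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                 /* child */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);      /* argv elements are passed verbatim */
        _exit(127);                 /* exec failed: conventional status */
    }
    close(fds[1]);
    size_t used = 0;
    for (;;) {
        ssize_t n = read(fds[0], out + used, outlen - 1 - used);
        if (n <= 0 || (used += (size_t)n) >= outlen - 1) break;
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hand `untrusted` to echo as a single argument; return 1 if it came back
 * byte-for-byte, i.e. nothing inside it was interpreted as a command. */
int echo_roundtrip(const char *untrusted)
{
    char out[512];
    char *argv[] = {"echo", "-n", (char *)untrusted, NULL};
    return run_argv_capture(argv, out, sizeof out) == 0
        && strcmp(out, untrusted) == 0;
}
```

With {{ast_safe_system}} the same string would be handed to a shell and split into several commands; here the whole string is the third element of argv and the child receives it unchanged.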
Comments:

By: Corey Farrell (coreyfarrell) 2017-07-02 11:40:43.537-0500

h2. Demo

h3. Attacker's dialplan
{noformat}
exten => s,1,Set(CALLERID(name)=name"\;touch /tmp/hacked\;echo ")
same => n,Dial(SIP/target/100)
{noformat}

h3. Vulnerable dialplan
{noformat}
exten => 100,1,System(/usr/bin/notifyscript --from "${CALLERID(name)}")
{noformat}

h3. Actual commands run:
{noformat}
/usr/bin/notifyscript --from "name"
touch /tmp/hacked
echo ""
{noformat}

By: Corey Farrell (coreyfarrell) 2017-07-02 11:54:29.549-0500

These patches are against 13. The first creates an {{ast_safe_execvp}} function and the second modifies {{app_minivm}} to use it. I have not yet tested {{ast_safe_execvp}} in the double-fork mode. This is needed because {{app_minivm}} ran the command in the background with {{&}}.

By: Friendly Automation (friendly-automation) 2017-08-31 06:10:04.471-0500

Change 6346 merged by Jenkins2: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6346|https://gerrit.asterisk.org/6346]

By: Friendly Automation (friendly-automation) 2017-08-31 06:14:42.297-0500

Change 6359 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6359|https://gerrit.asterisk.org/6359]

By: Friendly Automation (friendly-automation) 2017-08-31 06:37:21.619-0500

Change 6344 merged by Jenkins2: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6344|https://gerrit.asterisk.org/6344]

By: Friendly Automation (friendly-automation) 2017-08-31 06:38:15.233-0500

Change 6354 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6354|https://gerrit.asterisk.org/6354]

By: Friendly Automation (friendly-automation) 2017-08-31 06:39:56.317-0500

Change 6345 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6345|https://gerrit.asterisk.org/6345]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:08.555-0500

Change 6342 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6342|https://gerrit.asterisk.org/6342]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:48.791-0500

Change 6357 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6357|https://gerrit.asterisk.org/6357]

By: Friendly Automation (friendly-automation) 2017-08-31 07:20:55.635-0500

Change 6343 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6343|https://gerrit.asterisk.org/6343]

By: Friendly Automation (friendly-automation) 2017-08-31 07:59:21.116-0500

Change 6347 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6347|https://gerrit.asterisk.org/6347]

By: Friendly Automation (friendly-automation) 2017-08-31 07:59:56.454-0500

Change 6362 merged by Joshua Colp: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6362|https://gerrit.asterisk.org/6362]

By: Friendly Automation (friendly-automation) 2017-08-31 08:28:26.857-0500

Change 6348 merged by Jenkins2: AST-2017-006: Fix app_minivm application MinivmNotify command injection
[https://gerrit.asterisk.org/6348|https://gerrit.asterisk.org/6348]