[asterisk-bugs] [JIRA] Updated: (ASTERISK-20132) Security Vulnerability: remote authenticated attacker can execute arbitrary shell commands on system through app ExternalIVR
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Thu Aug 30 15:53:08 CDT 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-20132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-20132:
-----------------------------------
Target Release Version/s: 1.8.15.1, 10.7.1, 10.7.1-digiumphones
Security: None (was: Reporter, Bug Marshals, and Digium)
> Security Vulnerability: remote authenticated attacker can execute arbitrary shell commands on system through app ExternalIVR
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-20132
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20132
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Applications/app_externalivr, Core/ManagerInterface
> Affects Versions: 10.4.1
> Reporter: Matt Jordan
> Assignee: Matt Jordan
> Severity: Critical
> Fix For: 1.8.15.1, 10.7.1, 10.7.1-digiumphones
>
> Attachments: AST-2012-012-10.diff, AST-2012-012-11.diff, AST-2012-012-1.8.diff
>
>
> Asterisk Manager externalivr shell command execution
> CVE-2012-2186
> Discovered by:
> Zubair Ashraf of the IBM X-Force
> Description:
> Asterisk could allow a remote authenticated attacker to execute arbitrary shell
> commands on the system, caused by the failure to restrict access to the Manager
> Interface. An attacker could exploit this vulnerability using the externalIVR
> application with the originate action.
> Consequences
> This allows an authenticated user (who does not have permission to execute
> System Commands) to execute system commands via Asterisk Manager Interface.
> Platforms Affected
> Asterisk 10.4.1 (latest as of this writing)
> Vulnerability Location
> This happens because of insufficient validation in function action_originate in
> file manager.c
> {noformat}
> if (!ast_strlen_zero(app)) {
>     /* To run the System application (or anything else that goes to
>      * shell), you must have the additional System privilege */
>     if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
>         && (
>             strcasestr(app, "system") ||   /* System(rm -rf /)
>                                               TrySystem(rm -rf /) */
>             strcasestr(app, "exec")   ||   /* Exec(System(rm -rf /))
>                                               TryExec(System(rm -rf /)) */
>             strcasestr(app, "agi")    ||   /* AGI(/bin/rm,-rf /)        <==== MISSED externalivr
>                                               EAGI(/bin/rm,-rf /) */
>             strstr(appdata, "SHELL")  ||   /* NoOp(${SHELL(rm -rf /)}) */
>             strstr(appdata, "EVAL")        /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
>         )) {
>         astman_send_error(s, m, "Originate with certain 'Application' arguments "
>             "requires the additional System privilege, which you do not have.");
>         res = 0;
>         goto fast_orig_cleanup;
>     }
> }
> {noformat}
> POC
> Sample of commands sent to the Asterisk Manager to launch xclock
> {noformat}
> action:originate
> channel:console/dsp
> application:externalivr
> data:/usr/bin/xclock
> {noformat}
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
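As an added illustration (not the diffs attached to this issue and not Asterisk's own code), the privilege check quoted above written as a stand-alone C function: it mirrors the deny-list from action_originate and adds the "externalivr" match the report identifies as missing. The function name, the portable strcasestr stand-in and the value of EVENT_FLAG_SYSTEM are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the manager write-permission bit; the real Asterisk value is
 * not quoted on the page, so this constant is an assumption of the example. */
#define EVENT_FLAG_SYSTEM (1u << 0)

/* Portable equivalent of strcasestr(hay, needle) != NULL (no GNU extension). */
static bool ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* True when an Originate must be refused: the session lacks System and the
 * requested application (or its data) can reach a shell.  The list mirrors
 * the quoted check plus "externalivr", the application the page reports as missed. */
bool originate_requires_system(unsigned writeperm, const char *app, const char *appdata)
{
    static const char *const shell_apps[] = { "system", "exec", "agi", "externalivr" };

    if (app == NULL || *app == '\0')        /* no Application given: nothing to guard */
        return false;
    if (writeperm & EVENT_FLAG_SYSTEM)      /* session holds System: allowed through */
        return false;
    for (size_t i = 0; i < sizeof shell_apps / sizeof shell_apps[0]; i++)
        if (ci_contains(app, shell_apps[i]))
            return true;
    if (appdata && (strstr(appdata, "SHELL") || strstr(appdata, "EVAL")))
        return true;
    return false;
}

int main(void)
{
    /* The page's PoC request, evaluated for a session without the System bit. */
    bool refused = originate_requires_system(0, "externalivr", "/usr/bin/xclock");
    printf("externalivr without System -> %s\n", refused ? "refused" : "allowed");
    return 0;
}
```

A substring deny-list of this kind stays fragile, since every new dialplan application that can reach a shell has to be added to it; the report's own root cause, failure to restrict access to the Manager Interface, is the control to tighten alongside it.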