[asterisk-bugs] [JIRA] (ASTERISK-24490) Security Vulnerability: CONFBRIDGE function's record_command option allows arbitrary parameters to be passed to MixMonitor, allowing remote execution of commands

Matt Jordan (JIRA) noreply at issues.asterisk.org
Thu Nov 20 18:01:30 CST 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-24490:
-----------------------------------

    Target Release Version/s: 11.14.1
                              12.7.1
                              13.0.1
                    Security:     (was: Reporter, Bug Marshals, and Digium)

> Security Vulnerability: CONFBRIDGE function's record_command option allows arbitrary parameters to be passed to MixMonitor, allowing remote execution of commands
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24490
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24490
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Applications/app_confbridge
>    Affects Versions: 11.13.1, 12.6.1, 13.0.0
>            Reporter: Matt Jordan
>            Assignee: Kevin Harwell
>              Labels: Security
>      Target Release: 11.14.1, 12.7.1, 13.0.1
>
>         Attachments: ami-restrict-vars-427335.patch, confbridge_record_permissions.diff, inhibit-escalations-427353.patch
>
>
> See comments on https://reviewboard.asterisk.org/r/4023/ for more information. To quote Gareth:
> {quote}
> The record_file option is not safe because, by including two commas, MixMonitor() can be made to execute a command, e.g.:
> CONFBRIDGE(bridge,record_file) = test.wav,,/usr/bin/touch /tmp/oops.txt -- .wav
> So instead of registering CONFBRIDGE() as escalating, I could have function_capable_string_allowed_with_auths check for CONFBRIDGE(bridge,record_command) in main/manager.c.
> As for record_file, I don't know if supporting filenames with commas is desirable. If not I can just have it truncate the filename at the first comma. 
> {quote}
> My proposal would be to just mark the write functionality of CONFBRIDGE as being unsafe, and let {{live_dangerously}} deal with it.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
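
The truncate-at-first-comma option mentioned for record_file in the quoted comment, shown as an added example that is not part of the original message or of Asterisk's code. `count_fields` and `sanitize_record_file` are hypothetical names, and the comma splitting is a simplified model of `filename[,options[,command]]` that ignores quoting.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): the recorder splits its argument string on
 * every comma into filename[,options[,command]]; quoting is ignored here. */
static int count_fields(const char *args)
{
    int n = 1;
    for (; *args != '\0'; args++) {
        if (*args == ',')
            n++;
    }
    return n;
}

/* Hypothetical helper: copy a record_file value into out, cut at the first
 * comma. Returns 0 if unchanged, 1 if truncated, -1 if the resulting name
 * is empty or does not fit in out. */
static int sanitize_record_file(const char *value, char *out, size_t outlen)
{
    size_t len = strcspn(value, ",");

    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, value, len);
    out[len] = '\0';
    return value[len] == ',' ? 1 : 0;
}

int main(void)
{
    /* Value quoted in the report above, plus one constructed benign name. */
    const char *samples[] = {
        "test.wav,,/usr/bin/touch /tmp/oops.txt -- .wav",
        "conf-1234.wav",
    };
    char safe[256];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = sanitize_record_file(samples[i], safe, sizeof(safe));
        printf("fields before=%d rc=%d after=%s\n",
               count_fields(samples[i]), rc, rc < 0 ? "(rejected)" : safe);
    }
    return 0;
}
```

A return value of 1 is worth logging, since a legitimate recording filename that contained a comma would be silently shortened.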


