[asterisk-bugs] [JIRA] (ASTERISK-24490) Security Vulnerability: CONFBRIDGE function's record_command option allows arbitrary parameters to be passed to MixMonitor, allowing remote execution of commands
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Thu Nov 20 18:01:30 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-24490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-24490:
-----------------------------------
Target Release Version/s: 11.14.1
12.7.1
13.0.1
Security: (was: Reporter, Bug Marshals, and Digium)
> Security Vulnerability: CONFBRIDGE function's record_command option allows arbitrary parameters to be passed to MixMonitor, allowing remote execution of commands
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-24490
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24490
> Project: Asterisk
> Issue Type: Bug
> Components: Applications/app_confbridge
> Affects Versions: 11.13.1, 12.6.1, 13.0.0
> Reporter: Matt Jordan
> Assignee: Kevin Harwell
> Labels: Security
> Target Release: 11.14.1, 12.7.1, 13.0.1
>
> Attachments: ami-restrict-vars-427335.patch, confbridge_record_permissions.diff, inhibit-escalations-427353.patch
>
>
> See comments on https://reviewboard.asterisk.org/r/4023/ for more information. To quote Gareth:
> {quote}
> The record_file option is not safe because by including two commas, MixMonitor() can be made to execute a command eg:
> CONFBRIDGE(bridge,record_file) = test.wav,,/usr/bin/touch /tmp/oops.txt -- .wav
> So instead of registering CONFBRIDGE() as escalating, I could have function_capable_string_allowed_with_auths check for CONFBRIDGE(bridge,record_command) in main/manager.c.
> As for record_file, I don't know if supporting filenames with commas is desirable. If not I can just have it truncate the filename at the first comma.
> {quote}
> My proposal would be to just mark the write functionality of CONFBRIDGE as being unsafe, and let {{live_dangerously}} deal with it.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list