[asterisk-bugs] [JIRA] (ASTERISK-27103) core: ast_safe_system command injection possible.

Asterisk Team (JIRA) noreply at issues.asterisk.org
Fri Oct 13 12:59:33 CDT 2017


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-27103:
-------------------------------------

    Target Release Version/s: 14.7.0

> core: ast_safe_system command injection possible.
> -------------------------------------------------
>
>                 Key: ASTERISK-27103
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27103
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Applications/app_minivm, Applications/app_mixmonitor, Applications/app_system, Applications/app_voicemail, Channels/chan_dahdi, Core/General, Functions/func_shell, Resources/res_monitor
>    Affects Versions: 13.16.0, 14.5.0, GIT
>            Reporter: Corey Farrell
>            Assignee: Richard Mudgett
>      Target Release: 11.25.2, 13.17.1, 14.6.1, 14.7.0, 13.18.0, 15.0.0
>
>         Attachments: 0001-core-Add-ast_safe_execvp-function.patch, 0002-app_minivm-Use-ast_safe_execvp-to-run-externnotify.patch
>
>
> {{ast_safe_system}} and {{popen}} do not provide protection against command injection.  This is a vulnerability if Asterisk code or an admin uses untrusted strings for parameters to any external call (such as callerid).
> h2. C level vulnerability
> {{app_minivm: run_externnotify}} - callerid is passed as parameters to command.
> h2. Config level vulnerabilities
> {{app_system, app_mixmonitor, func_shell, res_monitor}} - These modules allow the administrator to execute arbitrary commands with arbitrary parameters.  If the admin gets parameters from untrusted values they are vulnerable.  Likely these must be addressed by documenting the risk.
>   {{func_shell}} is the odd case which uses {{popen}} instead of {{ast_safe_system}}, still an issue.
> h2. Possibly not vulnerable
> * {{app_alarmreceiver}} and {{chan_dahdi}} are pretty simple cases that I'm pretty sure are safe.
> * {{app_voicemail}} is more difficult. I don't think it uses any untrusted values for parameters but I'm not ready to say this for sure.
> h1. Not vulnerable
> * main/db.c, main/config.c, main/logger.c, main/asterisk.c, utils/extconf.c
> h1. Not checked
> * tests/test_time.c



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list