[asterisk-bugs] [JIRA] (ASTERISK-28580) Bypass SYSTEM write permission in manager action allows system commands execution

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Nov 21 12:32:32 CST 2019


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=248827#comment-248827 ] 

Friendly Automation commented on ASTERISK-28580:
------------------------------------------------

Change 13235 merged by Friendly Automation:
manager.c:  Prevent the Originate action from running the Originate app

[https://gerrit.asterisk.org/c/asterisk/+/13235|https://gerrit.asterisk.org/c/asterisk/+/13235]

> Bypass SYSTEM write permission in manager action allows system commands execution
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-28580
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28580
>             Project: Asterisk
>          Issue Type: Security
>          Components: Core/ManagerInterface
>    Affects Versions: GIT
>            Reporter: Eliel Sardañons
>            Assignee: Unassigned
>            Severity: Blocker
>              Labels: patch, security
>         Attachments: 908eb49.diff
>
>
> It is possible to bypass the SYSTEM write permission in manager if the user is allowed to originate calls, allowing remote code execution on the Asterisk server.
> The current validation is found in this line of code https://github.com/asterisk/asterisk/blob/8aa4e1c3c99b58f072888ce8798623be227910c6/main/manager.c#L5735
> As you may notice, all the validations are made on the application name, so if we craft an Originate action with an Originate application and end up running a SYSTEM application we can bypass these checks:
> Action: Originate
> Channel: Local/1111 at eliel
> Application: Originate
> Data: Local/2222 at eliel,app,System,touch /tmp/owned
> I tested it with a user with these permissions:
> read = call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
> write = call,agent,user,config,command,reporting,originate,message
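
The check described in the report and the fix named in the merge comment, modelled as an added example (not Asterisk's manager.c code): the parser reads an AMI action packet, `nested_application` exposes the inner application hidden in the Originate app's Data, and `authorize_originate` shows why validating only the directly named application was insufficient and why the fix refuses the Originate application outright. The privileged-application set and the "@" restored in the constructed packet are assumptions.

```python
from typing import Dict, Set, Tuple

# Applications whose use from AMI requires the SYSTEM write class. The report
# names only System; "exec" is added here as an assumption for illustration.
PRIVILEGED_APPS = {"system", "exec"}

# Constructed reproduction of the reporter's packet ("@" restored) and write classes.
REPORTED_ACTION = (
    "Action: Originate\r\n"
    "Channel: Local/1111@eliel\r\n"
    "Application: Originate\r\n"
    "Data: Local/2222@eliel,app,System,touch /tmp/owned\r\n"
    "\r\n"
)
REPORTER_WRITE = {"call", "agent", "user", "config", "command",
                  "reporting", "originate", "message"}


def parse_ami_action(raw: str) -> Dict[str, str]:
    """Parse one AMI packet ("Key: value" lines ending in a blank line); keys lower-cased."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def nested_application(fields: Dict[str, str]) -> str:
    """If Application is Originate, return the app its Data would run
    (Originate app args: tech/resource,type,arg1,...; with type=app, arg1 is the app)."""
    if fields.get("application", "").lower() != "originate":
        return ""
    parts = [p.strip() for p in fields.get("data", "").split(",")]
    return parts[2] if len(parts) >= 3 and parts[1].lower() == "app" else ""


def authorize_originate(fields: Dict[str, str], write: Set[str]) -> Tuple[bool, str]:
    """Decide whether an Originate action is allowed for a user with these write classes."""
    if fields.get("action", "").lower() != "originate":
        return True, "not an Originate action"
    if "originate" not in write:
        return False, "originate write class required"
    app = fields.get("application", "").lower()
    # Change 13235: the action must never run the Originate application; its Data
    # carries an inner application that the name check below would never see.
    if app == "originate":
        return False, "Originate action may not run the Originate application"
    # The pre-existing check: only the directly named application is validated.
    if app in PRIVILEGED_APPS and "system" not in write:
        return False, f"{app} requires the system write class"
    return True, "allowed"
```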



--
This message was sent by Atlassian JIRA
(v6.2#6252)