[asterisk-bugs] [JIRA] (ASTERISK-28580) Bypass SYSTEM write permission in manager action allows system commands execution
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Nov 21 14:48:32 CST 2019
[ https://issues.asterisk.org/jira/browse/ASTERISK-28580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=248844#comment-248844 ]
Friendly Automation commented on ASTERISK-28580:
------------------------------------------------
Change 13287 merged by Benjamin Keith Ford:
manager.c: Prevent the Originate action from running the Originate app
https://gerrit.asterisk.org/c/asterisk/+/13287
> Bypass SYSTEM write permission in manager action allows system commands execution
> ---------------------------------------------------------------------------------
>
> Key: ASTERISK-28580
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28580
> Project: Asterisk
> Issue Type: Security
> Components: Core/ManagerInterface
> Affects Versions: GIT
> Reporter: Eliel Sardañons
> Assignee: Unassigned
> Severity: Blocker
> Labels: patch, security
> Attachments: 908eb49.diff
>
>
> It is possible to bypass the SYSTEM write permission in manager if the user is allowed to originate calls, allowing remote code execution on the Asterisk server.
> The current validation is found in this line of code https://github.com/asterisk/asterisk/blob/8aa4e1c3c99b58f072888ce8798623be227910c6/main/manager.c#L5735
> As you may notice, all the validations are made on the application name, so if we craft an Originate action with an Originate application and end up running a System application we can bypass these checks:
> Action: Originate
> Channel: Local/1111@eliel
> Application: Originate
> Data: Local/2222@eliel,app,System,touch /tmp/owned
> I tested it with a user with these permissions:
> read = call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
> write = call,agent,user,config,command,reporting,originate,message
--
This message was sent by Atlassian JIRA
(v6.2#6252)
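The report above describes the flaw in one sentence: the manager's Originate action decides whether SYSTEM permission is needed by looking only at the Application header, so an Originate action whose Application is itself Originate can carry System (or any other privileged application) in its Data field and never trip the check. The Python model below is an added example written for this page, not Asterisk's own code and not the merged change; the function names, the list of applications treated as requiring SYSTEM, and the permission sets are assumptions chosen to illustrate the bypass. It parses the exact AMI action from the report, shows the name-only check letting it through, walks nested Originate Data fields (the "app" type means the next field is an application name, as in the reporter's payload) to recover the application that would really run, and shows a check that refuses the Originate application from the Originate action, which is the approach named in the title of the merged change. The resolver handles deeper nesting than the report's single level.

```python
"""Model of the AMI Originate permission check discussed in ASTERISK-28580.

Added example, not Asterisk's own code. SYSTEM_APPS, the check functions and
the permission sets are assumptions for illustration; the real check lives in
main/manager.c.
"""

# Assumption: applications the manager would require the SYSTEM write
# permission for (names are well-known Asterisk apps, the set is constructed).
SYSTEM_APPS = {"system", "exec", "tryexec", "agi", "eagi", "deadagi"}

# Write permissions of the reporter's test user, as listed in the report.
USER_WRITE = {"call", "agent", "user", "config", "command",
              "reporting", "originate", "message"}

# The reporter's AMI action, reproduced as a constructed CRLF-delimited packet.
PAYLOAD = ("Action: Originate\r\n"
           "Channel: Local/1111@eliel\r\n"
           "Application: Originate\r\n"
           "Data: Local/2222@eliel,app,System,touch /tmp/owned\r\n")


def parse_action(raw):
    """Parse 'Header: value' lines of one AMI action into a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def needs_system_perm(app):
    """True if running this application should require SYSTEM permission."""
    return app.strip().lower() in SYSTEM_APPS


def check_originate_vulnerable(action, write_perms):
    """Name-only check, as the report describes it: inspects only Application."""
    if "originate" not in write_perms:
        return False, "missing ORIGINATE permission"
    app = action.get("application", "")
    if needs_system_perm(app) and "system" not in write_perms:
        return False, "missing SYSTEM permission"
    return True, "allowed"


def effective_app(action):
    """Follow nested Originate applications to the application that would run.

    The Originate application's Data is 'channel,type,arg1,...'; when type is
    'app', arg1 is an application name and the rest is its argument string.
    Comma splitting here ignores quoting, a simplification for this example.
    """
    app = action.get("application", "")
    data = action.get("data", "")
    while app.strip().lower() == "originate":
        parts = [p.strip() for p in data.split(",")]
        if len(parts) < 3 or parts[1].lower() != "app":
            break  # 'exten' type or malformed Data: no further application
        app, data = parts[2], ",".join(parts[3:])
    return app


def check_originate_fixed(action, write_perms):
    """Hardened check: keep the name check and refuse the Originate app itself,
    the approach named in the merged change 'Prevent the Originate action from
    running the Originate app'."""
    ok, why = check_originate_vulnerable(action, write_perms)
    if not ok:
        return ok, why
    if action.get("application", "").strip().lower() == "originate":
        return False, "Originate application may not be run from the Originate action"
    return True, "allowed"


if __name__ == "__main__":
    action = parse_action(PAYLOAD)
    print("vulnerable check:", check_originate_vulnerable(action, USER_WRITE))
    print("application that would really run:", effective_app(action))
    print("fixed check:", check_originate_fixed(action, USER_WRITE))
```

The same user sending "Application: System" directly is refused by both checks, which is why the name-only validation looked sufficient; the difference only appears once the privileged application is hidden one level down in Data.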