[Asterisk-code-review] manager.c: Prevent the Originate action from running the Originate app (asterisk[17.0])

Benjamin Keith Ford asteriskteam at digium.com
Thu Nov 21 14:45:42 CST 2019 

Benjamin Keith Ford has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/13288 )

Change subject: manager.c:  Prevent the Originate action from running the Originate app
......................................................................

manager.c:  Prevent the Originate action from running the Originate app

If an AMI user without the "system" authorization calls the
Originate AMI command with the Originate application,
the second Originate could run the "System" command.

Action: Originate
Channel: Local/1111
Application: Originate
Data: Local/2222,app,System,touch /tmp/owned

If the "system" authorization isn't set, we now block the
Originate app as well as the System, Exec, etc. apps.

ASTERISK-28580
Reported by: Eliel SardaƱons

Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
(cherry picked from commit 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285)
---
A doc/UPGRADE-staging/AMI-Originate.txt
M main/manager.c
2 files changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Benjamin Keith Ford: Looks good to me, approved; Approved for Submit



diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
new file mode 100644
index 0000000..f2d3133
--- /dev/null
+++ b/doc/UPGRADE-staging/AMI-Originate.txt
@@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.
diff --git a/main/manager.c b/main/manager.c
index 69cbe37..f96195e 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -5698,6 +5698,7 @@
 				                                     EAGI(/bin/rm,-rf /)       */
 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
 				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+				strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/13288
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 17.0
Gerrit-Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
Gerrit-Change-Number: 13288
Gerrit-PatchSet: 1
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-CC: Friendly Automation
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20191121/d9894f1c/attachment.html>

More information about the asterisk-code-review mailing list